Rentopia in Alameda

by phildini on March 4, 2016

The Alameda Renters Coalition has published the text of the amendment to the Alameda City Charter they're trying to add to the ballot for November. It's well worth a read, but here are the key points, as I see them:

  • Renters and Homeowners should have protection under the law
  • Alameda needs a Rental Housing Board to oversee administration of rental units in the city
  • Evictions should only be enacted for Just Cause
  • Rent should be pinned to the Consumer Price Index

The charter amendment, if enacted, will provide incredible renter protections in Alameda. I haven't read the text of the rent control measures for other California cities, but I'm willing to wager this proposal would put Alameda in the top three cities in terms of renter friendliness.

I'm biased here, but as a renter (and someone who both wants to see more people in Alameda and see the current residents protected), I'm in favor of shifting the landlord-tenant power balance a bit more in favor of the tenants. That said, there are definitely some parts in the measure that give me pause.

The big one is capital improvements. As I read the amendment, there is no allowance for general capital improvements to a property. The amendment is very explicit about allowing relocation and rent increases for capital improvements to bring the property up to code, but what if a landlord wants to do general remodeling to make a property nicer, or more attractive? The amendment doesn't seem to allow for that. It feels like an oversight that could be taken advantage of, and which would decrease the overall appeal of the housing stock in Alameda.

Also, the Rental Housing Board, again as I read the amendment, seems to operate with absolutely no oversight. They're chosen by general election, operate completely autonomously from the rest of city government, and their budget is approved only by them. Ostensibly, this is so the Board can't be influenced by a city council that is being too partisan to landlords or tenants. However, the way the amendment is currently worded, the Rental Housing Board could decide to charge a $1000/unit Rental Housing Fee, and the only recourse would be a lawsuit or another election. There doesn't seem to be a lot of 'check' to this 'balance'.

Where does that leave us? I think the debate around this amendment, especially in light of the rent stabilization passed by the City Council on March 1st, is going to be intense, and I hope it raises the level of discourse about how to prepare Alameda for the next decade and the next century. I want strong renter protections, I want myself and other renters to feel secure in our homes. Housing is a home, first and foremost. This amendment provides for that idea, but seems focused on solving the problems of the present, without considering the problems of the future.

Things Learned at the City Council Meeting

by phildini on March 1, 2016

Here are some things, learned by myself and others, at the Alameda City Council meeting on March 1st.

  • The city council continues to treat its staff in a way I find weirdly antagonistic
  • Whenever a council member uses the phrase "Real World", what they mean is: "Your researched presentation means nothing, city staffer. Alameda is different."
  • Appropriate means you make funds available for. Those funds can be taken back, especially if they aren't spent
  • The Mayor and City Council are maybe really underpaid?
  • Alameda cares about golf way more than I thought it did. Like, an hour and a half more than I thought it did.
  • I don't understand Councilmember Daysog's long-term strategy for Alameda
  • Councilmembers Ashcraft and Oddie seem like people I would enjoy hanging out with

And, the big one

  • Alameda now has rent stabilization.

Hello, world.

by phildini on February 26, 2016

This is the first post posted to WordFugue. WordFugue is an experiment, something neither of the founders of this site has ever done before. I've had blogs off and on for over a decade, but two things are different about WordFugue.

  1. It's the first blog I've run where I've built the whole thing as a blog, and built it just for myself and my partner to use.
  2. It's the first time I'm blogging with a partner, sharing a space with someone else, sharing the writing, and the code, and vision.

There will be posts that backfill to different dates as I start migrating various other blogs to this blog, but this is where it all starts in many ways.

Watch this space.

An Interview, Interrupted

by phildini on October 25, 2015

This is a short story inspired by this post from Chuck Wendig, mashing up two other stories. Full reveal of the mashups at the bottom!

To say I was nervous would be an understatement. Months of research, of hunting down leads, of following urban legends and whispered truths had paid off with this night, this potentially life-changing night.

It started with a rumor, heard at parties and in whispers throughout the year, growing strongest around Halloween, a rumor of a shadow figure draped equal parts in violence and elegance. A question that would be asked if the right people were sufficiently drunk with the other right people.

“You know there’s a vampire in San Francisco, right?”

It sounds crazy in my own head when I think about it. How cliche, to think of that book and the history around it, and try to extend that world into the real world. What a perfect representation of this city, to think that there’s a creature of cultured carnage who drifts among us, civilized on the outside with a tortured heart of evil inside.

My name is Susan Harper, I’m a reporter for the San Francisco Chronicle. Well, I like to say I’m a reporter for the Chronicle. Really, I’ve had just a few bylines in print, and most of my writing has been for the collection of blogs that catalog the former hippies and capitalist yuppies that make up the City by the Bay.

I’m known for tracking down urban legends and weird stories, pieces of San Francisco folklore that get passed in some new age oral tradition at parties and bars and in parlors. I hear about them, or they get sent to me, and I spend a few weeks to a few months tracking down the truth and the origin of these tales, then selling the story to whatever outlet will pay the most for it.

Emperor Norton’s Ghost, wandering around the Barbary Coast? That would be George, a lovely if eccentric man who works in theaters around the city and likes dressing up. The moans of dead gold miners, trapped under Nob Hill to haunt those who had gotten wealthy off their gold? A problem with the city’s natural water lines. That one required actually prying the manhole off a sewer entry, and almost getting arrested, but resulted in an official thank-you. Turns out the city didn’t know about the leak, and it almost disrupted the foundations under a city councilmember’s house. Oops.

My success record isn’t perfect, but I’ve been able to find an answer to most of the legends and weird occurrences that have persisted over the years. Except the damn vampire tale.

I kept hearing it, it felt like someone mentioned it at every party, and it rattled in my brain until I could think about nothing else. I started getting emails, tweets, forum posts asking me about it; I felt like the city itself was crying out in my dreams.

“You know there’s a vampire in San Francisco, right?”

The unspoken second question was always: “Is it really true?”

I reached a breaking point, put aside all the other stories I was working on, even got the Chronicle to put me on a small retainer to work on the story. Enough people were talking about it that I thought it would be two weeks, tops, until I had this story in the bag, and had leveraged the pageviews into a more solid gig with the paper. That was six months ago.

Days, weeks, then months went by and I had no proof, no shred of the origin of the legend. I began to doubt myself, doubt my sanity, doubt the sanity of the whole city, and became more and more certain that there was nothing there.

But the whispers! They never stopped! I expected an initial flood after people found out I was working the vampire story, but I wasn’t prepared for the constant typhoon. It seemed my investigation had opened a bottomless pit of shadows.

Normally, when an urban legend persists there’s some kernel of truth to the story. Somebody sees something, like, say, an old woman dressed all in grey walking along Ocean Beach in the fog, and the watcher is slightly drunk, or high, so they make up a story about the Grey Ghost of Ocean Beach or whatever. They tell their friends, and the legend spreads for a bit, or dies right there. If enough weird things happen that roughly match the outline of the story, the spread intensifies, and the story might enter the realm of city folklore. The best urban legends can carry on for years, told and re-told until everyone who could possibly be interested moves away, or dies, or the story is exposed by someone like me. The longest I had seen a piece of folklore live, without exposure, and still be taken seriously, was about twenty years, give or take. Enough time for a whole generation to come up and move on in our ever-changing city.

After digging into stories, and old journals, and hinted rumors in ancient newspapers and antique books, it looked like the Vampire story had been living, non-stop, in San Francisco for over a hundred years. Well before the publishing of that damn book, almost to the glory gold rush days themselves. When I was able to trace that line all the way back, I felt my first thrill of uncertainty, tinged with fear. The immensity of the story seemed to loom over me.

And yet! I still had no clear lead, no clear path. Rumored sightings, whispered stories, nothing concrete! Barely a consistent description, and one that could have matched most of the men in the Financial District. Pale, blond, lithe or muscular depending on who you asked. And always, always impeccably dressed. I would hear he had been at this party, or that gala, or this orgy (San Francisco being what it is), but never any proof, any evidence. Once, I got a text from a friend at a party, who knew how long I had been searching: “HE’S HERE COME NOW”. I practically sprinted across town, not even remembering how I got there, and rushed into the club, only to find my friend looking like she was on the biggest high of her life, dreamy and moving slowly.

“Where is he?” I asked, yelling over the music.

“Wha?” she replied.

“The Vampire! You said he was here!”

“He… he was!” She looked around. “I don’t see him now, though.”

I never did know if she was just fucking with me, but I left the party feeling lower than I had ever felt. I got back to my apartment, stared at the snowdrifts of printouts and newspaper articles, dotted with rotting takeout boxes like flowers in the snow, and decided to pack it in. I would write the most unsatisfactory conclusion to six months of searching that I could imagine, the journalistic equivalent of a shrug emoji. I would fade back into the obscurity of San Francisco’s limitless pool of wannabe journalists, and keep making rent by writing copy for soon-to-fail startups.

I was sorting the last scraps of paper into trashbags and wishful-thinking storage boxes, with the first draft of my greatest shame sitting open on my laptop, when my cell phone rang. Despite my policy of never answering numbers where the caller ID says “Unknown”, I was looking for anything to distract myself from the disappointment and tedium. I picked up the call, and a clear male voice with the barest hint of an Eastern European accent said:

“I hear you’ve been looking for me.”

“I.. What?” Not my most graceful response, but how do you answer that?

“I am under the impression that you would like to write a story about me.”

“A story about you? Who are you?”

“Ah, my apologies, I thought it would be obvious. I am the Vampire of San Francisco.” He paused, while my heart stopped beating for a moment. “The only one, as far as I know.”

My first thought was that some loony had got ahold of my number, and wanted his ego (hopefully only his ego) stroked by having an actual journalist listen to him for what would probably be hours. I’m normally pretty tight with my real cell phone number, but a few friends have it and one of them could have been convinced to give it to some rando. It wouldn’t be the first time, or probably the last.

Well, that’s not quite true. My first thought, if I’m being more honest, was a mixture of hope and fear and uncertainty. Hope that my story might not be dead after all, uncertainty about what my next step was, and fear that maybe the rumor was right.

“I can understand if you think this might be a deception, but I assure you I am being completely honest. I got your number from a mutual friend.”

“Are you reading my mind?” I mentally kicked myself for saying the first thing that came to mind. Probably should have been a bit more guarded than that, Susan. I’ll admit I was caught off-guard by his directness, and how close he was to what I was thinking.

The man claiming to be a vampire on the other end of the line laughed, and it was a full, throaty laugh that seemed genuine and slightly predatory.

“No, reading minds is not a gift of mine, and doing so over the phone would be a feat I’ve never heard of. You might say instead that I can think very, very quickly, and select the best outcome for any given situation. Were I in your place, I would also suspect this might be a ruse.”

“Why me?” Again with brain-mouth malfunction, Susan. Get it together. “I mean, why contact me now? If what you say is true, you’ve done an excellent job staying out of the spotlight for decades. Why expose yourself now?”

“Partially because you impress me,” the voice replied. “I’ve read all your work, and you show a thoroughness and intelligence that helps me believe I’ll get a good story out of our interview. As for why I’m granting such an interview, my reasons are my own. Say it’s boredom, if that satisfies you.”

Many thoughts in quick succession: a flush of pride at the idea that someone found my work worthy, a double-take at how quickly he had assumed we were going to interview, and a lingering suspicion at his motives.

“I will admit you’ve got my attention, Mr. Claims-to-be-a-Vampire. When and where would you like to meet?”

I swear I could hear him smile a fanged smile as he replied. “Excellent! It just so happens that the opening gala for the Museum of Modern Art is this Friday. Would eight o’clock work?”

Eight o’clock at the MoMA gala. How on earth was I going to get tickets? But if this guy was for real, I needed to take this interview. I’d bribe someone at the Chronicle’s Art and Culture desk if I had to. “Sounds great. How will I recognize you?”

“Oh, I’ll recognize you, Ms. Harper. Until Friday.” Thanks for that extra bout of creepiness, mystery man. The line went dead.

An interview with a… Good lord. My life actually is becoming that damn book. If he asks me to call him Louis or Lestat, I’m leaving and publishing the shrug.

I convinced myself the interview was credible, and was able to convince the editor I had been assigned at the Chronicle. She gave me the go-ahead on taking the interview, and gave me a memo to use as armor against the snooty stares of the arts and culture desk in acquiring a ticket to the gala. The only condition was that I take a photographer with me, some young kid from New York who was out here as part of an exchange. Paul something or another. I wasn’t thrilled about the photog, since I didn’t know if it would spook Mr. Vampire, but I figured having an extra to corroborate my story couldn’t hurt, and photographic evidence of San Francisco’s vampire might well get me that regular job I had been angling for.

Which is how we get here, to this night, to the opening gala at the Museum of Modern Art in glorious, sunny, foggy San Francisco, with me in my best dress and some photographer from New York in a fairly smart tux at my side. I’d spent most of the week completely unsure of what I was getting myself into. Every piece of folklore and weirdness I’ve chased down has either faded away as people lost interest, or been debunked. Here was a man claiming to be the embodiment of a legend over a hundred years old, and I couldn’t tell you going into the gala if I thought he was real or fake.

He had called on Monday. By Tuesday morning somehow all my friends, and it seemed most of the city, knew I was interviewing the vampire. I study rumor for a living and I still get surprised at how fast news travels. Everyone I knew was calling to see if it was true, offer me advice, or offer me a warning. The truly surprising thing was how small the number of skeptics was.

All of this, the months of confusion and hunting, the whirlwind of rumor and the calm, predatory nature of the voice on the end of the line, led me to be more nervous than I can remember being as I walked in the large glass doors at the front of the MoMA.

There’s this thing I do, when I’m presented with something that overloads my rational mind. My brain seems to slow down, and make one of those photo-mosaics out of what I’m seeing. It’s like I’m taking hyper-accurate pictures of a thousand little details, and only once I’ve got all the details will I see the whole scene. I call it my “reporter’s sense”, and it’s served me well as I try to navigate the world of urban fantasies.

The gala was a sensory overload, and I found my reporter’s sense kicking in as I tried to process everything I was seeing. There was the Mayor, standing with the chief curator of the museum, each of their spouses dressed to the nines and flashing bright smiles for the camera. There was the chief of police, sharing a drink with a councilwoman, and my brain annotated the detail that they were rumored to be having an affair. Between the groups of urban aristocracy and political dignitaries was Donald Peregrine, the venture capitalist. The open secret of San Francisco was that most of the political machine and new money in the city owed him favors, and that real policy in the city was set by him.

Off in the corner, never far from the bar, was the Arts & Culture Editor for the Chronicle, who I’m sure would pretend like I didn’t exist all night long.

As the picture of the gala came together in my mind, one piece of the mosaic stood out. Off in the corner, uniquely apart from the crowd, stood a man who was almost certainly my interview. He was dressed in an impeccable suit that appeared dark as night on first glance, but revealed itself to be grey with darkest red accessories when I focused in. His face was pale, paler than you normally find under the California sun, and his hair was silver-speckled blond that seemed to halo his head. Standing as he was, with the enormous Mark Rothko painting at his back, he presented a striking image, like a modern-day king holding court.

I turned to the photog to snap a photo that would be the centerpiece for sure (he had to have staged himself like that, right?), but Paul whoever from New York had disappeared. Great. Guess it’s just me and Mr. Vampire then.

I walked across the gala with a purpose, my eyes fixed firmly on the man who was staring at me and now grinning a smile that looked nothing so much like a jungle cat. A small group of partiers crossed in front of me, blocking my view of him, and when they passed he was gone. Of course. Mr. Vampire wants to play hide and seek.

I reached the point where he had been standing, and spun in a slow circle, trying to see if I could spot him. I caught a flash of brilliant hair and dark suit turning a corner down the hall and nearly sprinted after him.

Through the upper echelons of the city’s elite I ducked and weaved, trying to keep a smile on my face so I wouldn’t be stopped with awkward questions. My mysterious quarry led me through galleries and showcases, up and down stairs, through parts of the museum I had never seen, until I was thoroughly lost. Some rational part of my brain screamed at me to stop letting this man, who at his most harmless had convinced himself he was a dangerous predator, lead me into who knows what.

That part of my brain was outweighed by the part that had spent six months chasing mist, and who really enjoyed seeing the byline “Susan Harper” in print.

Finally, I found Mr. Vampire in a small, dim, dead-end gallery on one of the upper floors, lounging casually on one of those strange couch-benches they have for gazing at art.

“Ms. Harper,” he said as I approached. “I’m so pleased you accepted my invitation. I’m sure you have many questions. Please, won’t you have a seat?” He indicated the cushioned section next to him, and I hesitated at the familiarity of his gesture. The only thing I knew about this man was that he dressed immaculately, claimed to be a vampire, and had led me to a corner of the building where I suspected help would be a long time coming.

He saw my hesitation and chuckled. “I’m only here to meet you, Ms. Harper. My intentions are strictly honorable.” He patted the cushion again, and I found myself subconsciously leaning closer, my body rebelling against my mind. Luckily, my will held and I remained standing. A fire twinkled in his eyes and his smile grew more feral.

“Suit yourself. Would you like to begin?”

It took me a minute to find my voice, but when I did so I started with the basics. “Well, since it wouldn’t exactly read well to call you Mr. Claims-to-be-a-vampire, what is your name?”

“You can call me Drake, and I’m not merely claiming to be a vampire, I am indeed a vampire.”

“Just Drake?”

“Just Drake for now, Ms. Harper. Any last name I gave you at this point would perforce be a lie, and I would hate to start our conversation on falsehoods.”

“Ok, let’s start at the beginning. You say you’re a vampire. Were you born one?”

“Hah! No, no-one I know was born a vampire. I was born a poor peasant in what is now Eastern Europe.”

“When were you born?”

“Time has not always been so accurately measured as it is now, but around the time of the Crusades.”

“The Crusades,” I said, disbelief in my voice. “Like, the Charlemagne, Holy Roman Empire Crusades?”

“Yes.” Drake said simply.

“O…k. How did you become a vampire?”

“Ah!” Drake said, brightening, “that tale will take some time!”

Drake stood to begin his tale of dark rituals and frightened villagers, of his transformation into something out of nightmare, of his lonely years wandering as a monster, of his slow re-integration into society, and of his travels around the world before making his home in San Francisco. As he told his tale, he began to pace around the room, his face and hands animated to punctuate the highs and lows of his story, and I didn’t notice until his voice was winding down that he had been pacing closer, and closer, until he was just a breath away from me.

Up close, I could see glimpses of his teeth, I would swear they were pointed, and the closer he came the less I seemed able to think clearly. As his story was ending, with the tale of his increasing loneliness and how it had caused him to reach out to a young reporter who might understand, I saw his head begin to lower towards my neck.

It was all I could do to softly say “What about your honorable intentions?”, to which he replied “Your life for my story seems an honorable trade to me…”. Then his lips were on my neck and-


The skylight above us shattered, and glass rained down on the couch where I was now very glad I had chosen not to sit. Drake’s head snapped around to look, and suddenly I could think clearly again.

A figure, dressed in a tight black suit from head to toe, slid upside-down through the skylight, hanging on what seemed to be a rope made of silver thread.

“Hey. This guy bothering you?” the figure said.

Drake snarled, and moved faster than I would’ve thought possible, going straight from standing to leaping at the masked figure in a blink. A shot of some silver-greyish goo fired from a device at the figure’s wrist, and hit Drake square in the face. Drake paused to claw it off, and the masked man fired another string of the stuff at Drake’s feet, binding him to the marble floor.

The man in black dropped to the floor, and fired a few more blasts at Drake’s arms and legs, partially mummifying the vampire where he stood. Walking past the snarling and straining Drake, the masked man said “Ok Not-feratu, stay put. I’m going to check on that nice reporter you were trying to snack on.”

Walking up to me, he asked “Are you alright miss? Did he hurt you?”

“Me? I’m fine,” I said. Another helpful aspect of my honed reporter instincts: I can delay shock-processing until I’m back at my apartment, preferably with a bottle of scotch. Tonight was going to be hell on my liquor cabinet. “What about you? Who ARE you?”

“Me? I’m just your friendly neighborhood… hmm.” The man paused. “This isn’t really my neighborhood, is it?”

As he was pondering, Drake burst out of his bonds with a roar, snarled in our direction, and leapt straight up through the skylight. The man in black sighed, and said “Next time, load the shooters with garlic. Check.” He started running towards the center of the room, yelled back at me “Good luck with the story!”, then also jumped straight through the skylight and into the night.

Only after Drake and the mysterious stranger had left did security arrive, and the best answer I could give them about what happened was “Earthquake. Didn’t you feel it?” I still got escorted from the party, while the Arts & Culture Editor tried to kill me with his brain.

I got back to my apartment, stared down at the draft of my story, and eventually pieced it into something that would read well, even if it was mostly fiction. I mixed enough truth with fantasy to be believable, even if I didn’t believe the truth myself. I had spent my whole career disproving myths and legends, and it turned out vampires and super-human masked crusaders actually existed in the world. The story, a cobbled-together city-interest piece about Eastern European cults and the power of rumor, was enough to please my editor, and the mystery surrounding the myth made the piece my most popular ever. The whispers about what actually transpired at the gala didn’t hurt the story’s popularity, by any stretch.

For most, the vampire story was put to bed, and I started hearing about the Vampire of San Francisco less and less. I’m not sure what actually happened between Drake and the masked man that night, but now I have an answer when people ask. “You know there’s a vampire in San Francisco, right?”

“I heard he died,” I reply.

“Of spiderbite.”

Thanks for reading! This story was a mashup of Anne Rice's "Interview with a Vampire" and Marvel's Spiderman. Hope you enjoyed it, please leave feedback in the comments!

Why Doesn't the Django CSRF Cookie Default to 'httponly'?

by phildini on October 19, 2015

Recently, some questions asked by a friend prompted me to look deeper into how Django actually handles its CSRF protection, and something stuck out that I want to share.

As a refresher, Cross-Site Request Forgery (CSRF) is a vulnerability in web applications where the server will accept state-changing requests without validating they came from the right client. If you have, where normally a user would fill out a form to delete that account, and you're not checking for CSRF, potentially any site the user visits could delete the account on your site.

Django, that marvelous framework for perfectionists with a deadline, does some things out-of-the-box to try and defend you from CSRF attacks. It comes default-configured with the CSRF middleware active in the middleware stack, and this is where most of the magic happens.

The middleware works like so: When it gets a request, it tries to find a csrf_token in the request's cookies (all cookies the browser knows about for a URL are sent with every request to that URL, and you can read about some interesting side-effects of that here: Cookies Can Be Costly On CDNs). If it finds a token in the cookie, and the request is a POST request, it looks for a matching token in the request's POST data. If it finds both tokens, and they match, hooray! The middleware approves the request, and the request marches forward. In all other cases, the middleware rejects the request, and an error is returned.

The CSRF middleware also modifies the response on its way out, in order to do one important thing: set the cookie with the CSRF token to read. It's here that I noticed something interesting, something that struck me as curious: The CSRF token doesn't default to 'httponly'.

When a site sets a cookie in the browser, it can choose to set an 'httponly' property on that cookie, meaning the cookie can only be read by the server, and not by anything in the browser (like, say, JavaScript). When I first read this, I thought this was weird, and possibly a mistake. Not setting the CSRF token 'httponly' means that anyone who can run JS on your pages could steal and modify the CSRF cookie, rendering its protection meaningless.

Another way to read what I just wrote would be: "If my site is vulnerable to Cross-Site Scripting (XSS) attacks, then they can break my CSRF protection!" This phrasing highlights a bit more why what I just said is funny: If your site is vulnerable to an XSS attack, that's probably game over, and worrying about the CSRF protection is akin to shutting the barn door after the horse has been stolen.

Still, if the CSRF cookie defaulted to 'httponly', and you discovered your site had an XSS, you might breathe a little easier knowing that bad state-changing requests had a harder time getting through. (Neglecting other ways the cookie could be broken in an XSS attack, like cookie jar overflow). I was talking to Asheesh Laroia about this, and he called this the "belt-and-suspenders" approach to securing this facet of your web application. He's not wrong, but I was still curious why Django, which ships with pretty incredible security out-of-the-box, didn't set the default to 'httponly'.

We don't know the answer for sure (and I would love to have someone who knows give their thoughts in the comments!), but the best answer we came up with is: AJAX requests.

The modern web is composed less-and-less of static pages. Increasingly, we're seeing rich client-side apps, built in JavaScript and HTML, with simple-yet-strong backends fielding requests from those client-side apps. In order for state-changing AJAX requests to get the same CSRF protection that forms on the page get, they need access to the CSRF token in the cookie.

It's worth noting that we're not certain about this, and the Django git history isn't super clear on an answer. There is a setting you can adjust to make your CSRF cookie 'httponly', and it's probably good to set that to 'True', if you're certain your site will never-ever need CSRF protection on AJAX requests.

Thanks for reading, let me know what you think in the comments!

Update (2015-10-19, 10:28 AM): Reader Kevin Stone left a comment with one implementation of what we’re talking about:

    headers: {
        'X-CSRFToken': $.cookie('csrftoken')
    }

Django will also accept CSRF tokens in the header ('X-CSRFToken'), so this is a great example.

Also! Check out the comment left by Andrew Godwin for confirmation of our guesses.
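
The check and the 'httponly' trade-off discussed in this post, modelled as an added example (this is not Django's middleware code and not part of the original post). The function names are hypothetical, `csrfmiddlewaretoken` is assumed as the form field name (Django's default), and `script_readable_cookies` is a simplified stand-in for what page JavaScript sees in `document.cookie`.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"            # cookie name used in the reader's snippet
HEADER_NAME = "X-CSRFToken"          # header named in the post's update
FORM_FIELD = "csrfmiddlewaretoken"   # assumption: Django's default form field


def issue_csrf_cookie(httponly=False):
    """Response side: return (token, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["path"] = "/"
    if httponly:
        jar[COOKIE_NAME]["httponly"] = True
    return token, jar[COOKIE_NAME].OutputString()


def script_readable_cookies(set_cookie_headers):
    """Model of document.cookie: only cookies NOT flagged HttpOnly are visible."""
    visible = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible[name] = morsel.value
    return visible


def csrf_check(method, cookies, form=None, headers=None):
    """Request side: compare the cookie token with the submitted token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "no CSRF cookie"
    # The token may arrive in the POST body or in the X-CSRFToken header.
    submitted = (form or {}).get(FORM_FIELD) or (headers or {}).get(HEADER_NAME)
    if not submitted:
        return False, "token missing from request"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "token mismatch"
    return True, "tokens match"


def ajax_post(set_cookie_header, page_token=None):
    """Simulate a same-origin script sending a state-changing POST.

    The browser attaches the cookie whether or not it is HttpOnly. The script
    can only echo the token in the header if it can read it from the cookie,
    or if the server also rendered it into the page (page_token, hypothetical).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    sent_cookies = {name: morsel.value for name, morsel in jar.items()}
    readable = script_readable_cookies([set_cookie_header])
    token = readable.get(COOKIE_NAME) or page_token
    headers = {HEADER_NAME: token} if token else {}
    return csrf_check("POST", sent_cookies, headers=headers)


if __name__ == "__main__":
    token, default_cookie = issue_csrf_cookie(httponly=False)
    print("default cookie :", default_cookie)
    print("  AJAX POST    :", ajax_post(default_cookie))

    token, strict_cookie = issue_csrf_cookie(httponly=True)
    print("httponly cookie:", strict_cookie)
    print("  AJAX POST, token from cookie:", ajax_post(strict_cookie))
    print("  AJAX POST, token from page  :", ajax_post(strict_cookie, page_token=token))

    # A request that carries the cookie but no matching token is rejected.
    print("  POST without token:", csrf_check("POST", {COOKIE_NAME: token}, form={}))
```

With the cookie marked 'httponly', the AJAX request only passes when the token reaches the script some other way, which is the cost the post weighs against the extra hardening.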


by phildini on September 29, 2015

Last week I went to an excellent meetup hosted by Erin McKean of Wordnik on making twitter bots, and now I've got the bot bug. Making bots, these little autonomous pieces of code that exist for some singular purpose, has the highest satisfaction-to-lines-of-code ratio I've ever experienced. This is the most sheer fun I've had writing code in a while, and I'm full of ideas for writing more. Philip's Forest of Bots is currently small, but growing:

  • Legendary Bot was the first bot I created, at that workshop last week. If you've seen How I Met Your Mother, and heard Barney Stinson say "It's going to LEGEN-wait for it-DARY!", then you know how this bot operates.
  • SnozzBot was bot number 2, conceived as I walked home from that meetup. Inspired by the original Willy Wonka movie, picture Gene Wilder saying "The snozzberries taste like snozzberries" and this bot will make more sense.
  • BuddyBot is still a work in progress. After writing the two twitter bots above, I wanted to do something with Slack. BuddyBot sends positive messages to members of my social Slack group, because we could all use more positivity in our day.

This post is just to get these bots out there; more details and resources on building bots to come. Thanks for reading.

Porting Django Apps to Python 3, Part 1

by phildini on May 26, 2015

Hello! Welcome to the first in a series of posts about my experiences making Django apps Python 3 compatible. Through these posts I'll start with a Django app that is currently written for Python 2.7, and end up with something that can be run on Python 3.4 or greater.

Some quick notes before we begin:

  • Why am I doing this? Because we have 5 years until Python 2.7 goes end-of-life, and I want to be as ready as possible for making that change in the code that I write for my job. To prep for that, I'm converting all the Django apps I can find, from side-projects and Open Source projects.
  • Why 5 years? Because that's the time outlined in PEP-0373, and based on Guido's keynote at PyCon 2015, that's the timeline we all should be sticking to. It's also recently been brought to my attention that further Python 2.7 releases are really the responsibility of one person, the inimitable Benjamin Peterson, and if he for any reason decides to stop making updates that 2020 timeline may get drastically shortened. It's better to be prepared now.
  • Why "Python 3 compatible"? Why not fully Python 3? Because I believe the best way forward for the next 5 years will be writing polyglot code that can be run in either Python 2.7 or Python 3.4+ environments. (I'm going to start shortening those to py2 and py3 for the rest of this post.) So I won't be using 2to3, but I will be using six.

With those pieces in mind, let's begin!

I started with Cards Against Django, a Django implementation of Cards Against Humanity that I wrote with some friends a couple years ago. We didn't own Cards Against Humanity, and hilariously thought it would be easier to build it than to buy it. (We also may have just wanted the challenge of building a usable Django app from scratch). The end result was a game that could be played with an effectively unlimited number of players, each on their own device, and which was partially optimized for mobile play. To get a sense of what the code was like before I started the migration, browse the Github repo at this commit.

Now it turns out I made one assumption right at the beginning of this port that made things a bit harder, and may have distracted from the original mission. The assumption was that Django 1.5 is not py3 compatible, when in fact it was the first py3-compatible version. Had I found and read this Python 2 to 3 porting guide for Django, I may have saved myself some headache. You now get the benefit of a free mini-lesson on upgrading from Django 1.5 to Django 1.8.

Resource #1: The Django Python 3 Porting Guide

Real quick, I'm going to go through how my environment was set up at the beginning of this project, based on the starting commit listed above.

This snippet will set up a virtual environment using mkvirtualenv, install the local requirements for the app, and initialize the db using the local settings.

Ok, let's upgrade to Django 1.8

$ pip install -U Django

...and naively try to run the dev server.

Well that's a bummer, but fairly expected that I wouldn't be able to make the jump to 1.8 easily. What's interesting about this error is that it's not my code that seems to be the problem -- it looks like the problem is in django-nose.

$ pip install -U django-nose nose

Try runserver again...

Hmm... obviously the API for transactions changed between Django 1.5 and Django 1.8. Here I looked at the Django release notes, and noticed that 'commit_on_success' was deprecated in 1.8. Digging in to the new transaction API, it looked like 'transaction.atomic' was pretty much the behavior I wanted, so I went with that.

Resource #2: The Django Release Notes

Third time's the charm, yes?

Apparently not. This one was weird to me, because I didn't have South in my installed apps. Through a sense of intuition that I can't really explain, I suspected django-allauth, the authentication package this project uses. I wondered if an older version of django-allauth was trying to do South-style migrations.

$ pip install -U django-allauth

Sure enough, an old version of allauth was the culprit, and an upgraded version allowed the runserver to launch successfully.

So now I have the development server running, but I've got that warning about needing to run migrations. This is the part of this upgrade that I knew was coming, and I was most worried about. I already have the database initialized from Django 1.5's 'syncdb' -- what will happen when I run 'migrate'?

It turns out, not a whole lot. Running this command gave me a 'table already exists' DatabaseError. Googling for this issue left me a little stumped, so eventually I turned to the #django channel on Freenode IRC. (If you're curious how to get a persistent connection to IRC, check out this post.) I was able to get some great help there, and it was suggested I try the one-two punch of:

That '--fake' bit did the trick, convincing Django I had run the migrations (since the tables were already correctly created), and silencing the warning.

With the development server running on Django 1.8 (including the very limited test suite), I'm feeling confident about the migration to Python 3. Is my confidence misplaced? Find out in part 2!

If you'd like to see the totality of the work required to migrate this Django app from 1.5 to 1.8, check out this commit.

If you have feedback about what I did wrong or right, or have questions about what's here, leave a comment, and I'll respond as soon as I'm able!

Review: The Improbable Rise of Singularity Girl by Bryce Anderson

by phildini on May 22, 2015

If you look at the people who are trying to predict Strong AI, Artificial Intelligence that's equal to or better than a human's intelligence, there's two pieces of consensus among them: 1) That there's a real good chance we'll have that kind of human-or-better AI by 2040, and 2) that the reality of such an AI will change our world and our existence in ways that we almost can't comprehend. If you dig into that second piece a bit, you find two camps of people. One camp thinks "the future is so bright we're going to need shades." The other camp thinks "Yeah. Shades to shield our eyes from the nuclear fallout when a bunch of AIs decide humans aren't worth keeping around anymore." (I'm mischaracterizing the pessimist group, but not by much)

Caught between these two extremes, it's pretty easy to gain anxiety about the future, especially if you work in tech and know how fragile things currently are. (If you want to join me, and a lot of other really smart people, in celebrating/fearing the future, read these two blog posts from Wait But Why.) Both camps agree on one thing though: Humanity basically won't be able to keep up, at all, with our new technological Gods.

But there's an idea that's not explored in the blog posts above, a third option that could be far better or far worse than a benevolent machine God or destructive robotic despot (but ultimately more relatable than either): What if we could upload a human brain, upload all human brains, and beef up their processing power to beyond any intelligence level we can think of today? What if the next superintelligence was actually a human?

This is the idea that's explored in Bryce Anderson's The Improbable Rise of Singularity Girl. A young woman, Helen, the titular character of Anderson's novel, donates her body, and most specifically her frozen brain, to science, on the condition that they try to rebuild her, neuron by neuron, in a computer. Or, more realistically, a vast network of computers. As time progresses, Moore's Law marches on, the computers powering Helen get faster and faster, she gets smarter and smarter, and eventually reaches a level of intelligence and power that can only be described to us real-time, single-brained humans through some very clever literary devices.

The road to super-intelligence is not easy for Helen, as she must navigate the landscape of human interactions while at the same time being a brand new type of human. Not to mention having to make political arguments to fund her survival through grants, and keeping an eye on a true Strong AI that may not have humanity's best interests at heart.

All of this is set against the backdrop of a technological near-future that I had no trouble believing in. With the blog posts above fresh in my mind, I was prepared to dismiss any fictional representation of AI as Science Fantasy, but Anderson has done his homework, and knows his subject material well. (The dates he includes at the start of the book's chapters help build a timeline that will seem fairly plausible after reading Wait But Why). The most impressive part of the book, from a literary standpoint, is the way Anderson can construct the worlds-within-worlds-within-worlds required for a story that happens in an increasingly digital space, and not leave the reader confused as to where they are. There were only a few moments in the book where I felt lost as to what environment the characters were really in, and even then my confusion didn't distract from the action.

The thing that drew me in deep, however, the thing that made me sit up and take notice and plow through Singularity Girl, was that core idea, the idea that maybe we can prevent the technological apocalypse by making ourselves better, rather than making the machines better than us. I'm sure there are many that consider the idea wishful thinking, that would point out there's nothing inherently great about humans at a galactic scale, and that I shouldn't make our species out to be any better than it is. To me, it seems like there's a very thin line between a machine that has our best interests at heart and a machine that wants to turn us all into power sources. One line of code may be all it takes, and it may be that the only thing that can fight a super-intelligent robot is a super-intelligent human.

You should absolutely go read The Improbable Rise of Singularity Girl. The book has good characters, incredible worlds, edge-of-your-seat action sequences, and is almost guaranteed to expand your mind.

IRC all the way down (ZNC + IRCCloud + Quassel)

by phildini on May 2, 2015

For years, I felt that IRC was something I had to put up with. Most of the communities I want to be part of have a large IRC presence, and so I would fire up my trusty local IRC client, connect to Freenode or OFTC, and try to learn from the excellent people who also hang out in various IRC communities. But I was always frustrated by the fact that I would miss discussions when I wasn't connected.

A few months back, a friend of mine introduced me to Quassel, an open source software package that gets around IRC's major limitation (from my point of view): that your ability to read the contents of a channel is limited by your client being connected to the network. (The number of IRC loggers and other workarounds for persistence indicates others also find this a limitation.)

Quassel, in its preferred configuration, requires at least two machines: a core that runs on an always-on server, and a client that connects to that core. The core is what actually connects to the IRC networks with your ident, and keeps a persistent connection for you. On the surface, this might not seem like an improvement over, say, irssi running on a server. It's an improvement for me because, despite several attempts, I have never been able to wrap my mind or fingers around irssi's keyboard shortcuts. Quassel has a nicer interface, a good desktop app, and some mobile app support.

How do you get Quassel? Quite easily, if you're on an Ubuntu system. I recommend one of the cheap boxes from DigitalOcean. They're easy to use, and only $5/month for a 512MB RAM / 20GB disk box.

On the server where you want your Quassel core to run, add the Quassel ppa to your apt repositories:

sudo add-apt-repository ppa:mamarley/quassel

Install the Quassel core package:

sudo apt-get update; sudo apt-get install quassel-core

You also want to make sure you've opened up port 4242 to outside traffic, as that's the port Quassel runs on. If you're not running a firewall (you probably should be!), you don't have to do anything. If you're running ufw like I am, you'll need to do this:

sudo ufw allow 4242
sudo ufw reload

Now that your core is all set up, let's configure it! One of the amazing things about Quassel is that you configure the core through the client. Download the client for your OS of choice, and it will walk you through how to get everything up and running.

So Quassel is great, and for a few months it served all my IRC needs perfectly well. But as I started getting more and more involved in communities on IRC, I started to feel the desire for a more mobile-ready solution. Quassel does have a free Android app, but I currently run iOS, and the iOS app didn't thrill me based on what I saw of it. I started looking for a better solution.

Some of my friends on IRC have been using IRCCloud for months, and they seemed to really enjoy it. I got an invite to the service from one of them, played around a bit, but didn't immediately see the appeal. At the time, I was still happy with my Quassel core and client. When I started hankering for a mobile solution, I gave IRCCloud another look, but didn't feel I could leave Quassel completely behind. By this point, I had given accounts on the core to some other friends interested in IRC, so I knew I couldn't shut it down. Plus, having Quassel as a backup in case IRCCloud ever went down seemed like a great idea. How could I get the best of both worlds, where Quassel and IRCCloud could use the same IRC connection, and I would never lose uptime?

Enter ZNC. ZNC is an IRC bouncer, a piece of software that essentially proxies IRC connections for you. It connects to IRC, and you connect to it, similarly to Quassel. The difference is, the Quassel client speaks to the Quassel core over the Quassel protocol. You can connect to ZNC over IRC, using any client. Like IRCCloud, and the Quassel core.

How do you get set up with ZNC? On the same box where you're running that Quassel core, do:

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:teward/znc
sudo apt-get update
sudo apt-get install znc znc-dbg znc-dev znc-perl znc-python znc-tcl

This will add the ZNC ppa to your apt repositories, and install ZNC. Next you need to choose a user that will run the ZNC service. This could be your default user, although that's not recommended, and it most certainly shouldn't be the root user. I created a new user for running ZNC like this:

sudo adduser znc-admin

Before you configure ZNC to run under this user, you'll need to open another port in your firewall.

sudo ufw allow 5000
sudo ufw reload

Now you're ready to start up ZNC.

sudo su znc-admin
znc --makeconf

ZNC will ask you a whole bunch of questions, like what port to run on, what users to create, and how connections should be set up. The directions starting about halfway down this DigitalOcean article are pretty good, and I followed most of their options, changing the user details to match what I needed. Once you've finished setup, ZNC will give you two important URLs: The URL to connect to the ZNC web interface, where you'll most likely configure ZNC going forward, and the URL for connecting an IRC client to ZNC. That connection URL will be in the form of:

{your server address or IP}:{port you chose} {username}:{password}

If you have an IRCCloud account, you'll need to pay special attention to those last bits, because {username}/{network name}:{password} will be your full server password to connect to the right account. For example:


When you add the network to IRCCloud, it'll look something like this:

[Image: IRCCloud settings]

You can use similar settings to connect Quassel to the same ZNC server.

Unfortunately, IRCCloud makes you upgrade your account to add servers with passwords. But in my opinion, IRCCloud is totally worth the $5/month. The more I use it, the more I like the service, the interface, and the mobile support. IRCCloud plus ZNC, with Quassel as a backup client connected to the same ZNC service, solves all my IRC woes. Hopefully, some combination of these services will be helpful to you as well.

And I'll see you on IRC.

I Must Not Fear

by phildini on March 10, 2015

I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.

Recently, I've had a lot of anxiety in my life. I'm dealing with closing my father's estate, projects are changing at work, and parts of my home life are adding a kind of stress I thought I had left behind in college.

I was brought up religious, and the response my mother instilled in me when presented with stress (to be fair, this was her idea of an appropriate response to everything) was "prayer and exercise". I'm not sure how religious I consider myself, but while teenage me thought my mother's advice was too simple, new adult (when do you actually stop being a young adult?) me thinks that simplicity is part of its elegance.

I have discovered few situations that don't seem just a little bit better by working out and admitting your problems, either to yourself or to some higher power.

I posted the quote above because I read Dune in high school, and the Litany Against Fear has stuck with me ever since. You may think it's silly that the mantra of a made-up religious order from a science fiction novel would bring such comfort, but I encourage you to say the words to yourself a few times and see if you don't have a reaction. Also, of course I would get solace from science fiction.

Now if you'll excuse me, I have a long walk to take, and some words to ponder.