
February 18, 2007

Getty Villa

Elizabeth and I hadn't visited the Getty Villa here in Los Angeles since it had reopened, so it was about time. Actually, I had wanted to go last month, but I hadn't realized that one needs tickets in advance. (The tickets are free, but it took about a month before we could get a weekend time.)

The Villa is set up like an archaeological dig, with patrons entering from the top of the canyon above the main museum. I imagine that this was due to the limits of the plot of land: The villa is situated in a fairly small canyon. The architecture, as with the Getty Center, is almost more interesting than the exhibits themselves. That said, I enjoy statues, and the Greek and Roman period, so it was a very pleasant afternoon. Pictures attached below.

Not the Getty Villa, but a picture from last week: Elizabeth and I playing with the Valentine's Day gift ribbons (from a gift from Uncle Bob and Aunt Norine).
The entry to the Getty Villa is about a mile north of Sunset, along PCH. It is a quick right turn, easy to miss.
The majority of the exhibits are in the villa house itself (seen here). One of the most pleasant parts of the place is the Outer Peristyle, which includes this large reflecting pool with statues.
Us, about to jump into the cool water.
Most of the statues had eyes painted in. I suppose that this is authentic.
It was a beautiful day out, and the villa has a good mix of indoor and outdoor places.
The East Garden was a quiet spot after the somewhat loud galleries.
This fountain in the East Garden was a replica of a fountain in Pompeii.
Looking through the main villa house from the East Garden to the amphitheatre. Roman houses had two open axes. This is one, while the Outer Peristyle sat along the orthogonal axis.
The Romans grew their own herbs, and the Getty herb garden had pools that contained aquatic plants.

February 10, 2007

Zimbabwe Hyperinflation

I read this New York Times story about Zimbabwe and the destruction of its economy by Mugabe and his supporters (via Greg Mankiw). The CIA Factbook (a good reference) confirms that the "official" inflation was over 1000% in 2006, and notes that Zimbabwe has a real negative growth rate.

Well, there is a certain justice in the universe: Governments made up of racist murdering thieves tend to drive their nations into poverty and death. This justice is like the justice of engineering: Poorly designed machinery tends to collapse, no matter the intentions of the designers. The tragedy is that the people that live in Zimbabwe probably didn't know any better and are the ones that will really bear the costs. (…but Mugabe has been in power for over twenty years…) Maybe it is more tragic that it didn't have to be this way.

Who's next?

February 06, 2007

Monetizing My Five Hits Per Day

Does a blog such as this, which is really just viewed by my wife and my parents (when they don't have better things to look at on the internet), really need to be wired up with Google AdSense? Probably not. But, well, it was something that I've been meaning to do, and it was easy enough to fit into my MovableType templates. Hopefully, it will at least be unobtrusive, and maybe even be relevant/useful. (The "link units" on the individual entry pages take you to Google pages with more results, and I hold out the most hope for those.)

February 01, 2007

OneNote 2007 With WebDAV over HTTPS

OneNote 2007 is out, and of course I rushed out to get a copy. It was the main reason that I had participated in the Office 2007 beta, and there were a number of great new features. One particularly great new feature is the ability to have notes stored on a server, with clients syncing up against it. For me, this means that I can use my notes on my laptop at home, or on my desktop at work, without having to manually sync things. Chris Pratley, the ex-manager of the OneNote team, wrote a very good description of all of the new multi-machine possibilities. Good good stuff: Any WebDAV server can act as the repository. But...

However, I'm wary of using a WebDAV server across the internet. I might have very private things in my notes (e.g. account numbers, etc), and sending them around unencrypted doesn't sound like a good idea. Dan Escapa of Microsoft pointed out that Vista doesn't even allow SharePoint access through the internet via unsecured HTTP. David Rasmussen, also of the OneNote team, wrote about using flash USB drives as a way of keeping things in sync, an alternative to the network. (In the comments of that post, he mentions that password-protecting the .one files might keep things private.)

Unfortunately, when I tried to use WebDAV over HTTPS (with Basic Authentication) during the Beta, it failed. Looking through my webserver logs (I was running Apache on Debian), OneNote seemed to occasionally make requests over to the unsecured HTTP URLs. I discussed this with Dave and another MS developer, and they did some testing.

So when I tried it out with the production version of OneNote, I was disappointed to find that the error still persists. Let me try to detail what the problem is. The MS team may have made some changes since the Beta, as I think that I have a way to work around it.

I have complete control over my server (Apache 2.0.54), and am running OneNote 2007 (build 12.0.4518.1014). I've split my website into an area that has my normal content (www.borlik.net), and an area that just has WebDAV content (webdav.borlik.net) using virtual hosts. In addition, each of those areas has separate virtual hosts for HTTP and HTTPS. Originally, I didn’t want to have an unsecure WebDAV location at all, and hoped to simply redirect all HTTP traffic to HTTPS.

I tested this by trying to create a new OneNote notebook (named xxx) at the secure webdav location, e.g. https://webdav.borlik.net/. This failed with message boxes. If you look carefully at the webserver logs, you might notice something odd in what OneNote is requesting from the server:

192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD /xxx/ HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx HTTP/1.1" 404 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "MKCOL /xxx HTTP/1.1" 201 324 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "PROPFIND /xxx/New%20Section%201.one HTTP/1.1" 404 363 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx/New%20Section%201.one HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - - [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 301 377 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "PROPFIND /xxx HTTP/1.1" 207 837 "-" "Microsoft Data Access Internet Publishing Provider DAV"

Can you find it? Most of the requests are on the secured (HTTPS) URL, authenticated with my username (jborlik). However, the second to last request is an OPTIONS request to the root of the HTTP site. Apache returns a 301 (redirect permanent), as it should, and OneNote stops. I don't know what it is looking for at the root, and I really don't want there to be anything there. On the server, a directory for the new notebook is actually created, but none of the template .one files are created. OneNote itself displays a red crossed-out circle over the notebook, indicating that it can't sync.

If I do not redirect HTTP to HTTPS, i.e. open the WebDAV directory to unauthenticated access, things seem to work fine. (I'm doing the same thing: Creating a new notebook "yyy" at the secured URL.)

…
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "OPTIONS /yyy/New%20Section%201.one HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "HEAD /yyy/OneNote%20Table%20Of%20Contents.onetoc2 HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "HEAD /yyy HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "MKCOL /yyy HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
...

At the critical times, OneNote makes the OPTIONS and PROPFIND requests over unauthenticated HTTP. Those are successful now (code 200), so it moves on and does the rest of its thing. Of course, this isn't secure at all, and we are back to where we were before.

The next thing that I tried was to only allow OPTIONS and PROPFIND requests over the unauthenticated HTTP. These aren't terribly unsecure, I suppose, especially if GET and PUT are rejected. This is done in Apache via the LimitExcept directives. So, my unsecured WebDAV virtual host definition contains something that looks like:

        <Location />
            Options Indexes
            Dav on
            DavDepthInfinity on
            AllowOverride None
            <LimitExcept OPTIONS PROPFIND>
                deny from all
            </LimitExcept>
        </Location>

When I tried the same thing again (created a new notebook "ccc" on the secure URL), it actually seemed to work!!

192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "OPTIONS /ccc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc HTTP/1.1" 404 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "MKCOL /ccc HTTP/1.1" 201 324 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PROPFIND / HTTP/1.1" 207 6474 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/Client%20A.one HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PROPFIND / HTTP/1.1" 207 6474 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "LOCK /ccc/Client%20A.one HTTP/1.1" 200 420 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 201 335 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "OPTIONS /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/Client%20A.one HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"

If you look very closely at the log above, you will see OneNote make its OPTIONS and PROPFIND requests, succeed, and move on. It tries a number of other things over the unsecured URL, including PUT, but it tries again over HTTPS (and succeeds). (I tried just allowing OPTIONS over HTTP and disallowing PROPFIND, but that failed.)
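One way to check from the access log what the plain-HTTP virtual host actually serves without a login, as an added example (not code from the original post). It reads a "-" user field as an unauthenticated request, the same way the logs above are read; the sample lines, the address 192.0.2.10, the user alice and the /demo paths are constructed.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Methods the plain-HTTP virtual host is meant to answer (the <LimitExcept> list).
ALLOWED_UNAUTHENTICATED = {"OPTIONS", "PROPFIND"}

def audit(lines):
    """Sort unauthenticated requests (user field "-") by what the server did."""
    report = {"policy_violation": [], "metadata_exposed": [],
              "blocked": Counter(), "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"].append(line)  # never silently drop odd lines
            continue
        if m["user"] != "-":
            continue  # authenticated request, outside this check
        method, status = m["method"], int(m["status"])
        if method not in ALLOWED_UNAUTHENTICATED:
            if 200 <= status < 300:
                # A write or read was served without a login.
                report["policy_violation"].append((method, m["path"], status))
            else:
                report["blocked"][method] += 1
        elif method == "PROPFIND" and status == 207:
            # A 207 Multi-Status body carries resource names and properties.
            report["metadata_exposed"].append(m["path"])
    return report

# Constructed sample, modelled on the log format above. The last line is what
# would appear if the LimitExcept block were missing from the HTTP host.
SAMPLE_LOG = """
192.0.2.10 - alice [01/Feb/2007:21:28:56 -0800] "MKCOL /demo HTTP/1.1" 201 324 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.0.2.10 - - [01/Feb/2007:21:28:57 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.10 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /demo HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.10 - - [01/Feb/2007:21:28:57 -0800] "PUT /demo/Notes.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.10 - alice [01/Feb/2007:21:28:57 -0800] "PUT /demo/Notes.one HTTP/1.1" 201 335 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.0.2.10 - - [01/Feb/2007:21:29:10 -0800] "GET /demo/Notes.one HTTP/1.1" 200 4096 "-" "ExampleClient/1.0"
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

An empty policy_violation list means the method restriction is holding; entries under metadata_exposed are paths whose names and properties were returned to a client that never logged in.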

With this, I think that things are up and running. It seemed to sync and work correctly. When I restarted OneNote, it reprompted me for the site login (using the IE authentication box), which is fine. I did notice that I couldn't rename sections, as OneNote tried to do a (disallowed) MOVE request over the unsecured HTTP, and never tried again over HTTPS. Ah well… MOVE is a bit more dangerous, so I'll leave that one turned off. I'll just have to be very careful what I name sections when I first make them.

A person might be tempted to say that this was sloppy coding on the OneNote team's part. I don't believe that, though… My guess is that there are many different site setups, and many different WebDAV servers out there, and they tried to make OneNote as compatible as possible. Should they break SharePoint, or Apple iDisk, in order for this to work from my particular setup of Apache? Someone will end up unhappy no matter what they choose. There is a way for me to work around the problem, at least. In the end, I'm glad that the functionality is there, and I salute the OneNote team for a product that makes me more productive.

Update 1/21/2007: Dan Escapa's must-read OneNote blog has some additional information regarding this issue. His solution, from David Tse of Microsoft, is more or less what I did above. Mr. Tse suggests that it doesn't work for Vista, although his solution didn't involve SSL encryption (as far as I could tell), just authentication over plain-old HTTP.
