Vernon T. Bludgeon – the blog for all things Vernonistic

interpreter as actor: an epiphany

Posted on September 15, 2023 | by Professor B | Leave a Comment

Three years ago I retired from 30 years as a Spanish<>English court interpreter. Before that I was a classical guitarist — a good one, but not so phenomenally good as to make a reasonable living out of it. At around age 30 I quit music and stumbled into court interpreting, thinking it might be an interesting and viable way to pay the bills.

All my life I have had a taste for adrenalin rushes and dopamine rewards of the kind you get from things like performing music on a stage, or skydiving, to which I was addicted for 10 years. I discovered that interpreting in open court, especially in scenarios like witness interpreting, is a performance before an audience, and that it provided enough challenge, pressure and excitement to satisfy the adrenalin junkie in me.

A lot of proceedings are largely scripted. I once worked with a defense attorney who, when prepping his client for a plea, spoke of when we go on stage — an expression I adopted and used forever thereafter.

Properly trained interpreters use the same grammatical person as the person whose words they’re interpreting, and in so doing, they are in a sense assuming the identity of that person. Most of us, at least to some degree, reproduce tone and expression, the better to convey the meaning as we understand it.

Often the outcomes in criminal proceedings are all but foregone conclusions, as if preordained, written in a script. Spoiler alert! The verdict is: guilty.

I have rarely encountered any discussion in the professional literature, online forums or anywhere, about how we interpreters and translators, like actors, spend our days and make our livings expressing other people’s ideas and opinions rather than our own. One exception I know of is the novel The Translator by the undeservedly little-known Ward Just, where this issue is mentioned in passing. No wonder so many of us spout off as we do when given the chance!

Formulaic repetition; predictable outcomes; the ritualistic formality with which the players, if you will, play their parts in a courtroom; the way interpreters are constrained to reproduce other people’s thoughts, not their own; their use of expressivity to help get the meaning across: in all these ways, the court interpreter’s job is like acting out a script. But this rather obvious notion of interpreter as actor was recently driven home to me with shocking clarity.

Last spring I succumbed to an urge to audition for the Martha’s Vineyard Playhouse’s production of the Shakespeare comedy Twelfth Night, and was cast as The Fool. Did I have any real theatrical experience? No. But the director liked my audition, and my musical abilities were useful to the production. Staged in the summer in an outdoor amphitheater, the show was extremely successful and well received. The other cast members were superb. I never had more fun in my life. One thing I found remarkable about this marvelous experience was how completely natural it felt to be on the stage, acting in a play. I have always had my attention-seeking, narcissistic, histrionic tendencies. Even so, this felt unexpectedly, almost absurdly normal. Why?

A few weeks after the play closed, I served as interpreter for an unusual event. You may recall news reports from September 2022 about the Venezuelan migrants whom Florida’s Governor Ron DeSantis used as pawns in his criminal political stunt, conning them with false promises into boarding a plane bound for Martha’s Vineyard. With no warning whatsoever, members of the local community immediately mobilized to provide services and support. Not only were our unexpected guests well cared for; the same people who handled last year’s surprise invited our Venezuelan friends back to the island for a reunion to mark the one-year anniversary. I was asked to interpret for a ceremonial event — my first time interpreting before an audience in more than three years. When there came a pause in my part of the action long enough for my mind to wander, it dawned on me: I had worked as an actor for 30 years! Of course it felt normal, natural, indeed familiar to perform in a play.

No, doing court interpreting and doing Shakespeare are not the same. It may not be just one easy step for all interpreters to move from the former to the latter. But are not interpreters located on a continuum that includes almost everyone? At one end, the only people who are their pure, authentic selves all the time are infants (and maybe, people with certain mental disorders); at the other extreme, actual actors. Virtually all of us, to some degree, go through life acting out our various roles. In their professional lives, interpreters are located especially close to the actor end of the spectrum.

As Shakespeare’s character Jaques says in As You Like It:

All the world’s a stage,
And all the men and women merely Players;
They have their exits and their entrances,
And one man in his time plays many parts[…]

* * *

sunshine squash soup: a recipe

Posted on October 31, 2022 | by Professor B | Leave a Comment

My wife and I signed up for one of those deals where you pay a local farm up front and then, for the rest of the season, you stop by weekly to collect your hefty basket of quality produce. The good/bad news with these arrangements is that you sometimes find yourself under pressure to make use of vegetables that are unfamiliar, and which you would have walked right past if you’d been shopping in a store. Such was the case with a big-ass sunshine squash we recently got, one of those varieties with a hard thick skin that you’d be a fool to take on with a vegetable peeler. One recipe recommended roasting the squash in an oven and letting it cool before continuing to fuck with it. I decided it would be fun to use this idea for a soup, and began improvising with what was in our kitchen. I didn’t measure anything; all quantities are approximate. You may wish to use less or more stock depending on whether you have a moderate amount of squash or a shit-ton. And if you want to substitute another squash variety like butternut, this should work brilliantly, but you won’t need to roast it. I’d suggest preparing the aromatics as described below, then cutting the squash up into chunks and braising it in the stock until it’s soft enough to mash.

Preparation time: Over two hours from start to finish, much of it unattended.

Ingredients:

a large sunshine squash, buttercup squash, or similar
olive oil, about 3 tbsp
1 heaping tbsp mintzed [sic] garlic
1 heaping tbsp mintzed [sic] ginger
1 tbsp cumin
1 medium onion, diced
salt and fresh ground pepper
1/2 tsp (or to taste) hot pepper flakes
4 cups vegetable (or chicken) stock
1 28-oz can of chick peas (or canellini beans), rinsed and drained
(optional) fresh parsely for garnish

Step One With a fork, poke some holes in the squash in several places, put it in a roasting pan with perhaps an inch of water. Roast the squash in a 350° oven for about an hour, until it yields to a fork. Then take it out and let it cool until you can handle it comfortably. Next, remove the stem, cut it in half, and remove the seeds. Use a knife to peel off the skin (this is the most tedious part of the project). Break up the squash — or let it fall apart — into chunks approximately the size of your fist or smaller.

Step Two In a large pot, heat the olive oil, then drop in the garlic and ginger and cook briefly, until they are sizzling and fragrant — about 20 seconds. Then put in the onion and cook, stirring occasionally, until the onion is soft.

Step Three Add the stock, squash, hot pepper flakes, cumin, and salt and pepper to taste. Stir it up and let it cook at a steady simmer, partially covered, for about 15 to 20 minutes. The objective is to let the flavors blend and get the squash very soft.

Step Four Use a potato masher to mash the squash into a liquid, stir it all up and adjust your seasonings if need be. Then add the beans, stir, and cook a bit longer to let the beans warm up.

Step Five You’re all done, unless you want to pretend you’re a restauranteur. If so, garnish with 17 cents worth of parsley and imagine yourself charging $16 instead of $9 for a bowl of soup.

The result was so ridiculously delicious that I felt compelled to write it up as a recipe and share it. If you cook this, feel free to tell us in the comments how it turned out and what good tweaks you introduced, if any.

Memo to God

Posted on September 23, 2021 | by Professor B | Leave a Comment

To: The Supreme Being
From: HR Department
Subject: Immediate termination

Dear God:

This is to advise You that Your employment is terminated effectively immediately. You are hereby ordered to leave the premises at once.

Do not let the door of Your creation hit You in Your divine ass on the way out.

Very truly Yours,

Human Resources Department

On Getting Old

Posted on November 11, 2019 | by Professor B | Leave a Comment

I would like to say that as I approached my 60th birthday, my attitude was one of equanimity, gratitude, all that wisdom bullshit. The fact is that I was only partially successful in getting my head around this milestone. Any way you spin it, 60 is not young — unless, perhaps, you’re talking about a Supreme Court Justice, or the conductor of a world-class orchestra. Let’s face it: I am a lot closer to death than I was a few decades ago. My future is a lot shorter than my past. Of course, being dead is perfectly safe. Mark Twain is said to have said that he wasn’t the slightest bit worried about death because he had been dead for billions of years before he was born, and had suffered not the slightest inconvenience. That’s a great line, easy to agree with. Easy to talk the talk. But walking the walk: I admit that it freaked me out a bit to be walking down the street one day and suddenly noticing I was over 60. What is this, some stupendous existential joke?

I considered sharing a few of these reflections in a blog post, but did not for a variety of reasons. One is that I procrastinate; another is that I expect no one to be interested in my bloviations. But I’ve overcome the first obstacle by delaying for a year and a half, sufficient even for a world-class procrastinator. As for the second, well, fuck it. Moreover, the urge to write was revivified the other day when something abruptly shifted inside my head.

Standing in my house, in a room, staring into space, not doing whatever it was I was supposed to be doing (when you have the Attention Deficit Disorder, this happens a lot, irrespective of your age), it dawned on me that in the spring I would be 62 years old. And rather than feeling the clutch of fear, I felt elation. Sixty-two! How cool is that?

Sixty-two years old, and not only have they yet to put a toe-tag on me — I am healthy. I’ve done quite a number things I wanted to do in this life, been involved in rewarding relationships with fascinating people, and have had a lot of fun. I’ve paid some dues, but on balance, this has unquestionably been a good run — and it ain’t over yet. I’ve landed in a good place, thanks to a modicum of discipline, a few wise decisions and not too many disastrous ones, and a lot of luck.

Granted, there’s a substantial chance that I will progress from old to very old, hence frail and sick, maybe lonely and depressed. Maybe the dementia will get me. That will surely suck, and I may well change my tune at that point (assuming the cognitive wherewithal). But in the meantime, I’ve realized moving through my 60s is nothing to complain or get upset about — quite the contrary.

I have noticed in myself an increased tendency towards retrospection as I’ve gotten older, and wonder if others around my age have the same experience. It would make sense that you would turn your gaze towards the past when you’ve arrived at the point, as noted above, where your future is a lot shorter than your past. There’s more of the latter and less of the former to think about. Life is like this at any age — you experience shit, then process it and hopefully learn something, even if not consciously. Maybe in the final stretch we do this, but on a greater scale. Now comes the time for reflection, grand summaries, conclusions, and — dare I say it? — deeper levels of understanding. Understanding what, you reasonably ask? The way in which events and interactions with others have unfolded in your life. Or, to put it more simply, at the risk of sounding sententious: life.

Can you keep a secret? Integrating HashiCorp Vault with a Zend Framework Application

Posted on June 13, 2017 | by Professor B | Leave a Comment

Why do we hash user passwords in our databases? So that if bad actors somehow gain access to our database, they will have a hard time stealing our secrets. But suppose we need to securely store other sensitive data in our database? Encrypt it. But how do we go about that? Assymetric, public/private key encryption with PGP would undoubtedly be the best way to go, but in the case at hand, it’s too impractical. Faced with this situation, I reasoned that symmetrical encryption was the next best option: use one key for both encryption and decryption. But how to store the encryption key securely? As a plain text file sitting on the same server as the database username and password? Which, by the way, are also sitting there in plain text, if not in plain sight?

Disclosures, Disclaimers, Excuses

Now that I have your attention, a quick digression. I am not a security expert — I just try to pay attention to those who are. So please, use your own judgment at your own risk yadda yadda yadda. Moreover, I’m not even officially a web application developer. My job title has nothing to do with that. Long story short: I stumbled into coding some 20 years ago because in my workplace we could find no software, commerical or otherwise, that met our needs in managing a busy federal court interpreters office. So we (OK, I) rolled our own, and have been rolling ever since. Now I’m working on the next iteration of our great project, using Zend Framework 3 and Doctrine, and that’s the context in which this security problem arises.

Wandering back to our main topic: we need to store some sensitive data of contract court interpreters in a database, we want to encrypt it symmetrically, and we need to keep the secret encryption key secret.

Hashicorp Vault to the rescue

The very clever people at Hashicorp generously provide, among other things, a secret-management tool aptly named Vault. As their website puts it,

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

The use of Vault is a complex subject, and the following discussion is no substitute for the documentation. We should just point out that secrets (yes, that’s the technical term) can be stored in several different types of storage backends, and authentication can happen by way of a number of different authentication backends. These things are identified and accessed by way of paths similar to a filesystem. And that unified interface mentioned above is an HTTP API. You talk to Vault by sending HTTP requests with an authentication token in your request headers, and get JSON responses. Of course, this makes it a snap for applications to communicate with Vault with the language of your choosing.

The challenging part is devising a good security model, and there is a vast — if not to say baffling — array of choices and decisions to be made. I’m still not convinced my current solution is the best, so it’s subject to change. But let’s step through it as it is at the moment. Of course, you’ll first need to install and configure and run Vault, and they make that pretty damn easy. (Though you do have to decide what machine(s) to put it on. There’s replication and high availability and all that sexy stuff for large-scale deployments. Ours happens to be a modest configuration, involving a small set of users behind our organization’s firewall.)

Creating Policies

In Vault, you create authentication tokens that have policies attached to them, determining what the bearer of the token is allowed to do. I want our authenticated application not to be authorized to read our ultimate secret, but to grant an auth token bound to a policy that does allow it. So we need a policy for reading the secret. We also need a policy for creating the token that’s attached to the policy for reading the secret. Sound complicated? Don’t worry: it is! But the underlying principle is a basic one: grant access that is as permissive as necessary, and no more. So I took out my quill and wrote policies, thus:

read-secret.hcl

path "secret/data" {
  policy = "read"
}

create-token.hcl

path "auth/token/create/read-secret" {
	policy = "write"
}

Incidentally, that .hcl extension you see refers to Hashicorp Configuration Language. It’s a lot like JSON and you’ll pick it up immediately. Then, after logging into Vault with sufficient privileges, we wrote our policies to Vault via its CLI:

vault policy-write read-secret read-secret.hcl

and

vault policy-write create-token create-token.hcl

and finally, the rather more esoteric one:

vault write auth/token/roles/read-secret allowed_policies=read-secret

which magically allows the “role” to bestow access to something that the role itself cannot access.

Authenticating the application

As implied above, I decided Step One should be that not the user but the application authenticates itself against Vault using the TLS backend. To that end, I created my certificates (thank you, https://jamielinux.com/docs/openssl-certificate-authority/ for help with that), stored them in Vault,

vault write auth/cert/certs/web display_name=web policies=create-token \
	certificate=@/path/to/your/cert.pem

and tested it out with the Vault cli,

vault auth -method=cert -client-cert=/path/to/your/cert.pem \
    -client-key=/path/to/your/key.pem

then with the HTTP API using our good friend curl. By the way, before thinking too much about integration with ZF, I followed the same procedure with all this token stuff until I was able to go from zero to reading the secret (encryption key) from the command line. I predicted (correctly!) that the heavy lifing was setting up the Vault stuff, and getting it to play well with ZF would be more like fun than work.

Getting a token for getting the secret

After the previous command, now that we’re authenticated via TLS, we can go

vault token-create -role=read-secret

and get a response something like

Key            	Value
---            	-----
token          	ef2fb0d1-1644-937f-5326-3c6270abc3ba
token_accessor 	522c0a9d-7897-a670-e511-650d37ea6d20
token_duration 	768h0m0s
token_renewable	true
token_policies 	[default read-cipher]

Getting the secret

And finally, authenticate with the token we just got:

vault auth ef2fb0d1-1644-937f-5326-3c6270abc3ba

and go for the gold

vault read secret/data

resulting in

Key             	Value
---             	-----
refresh_interval	768h0m0s
cipher          	b862600aaeba7c4ccd74006d2e616083ffb7031a3b088e743080bcf32e90f3b4

and that “cipher” you see is the encryption key for encrypting/decrypting our sensitive database fields, a step we will perform in our PHP application.

In all honesty, it’s a bit more complicated than this because we are going to be using response wrapping. When a client sends the header so indicating, the response is not the thing requested, but another auth token with which you can get the thing requested. And that token is a single-use token: use it once and then it’s revoked. You can also limit the time-to-live on this token, so that whether it gets used or expires, it is not going to be hanging around for long as a valid token. This exemplifies the Vault (and general security) principle of limiting the exposure of a secret.

Plugging it into ZF

The front end

At last, the fun part. (Not to say that Vault isn’t loads of fun — it absolutely is! But after dealing and struggling with something unfamiliar, it’s comforting like a warm bath to return to the familiar, isn’t it?) I decided that this application would have its Vault capabilities in a separate module to make it easy to enable or disable. If it’s disabled, they simply don’t get to work with sensitive data. Let’s work from the front end to the back. The form has a good number of fields, but the ones we’re concerned with look like this:

because there’s no reason to expose this data if they don’t ask. The encrypted values are tucked away as hidden fields. When they click those lock thingies, we display a modal dialog inviting the already-authenticated user to re-authenticate (in case they load the form, wander off to the bathroom, and just then an identity thief comes up to their workstation). A couple of Javascript xhr calls later, if all goes well, the dialog goes away and these fields are re-populated with the decrypted values.

The Controller

And the above-mentioned xhr sends a POST request containing the encrypted values to /vault/decrypt, a route mapped to this action method in our module/Vault/src/Controller/VaultController.php:

        public function decryptAction()
    {
        $params = $this->params()->fromPost();
 
        try  {
 
            $key = $this->vaultService->getEncryptionKey();
            $cipher = new BlockCipher(new Openssl());
            $cipher->setKey($key);
            $decrypted = [
                'ssn' => $cipher->decrypt($params['ssn']),
                'dob' => $cipher->decrypt($params['dob'])
            ];
            return new JsonModel($decrypted) ;
 
        } catch (VaultException $e) {            
             return new JsonModel(['error'=>$e->getMessage()]);
        }
    }

The part involving Vault gets our encryption key, and it’s a one-liner. The next bit simply makes use of zend-crypt to take care of decryption.

You notice $this->vaultService. That’s a dependency injected via the constructor, so there’s a factory which pulls it from the container. Boring, so we’ll skip that part. Let’s have a look at the module’s module.config.php (ooh, exciting!)

Configuration

<?php
namespace SDNY\Vault;
use Zend\Router\Http\Literal;
 
return [          
    'vault' => [           
        // override these with a local configuration
        'vault_address' => 'https://vault.example.org:8200', 
        'sslcafile'     => '/usr/share/ca-certificates/ca-chain.cert.pem',
        // these settings must match the configuration set in Vault
        'ssl_key' => '/path/to/your-private-key.key.pem',
        'ssl_cert' => '/path/to/your-cert.pem',    
        'path_to_secret' => '/path/to/your/secret', // including leading slash
        // but do not change this adapter
        'adapter'       => 'Zend\Http\Client\Adapter\Curl',       
    ],    
    'service_manager' => [
        'factories' => [
            Service\Vault::class => Service\Factory\VaultServiceFactory::class,           
        ]
    ],
    'controllers' => [
        'factories' => [           
            Controller\VaultController::class => Controller\Factory\VaultControllerFactory::class,
        ]
    ],   
];

So the module’s config sets some default/dummy values, with the expectation that they will be overridden by a local configuration file called something like config/autoload/vault.local.php, consistent with the ZF convention. No reason to put this in a public repository.

The Vault service

We have a VaultServiceFactory that injects all that config for us when it instantiates our VaultService, which is what does the talking to Vault.

<?php
/**
 * module/Vault/src/Service/Vault.php
 */
 
namespace SDNY\Vault\Service;
 
use Zend\Http\Client;
 
 
/**
 * Extension of Zend\Http\Client for communciating with Hashicorp Vault
 * 
 * The purpose is enable us to store sensitive data in MySQL using symmetrical
 * encryption while avoiding having to store the encryption key in plain text 
 * anywhere at any time. All the configuration has to be correctly set before 
 * instantiation. Error-checking is left up to the consumer.
 * 
 */
 
use Zend\EventManager\EventManagerAwareInterface;
use Zend\EventManager\EventManagerAwareTrait;
 
class Vault extends Client implements EventManagerAwareInterface {
    use EventManagerAwareTrait;
 
    protected $events;
 
    /**
     * mapping of string keys to CURL integer constants
     * 
     * we need this because if a config array key is an integer
     * unfortunate things happen when the framework merges the configs
     * 
     * @var array
     */
    private static $curlopt_keys = [
        'ssl_key' => \CURLOPT_SSLKEY,
        'ssl_cert'=> \CURLOPT_SSLCERT,        
    ];
 
    /**
     * vault authentication token
     * 
     * @var string
     */
 
    private $token;
 
    // some more instance variables omitted for brevity
 
    /**
     * constructor
     * 
     * @param array $config
     */
    public function __construct(Array $config) {
 
        $this->vault_address = $config['vault_address'] . $this->prefix;
        $this->path_to_secret = isset($config['path_to_secret']) ? 
            $config['path_to_secret'] : null;
        $curloptions = [];
        foreach ($config as $key => $value) {
            if (key_exists($key, self::$curlopt_keys)) {
                $curloptions[self::$curlopt_keys[$key]] = $value;
            }
        }
        $config['curloptions'] = $curloptions;       
 
        parent::__construct(null, $config);
        $this->getRequest()
            ->getHeaders()
            ->addHeaderLine('Accept: application/json');
    }
 
    // some setters/getters omitted for brevity
 
 
    /**
     * checks response for errors
     * @param Array $response
     * @return boolean true if error
     */
    public function isError(Array $response) {
        return key_exists('errors',$response);
    }
 
    /**
     * resets request, response, etc, and restores
     * request header for JSON responses
     * 
     * @return \SDNY\Vault\Service\Vault
     */
    public function reset()
    {
        parent::reset();
        $this->getRequest()
            ->getHeaders()
            ->addHeaderLine('Accept: application/json');
        return $this;
    }
 
    /**
     * attempts Vault TLS authentication
     * 
     * this will attempt to authenticate using TLS certificates, which have to 
     * have been installed and set in our configuration up front. 
     * 
     * @link https://www.vaultproject.io/docs/auth/cert.html
     * 
     * @return Vault
     * @throws VaultException
     */
    public function authenticateTLSCert($options = [])
    {
        $this->setMethod('POST')
            ->setUri($this->vault_address .'/auth/cert/login')
            ->send();        
        $response = $this->responseToArray($this->getResponse()->getBody());
        if ($this->isError($response)) {
            $this->getEventManager()->trigger(__FUNCTION__, $this, []);
            throw new VaultException($response['errors'][0]);
        }
        $this->token = $response['auth']['client_token'];
 
        return $this;
    }
 
    /**
     * Attempts to acquire access token that is authorized to read the cipher 
     * we use for symmetrical encryption/decryption of sensitive Interpreter 
     * data.
     * 
     * @return Vault
     * @throws VaultException
     */
    public function requestCipherAccessToken()
    {
        $this->getRequest()->getHeaders()
                ->addHeaderLine("X-Vault-Token:$this->token")
                ->addHeaderLine("X-Vault-Wrap-TTL: 10s");
        $endpoint = $this->vault_address . '/auth/token/create/read-cipher';
        $this->getRequest()->setContent(json_encode(
               [
                // maybe reconsider these settings
                'ttl' => '5m',
                'num_uses' => 3,
               ]
        ));
        $this->setMethod('POST')->setUri($endpoint)->send();
        $response = $this->responseToArray($this->getResponse()->getBody());
        if ($this->isError($response)) {
            $this->getEventManager()->trigger(__FUNCTION__, $this, [
                'message' => 'failed to get token for cipher access'
            ]);
            throw new VaultException($response['errors'][0]);
        }        
        $this->token = $response['wrap_info']['token'];
        return $this;             
    }
 
 
    /**
     * unwraps a wrapped response and returns it as an array
     * 
     * @param string $token
     * @return array
     */
    public function unwrap()
    {
        $this->reset();
 
        $endpoint = $this->vault_address . '/sys/wrapping/unwrap';
        $this->setAuthToken($this->token);
        $this->setMethod('POST')->setUri($endpoint)->send();
 
        $response = $this->responseToArray($this->getResponse()->getBody());
        if ($this->isError($response)) {
            $this->getEventManager()->trigger(__FUNCTION__, $this, [
                'message' => 'failed to unwrap response'
            ]);
            throw new VaultException($response['errors'][0]);
        }
        if (isset($response['auth'])) {
            $this->setAuthToken($response['auth']['client_token']);
        }        
        return $response;      
    }
 
    /**
     * requests response-wrapped encryption key
     * 
     * @param string $token authentication token
     * @return Vault
     * @throws VaultException
     */
    public function requestWrappedEncryptionKey()
    {
        if (! $this->path_to_secret) {
            throw new VaultException('path to secret has to be set before calling '.__FUNCTION__);
        }
        $endpoint = $this->vault_address . $this->path_to_secret;        
        $this->getRequest()->getHeaders()->addHeaderLine("X-Vault-Wrap-TTL: 10s");
        $this->setMethod('GET')->setUri($endpoint)->send();
        $response = $this->responseToArray($this->getResponse()->getBody());
         if ($this->isError($response)) {
            $this->getEventManager()->trigger(__FUNCTION__, $this, [
                'message' => 'failed to get wrapped encryption-key response'
            ]);
            throw new VaultException($response['errors'][0]);
        }
        $this->setAuthToken($response['wrap_info']['token']);
        return $this;  
 
    }
    /**
     * gets encryption key.
     *
     * convenience method that wraps the several 
     * steps into one.
     *
     * @param string $token authentication token
     * @return string
     * @throws VaultException
     */
    public function getEncryptionKey()
    {
        $this->authenticateTLSCert()
                ->requestCipherAccessToken()
                ->unwrap();
        $this->requestWrappedEncryptionKey();
        $key = $this->unwrap()['data']['cipher'];
        return $key;
 
    }
 
    /**
     * sets Vault authentication token header
     * and instance variable
     * 
     * @param string $token
     * @return \SDNY\Service\Vault
     */
    public function setAuthToken($token)
    {
        $this->getRequest()
            ->getHeaders()
            ->addHeaderLine("X-Vault-Token:$token");
        $this->token = $token;
        return $this;
    }        
 
    /**
     * converts json to array
     * 
     * @param string $json
     * @return Array
     */
    public function responseToArray($json) {
 
        return json_decode($json,true);
    }
 
    /**
     * attempts user/password authentication
     * 
     * this will attempt to authenticate user against Vault's 
     * userpass auth backend. NOTE: looks like we won't be using this auth 
     * method after all, so this method is not currently used.
     * @link https://www.vaultproject.io/docs/auth/userpass.html
     * 
     * @param string $user
     * @param string $password
     * @return array Vault response as array
     */
    public function authenticateUser($user,$password)
    {
        $uri = $this->vault_address . "/auth/userpass/login/$user";
        $this->getRequest()->setContent(json_encode(['password'=>$password]));
        $this->setUri($uri)->setMethod('POST')->send();
 
        return $this->responseToArray($this->getResponse()->getBody());  
 
    }
 
}

<?php /** * module/Vault/src/Service/Vault.php */ namespace SDNY\Vault\Service; use Zend\Http\Client; /** * Extension of Zend\Http\Client for communciating with Hashicorp Vault * * The purpose is enable us to store sensitive data in MySQL using symmetrical * encryption while avoiding having to store the encryption key in plain text * anywhere at any time. All the configuration has to be correctly set before * instantiation. Error-checking is left up to the consumer. * */ use Zend\EventManager\EventManagerAwareInterface; use Zend\EventManager\EventManagerAwareTrait; class Vault extends Client implements EventManagerAwareInterface { use EventManagerAwareTrait; protected $events; /** * mapping of string keys to CURL integer constants * * we need this because if a config array key is an integer * unfortunate things happen when the framework merges the configs * * @var array */ private static $curlopt_keys = [ 'ssl_key' => \CURLOPT_SSLKEY, 'ssl_cert'=> \CURLOPT_SSLCERT, ]; /** * vault authentication token * * @var string */ private $token; // some more instance variables omitted for brevity /** * constructor * * @param array $config */ public function __construct(Array $config) { $this->vault_address = $config['vault_address'] . $this->prefix; $this->path_to_secret = isset($config['path_to_secret']) ? $config['path_to_secret'] : null; $curloptions = []; foreach ($config as $key => $value) { if (key_exists($key, self::$curlopt_keys)) { $curloptions[self::$curlopt_keys[$key]] = $value; } } $config['curloptions'] = $curloptions; parent::__construct(null, $config); $this->getRequest() ->getHeaders() ->addHeaderLine('Accept: application/json'); } // some setters/getters omitted for brevity /** * checks response for errors * @param Array $response * @return boolean true if error */ public function isError(Array $response) { return key_exists('errors',$response); } /** * resets request, response, etc, and restores * request header for JSON responses * * @return \SDNY\Vault\Service\Vault */ public function reset() { parent::reset(); $this->getRequest() ->getHeaders() ->addHeaderLine('Accept: application/json'); return $this; } /** * attempts Vault TLS authentication * * this will attempt to authenticate using TLS certificates, which have to * have been installed and set in our configuration up front. * * @link https://www.vaultproject.io/docs/auth/cert.html * * @return Vault * @throws VaultException */ public function authenticateTLSCert($options = []) { $this->setMethod('POST') ->setUri($this->vault_address .'/auth/cert/login') ->send(); $response = $this->responseToArray($this->getResponse()->getBody()); if ($this->isError($response)) { $this->getEventManager()->trigger(__FUNCTION__, $this, []); throw new VaultException($response['errors'][0]); } $this->token = $response['auth']['client_token']; return $this; } /** * Attempts to acquire access token that is authorized to read the cipher * we use for symmetrical encryption/decryption of sensitive Interpreter * data. * * @return Vault * @throws VaultException */ public function requestCipherAccessToken() { $this->getRequest()->getHeaders() ->addHeaderLine("X-Vault-Token:$this->token") ->addHeaderLine("X-Vault-Wrap-TTL: 10s"); $endpoint = $this->vault_address . '/auth/token/create/read-cipher'; $this->getRequest()->setContent(json_encode( [ // maybe reconsider these settings 'ttl' => '5m', 'num_uses' => 3, ] )); $this->setMethod('POST')->setUri($endpoint)->send(); $response = $this->responseToArray($this->getResponse()->getBody()); if ($this->isError($response)) { $this->getEventManager()->trigger(__FUNCTION__, $this, [ 'message' => 'failed to get token for cipher access' ]); throw new VaultException($response['errors'][0]); } $this->token = $response['wrap_info']['token']; return $this; } /** * unwraps a wrapped response and returns it as an array * * @param string $token * @return array */ public function unwrap() { $this->reset(); $endpoint = $this->vault_address . '/sys/wrapping/unwrap'; $this->setAuthToken($this->token); $this->setMethod('POST')->setUri($endpoint)->send(); $response = $this->responseToArray($this->getResponse()->getBody()); if ($this->isError($response)) { $this->getEventManager()->trigger(__FUNCTION__, $this, [ 'message' => 'failed to unwrap response' ]); throw new VaultException($response['errors'][0]); } if (isset($response['auth'])) { $this->setAuthToken($response['auth']['client_token']); } return $response; } /** * requests response-wrapped encryption key * * @param string $token authentication token * @return Vault * @throws VaultException */ public function requestWrappedEncryptionKey() { if (! $this->path_to_secret) { throw new VaultException('path to secret has to be set before calling '.__FUNCTION__); } $endpoint = $this->vault_address . $this->path_to_secret; $this->getRequest()->getHeaders()->addHeaderLine("X-Vault-Wrap-TTL: 10s"); $this->setMethod('GET')->setUri($endpoint)->send(); $response = $this->responseToArray($this->getResponse()->getBody()); if ($this->isError($response)) { $this->getEventManager()->trigger(__FUNCTION__, $this, [ 'message' => 'failed to get wrapped encryption-key response' ]); throw new VaultException($response['errors'][0]); } $this->setAuthToken($response['wrap_info']['token']); return $this; } /** * gets encryption key. * * convenience method that wraps the several * steps into one. * * @param string $token authentication token * @return string * @throws VaultException */ public function getEncryptionKey() { $this->authenticateTLSCert() ->requestCipherAccessToken() ->unwrap(); $this->requestWrappedEncryptionKey(); $key = $this->unwrap()['data']['cipher']; return $key; } /** * sets Vault authentication token header * and instance variable * * @param string $token * @return \SDNY\Service\Vault */ public function setAuthToken($token) { $this->getRequest() ->getHeaders() ->addHeaderLine("X-Vault-Token:$token"); $this->token = $token; return $this; } /** * converts json to array * * @param string $json * @return Array */ public function responseToArray($json) { return json_decode($json,true); } /** * attempts user/password authentication * * this will attempt to authenticate user against Vault's * userpass auth backend. NOTE: looks like we won't be using this auth * method after all, so this method is not currently used. * @link https://www.vaultproject.io/docs/auth/userpass.html * * @param string $user * @param string $password * @return array Vault response as array */ public function authenticateUser($user,$password) { $uri = $this->vault_address . "/auth/userpass/login/$user"; $this->getRequest()->setContent(json_encode(['password'=>$password])); $this->setUri($uri)->setMethod('POST')->send(); return $this->responseToArray($this->getResponse()->getBody()); } }

This Vault service extends Zend\Http\Client because it basically is a specialized http client. The general pattern is that most of these methods attempt to get the token we need, store it in $this->token, and return $this so the lazy coder using the class can save some keystrokes.

We make use of the handy Zend\EventManager\EventManagerAwareInterface and Zend\EventManager\EventManagerAwareTrait and do a fair amount of $this->getEventManager()->trigger(). It’s most definitely a work in progress, but by the time this project is done (or pretty close) there are going to be event listeners responsible for logging things and generally paying attention. On the Vault side, I plan to (figure out a way to) monitor the audit log with the ultimate goal of trying to detect a possible breach and hit the panic button.

So we’ve demonstrated decryption, how about encryption? Coming soon! But as you can see, it will be straightforward.

Further thoughts on Vault and PHP Applications

Remember we started out with a reference to the practice of storing database credentials in plain text? Vault provides a database secret backend so you can avoid doing that. Vault also has a very straightforward user/password authentication backend that makes it tempting to consider implementing a Zend\Authentication\Adapter\AdapterInterface that uses it.

All of this is to say that in terms of security, I think Vault offers us ways to take Zend Framework applications, and PHP applications generally, to the next level.

Conclusion

As noted at the beginning, this solution to my challenge of keeping our encryption key secure may not be the best possible. But it’s a start. The first objective was to avoid leaving our secret lying around in plain text, and this accomplishes that. My holy grail is to make it so that even in a worst case scenario, where an attacker gains root access to the machine where this application is installed, my precious social security numbers and dates of birth would still not be compromised. Like anything, this model is not guaranteed bullet-proof against a breach that severe, but again, it’s a start.

Hopefully this demonstrates that once you have Vault going, it’s quite easy to integrate with your ZF application. As a personal note, I would add that this is actually my debut blogging about Zend Framework, and I do feel a little self-conscious about presuming to address an audience with so many badasses in it. Stage fright notwithstanding, I am truly interested in hearing your comments, so please feel free.

References

Remembering Dan B

Posted on October 13, 2016 | by Professor B | Leave a Comment

The objective connection between Danny and me is that we are stepbrothers: his father and my mother were married to each other for over 40 years. They met when both were employed at the U.S. Naval Observatory in Washington, D.C.

When I first met him, I was 13 and Dan was 17. Those days were very much the latter phase of the 1960s, culturally speaking. I was then (already) keenly interested in doing drugs and being cool. Dan was the embodiment of all that I aspired to: a cool hippie dude. Complete with long hair, beard, and musical abilities, he was what we used to call “far out” without irony. He was like an older brother and I attached to him immediately.

Our relationship was episodic. For a time in the 1970s we lived together — indeed, in the same room — in La Serena, Chile, where his father directed the Cerro Tololo observatory. In 1982-1983, we happened to overlap again in Tucson when I was graduate student in guitar at the University. After that phase, we would cross paths from time to time owing to the family connection. He showed up for the wedding festivities when I got married (the first of two times) in Puerto Rico in 1994. A few times we coincided while visiting his dad’s/my mom’s home in La Serena and later in Vero Beach, Florida.

Danny was what’s known as a survivor. Of course the past tense is appropriate here — he survived until he didn’t, and if he were here now he’d probably laugh at some grim joke along those lines. But my point is that he overcame some fantastically bad breaks. He was dealt a shitty hand, with mother and brother both suffering from severe mental illnesses and a sister that was… kind of strange, if I may be forgiven for saying so. His dad, my stepdad, was remarkable: an accomplished astronomer and unfailingly loving and generous person. Except that he didn’t much care for dealing straight on with the interpersonal — not an uncommon characteristic, especially among men, especially men of his generation. So he took off for Washington D.C. to take the job at the Naval Observatory, and left Danny at age 15 to deal alone with his profoundly dysfunctional family. And deal with it he did. He got through all that and more, and led a life doing a great many interesting things that he wanted to do, rich in relationships with interesting people.

Truth be told, most of my memories of the times I spent with him are pretty banal, but entirely pleasant. There was good chemistry among our parents and us, and we enjoyed many a happy evening as a merry quartet, eating and drinking well and enjoying lots of long hard laughs. I have a mental picture from one afternoon at a beach in Chile. We waded into the surf and threw a frisbee back and forth, making heroic diving catches of errant throws — the sort of maneuver you might expect from a serious baseball player — but falling painlessly into the water instead of hitting the ground. It was funny, really funny in a physical-comedic way that’s impossible to describe. I have a vivid image of him emerging from the water after one those moves, laughing, laughing…

Now this is part where I make my presentation more compelling by choking up and shedding a tear or two. Note to Danny: that’s another laugh line I think you’d have found amusing.

And now I recover and continue with another fun memory, probably from that same period of time when we spent a couple of weeks in La Serena. We played several games of chess, winning and losing more or less evenly. It was the last night — one of us, I forget who, was traveling back to the U.S. the next morning. So we sat down for a final chess game and abused a bottle of Bailey’s Irish Creme, of all things. That isn’t a very high-alcohol drink and we were both fairly robust drinkers, so we got a little silly but not excessively drunk. The laughter, conversation and chess lasted through the night. The game finally ended in a draw, an outcome that pleased us both.

It is common to canonize people when they die, but there’s no need for that here. Dan definitely had his peculiarities, as do we all in one form or another. He was also a truly extraordinary person, talented and intelligent in a multiplicity of ways, an independent and original thinker, with a sense of humor surpassed by no one. Cliché though it sounds, he lived a full life. But he also did an exceptionally courageous job of dying, from what I can tell. One thing I regret about not attending his memorial in person is not being able to hear more about this from those who were with him at the end. He went out with equanimity, dignity and grace. At times like these I like to quip that dying is so very fashionable. Everyone does it! Those who have not done it yet will get their chance in due course. When my great moment comes I hope to emulate his example.

There is a powerful line in a novel by the writer Haruki Murakami, where two of his characters are in the presence of another who has just died. It reads: he had just accomplished the profound, personal feat of dying.

Good bye, brother Dan. You have accomplished the profound, personal feat of dying.

You’ve Got Us Under Your Skin

Posted on November 2, 2014 | by Professor B | Leave a Comment

This little ditty, to the tune of I’ve Got You Under My Skin, was created for the 2013 Courthouse Follies. It is disrespectfully dedicated to the NSA.

They’ve got us under their skin
They’ve got us deep in the heart of them
So deep in their heart, we’re really a part of them
They’ve got us under their skin

We’re always listening in
Their emails and phone calls and texts always go down so well
To our data centers where they’re lovingly stored so well
[addressing audience from here on]
You’ve got us under your skin

We’ll sacrifice anything, come what might
For the sake of stoking up fear
We violate every constitutional right
That we still claim to hold dear

Don’t you know little fools, you can never win?
Forget legality
Wake up to reality
If you really do value privacy
You should stop before you log in
‘Cause you’ve got us under your skin

Is social inequality inherent to human society?

Posted on September 22, 2014 | by Professor B | Leave a Comment

In an exchange of comments Facebook the other day, somebody said:

“Capitalism doesn’t create inequality, if it did there wouldn’t be inequality existent in other economic systems which there most certainly is. Inequality is inherent to the human condition. We are not all equally capable or equally industrious so we will not enjoy equal results. There is no system that creates equality because equality doesn’t exist. It’s a fiction people choose to believe. Believe it if you will, but don’t tear down an economic system that provides you with the free time to indulge such fantasies. I’ll grant you that capitalism isn’t fair, but show me an economic model that produces more. I’ll take freedom over equality any day. Right now, we have neither.”

Hereafter I’m using the second person to address the commenter.

Your remarks reflect such a strong attachment to capitalist orthodoxies that it is unlikely I can say anything to convince you, and there are so many misconceptions and fallacies that it’s hard to know where to begin. But I should try to make a couple points just for the record.

The fact that “other economic systems” — i.e., other than capitalism — have resulted in social inequality (or were likewise based on it, as with slavery and feudalism) in no way proves that capitalism does not also produce inequality. More to the point, the data and the historical record are overwhelming. Few serious scholars, economists, etc. dispute that the global capitalist order has produced massive social inequality – even capitalists acknowledge this. The world’s most powerful, elite government officials, corporate executives and academics gather for their conference in Davos to wring their hands over the global social, economic and environmental crisis resulting from capitalism’s excesses. (And rightly so, because such a system not only morally reprehensible, but also unsustainable.). No, the great dispute is over the way forward.

Further, there really is no other economic system of consequence in the modern global economy, other than capitalism, hence nothing to compare except in historical terms. If you look at history, you can say slave-based and feudal societies were unequal, so that must be the human condition. But this too is fallacious; there is no basis in evolutionary biology, history, anthropology, or what have you, to conclude that capitalist, market-based forms of social organization are somehow genetically embedded in homo sapiens.

You seem to be confusing the Enlightenment-inspired ideal of equality, the notion of human and social rights, with the obvious fact of variation from one individual to another. Of course, some people excel more than others at sports, math, language, music — and some are just plain smarter than most of the rest of us. Some are “industrious,” some are boneheads and slackers. Is that any excuse for a system in which countless millions toil at slave wages while a handful of billionaires control the world’s resources?

Capitalism subordinates social need to private accumulation. Inequality is not just an unfortunate side effect; it’s an essential feature. Marx told you a long time ago that under capitalism, wealth tends to concentrate at the top at the expense of the many, and history has proven it. Yes, there have been booms, as in the post-Word War II period, when living standards in the U.S. rose generally —thanks to the fearless struggles of socialist-minded workers who achieved a few significant social reforms. The data is incontrovertible, however, that for the past three decades or so, wages have stagnated even while productivity has increased. Since the financial collapse 2008, of course, matters have gotten much worse for broad swaths of the population, while the tiny layer at the top enjoys a share of the national income not seen since the robber baron days.

These levels of inequality are wholly incompatible with democracy. You correctly state that right now we have neither freedom nor equality. But that is no mere coincidence. With these levels of inequality, social explosion is inevitable. The ruling class cannot permit freedom in the face of such instability; in order to maintain control, there has to be mass surveillance of the population (brought to you by the NSA), ruthless police violence, and an exaggerated threat of terrorism to incite fear.

You say don’t tear down an economic system that provides me with the free time to indulge my fantasies. The implication here is that if capitalism has been OK for me, and I enjoy a reasonable level of material comfort, then it’s fine, and for those innumerable millions all over the world living in misery, sorry but life is unfair. This view is self-centered and short-sighted. You probably would agree that we should deplore racism even if we are not a victim of it. This is ordinary moral decency. Why is social inequality any different? Because you start from the mistaken assumption that inequality is somehow an immutable characteristic of human social organization, a pessimistic and defeatist worldview with no objective, scientific basis.

The good news is that there is considerable evidence to the contrary. Of course, there are both selfish and altruistic tendencies in human behavior. The solution is to create social structures that make it difficult for the selfish and greedy impulses of a few to screw everyone else. The hope — and there is reason for hope — is that when material want is a thing of the past, the need for extreme greed will diminish and eventually fall away.

A few hundred years ago, slavery and genocide were far more common than they are today. Those who advocated for the abolition of the slave trade were derided as dreamers, or worse. Nowadays, world opinion is virtually unanimous that genocide and slavery are wrong. This is progress, and there are other examples. Human society has progressed from slavocracy to feudalism to bourgeois democracy and capitalism. Fortunately, there is no reason to believe that capitalism is the endpoint of human social evolution. Quite the opposite is true: capitalism gives every indication of coming apart at the seams. What will follow? That is the big question.

My view is that world socialist revolution is the only way forward. The resources of the planet must be brought under the democratic control of the working class — meaning the overwhelming majority of humankind — and utilized rationally to meet the needs of people and the environment, rather than pillaged for the benefit of a tiny minority at the top. If you think this is an unrealistic goal, consider the alternative.

Top ten books — because you asked for it

Posted on September 11, 2014 | by Professor B | Leave a Comment

People on Facebook have inviting their FB friends to list the top ten books that have had the greatest impact in our lives. Some people start naming big-name classics like Cervantes, Tolstoy, Shakespeare, Joyce. This strikes me as rather uninteresting, but maybe I am just envious because I am not well-read in the classics. Others are surprisingly candid — or perhaps, naive — in listing some real crap, self-help junk, various pop-schlock titles. I guess I am somewhere between an intellectual and a moron; ignorant, but a snob.
Problem is, I can’t bring myself to do this top ten list. I have been living 50+ years and reading for so long that I no longer remember very well the books that had a great impact at the time I read them, even where their impact was indeed great. The more recently read books tend to displace the old ones. So most of my top ten would be things from the past five years or so. All right, let’s give it a try anyway:
(1) Nietszche – Thus Spoke Zarathustra. Made a huge impression on me when I was 16 years old, so it has to stay on the list. I may not have understood it deeply, but nevertheless.
(2) Juliet Schor – The Overworked American. I read it in the early 1990s and keep remembering it time and again, so it makes the list.
(3) Duke and Gross – America’s Longest War. Greatly informed my thinking about the so-called War on Drugs, which I have been observing from the perspective of a judiciary employee for the past 20 years.
(4) Mathieu Ricard – Happiness. Picked up a copy while looking for something to do at an airport in December 2006. The timing was perfect. It actually changed my life for the better, permanently.
(5) Michael Pollan – The Omnivore’s Dilemma. I was already leaning in the direction of a vegetarian diet, but after reading this, I changed the way I eat.
(6) The Gateless Barrier, a/k/a The Gateless Gate. I was a student at a zendo for about two and a half years, studying with a teacher. Maybe some of it was bullshit. But we went through this koan collection, and I did a lot of sitting (still do hit the mat every day). I know the exercise had a profound effect.
(7) Kurt Vonnegut – Slaughterhouse 5. I never read it until recently — a couple years ago. I think it’s one of the finest novels I have ever read.
(8) Haruki Murakami – 1Q84. It isn’t just this novel, but that it introduced me to this writer and I went on to read several more of his books. You talk about a work of fiction grabbing you in the first few pages. This one grabbed me and did not let go for the next 900+ pages. I don’t know what it is about this guy. He sees the world in a weird way that is peculiar to him, and yet… universal? “Remember: there is always only one reality.” Really?
(9) Don deLillo – Underground. The one that begins at the famous Dodgers-Giants game in 1959. Man, that was one fucking good book.
(10) Terry Eagleton – Why Marx Was Right. My father and I have a decades-long history of talking about politics, about which we generally agree, although I have moved to the left of him. He lent me this book, and it had an enormous impact. Hitherto, I had often said I would consider myself a socialist but for the fact that I had not read any Marx or Engels, much less Lenin or Trotsky. I went on to establish contact with some real, practicing Marxists. In a conversation with one of them — a particularly feisty and erudite old bastard whom I’ll call Fred — he scoffed at Why Marx Was Right, saying Eagleton was a “Catholic Marxist,” i.e., something of a joke. But this book got me started reading some of the works of Trotsky, Lenin, Marx, Engels, and finding out for myself what the political theory is. Combining that with readings of countless contemporary articles that use Marxist methods of analysis, attending some lectures, and observing world events unfold through my own eyes, my political education has advanced greatly in the past two or three years. I am a Marxist-Trotskyist. In this capitalist culture, much of what my generation has been taught about history and socialism is utter nonsense. I have developed a reasonable level of confidence in my ability to sort out the truth from the bullshit.

Running another Philadelphia marathon

Posted on November 20, 2013 | by Professor B | Leave a Comment

I never expected this. For over 20 years I was a typical jogger, going out two or three times a week for about four miles at a leisurely pace. With no goal other than fitness and enjoyment, I was unconcerned about going farther or faster. Suddenly I was 55 years old and lacing up my shoes for my fifth marathon.

It started in the winter of 2008, when a friend with marathon experience invited me to join him for a half marathon in Central Park, and I discovered that I enjoyed running nonstop for two hours. The idea of a marathon, hitherto almost inconceivable, became attractive. In the fall of that same year I ran Philly in 3:51, and loved it. I had the appropriate attitude of humility and respect for the distance, running a disciplined, well-regulated race the likes of which, ironically, I haven’t been able to match ever since.

Next was New York in 2009. By now I had moved to South Orange and fell in with a delightful gang of experienced, enthusiastic, and talented distance runners known as The South Mountain Running Collective. I became ambitious, and wanted to meet the Boston qualifying standard of 3:35. Like a fool, I went out too fast, and had to struggle and suffer to hang on over the last 10K, attaining the goal with only seconds to spare. Going out too fast is the classic mistake in distance running, though you might think it would not be so difficult to avoid.

But this performance got me to Boston in 2011, where I repeated the same error, albeit not as drastically: another positive split, but I beat my goal of 3:20 by five seconds, and easily qualified again for Boston in 2012. (Runners call it a negative split where the second half of a race is faster than the first, and it is well established that it is far more effective than the reverse.)

And how could I resist going back to Boston again? I could not, and trained with a view to another personal record (or PR, which is also a verb in runnerspeak) of about 3:17. But the temperatures were in the high 80s that day in April. We were forced to revise our plans and focus on simple survival. Hence my disappointing 3:43, 13 minutes short of Boston qualification (BQ) for my age group.

By now I was thinking it might be nice to get off the crazy train. Marathon training is a time- and energy-consuming pain in the ass, and try though we might to keep it tucked away in its own discreet little compartment, it inevitably has an impact on other people in our lives. And sometimes those people don’t like it. But could I really go out like that, credible excuse notwithstanding? With a 3:43?

No. In November 2013 I was back in Philadelphia again to settle accounts with the marathon gods. This time, however, the training cycle had been more challenging. It is not unusual to encounter setbacks of some kind during 20 weeks of training. Sickness, injuries, family dramas, the demands of work — in short, life — sometimes interfere. I had successfully navigated through bronchitis, a death in the family, and other challenges in previous training cycles. But this time injuries cost me a week and a half in August and several more days in October, and I was not able to get all the mileage I would have liked.

Even so, when I walked up to the line, I felt fit to run a successful marathon. The key workouts in the final stage of training had gone well. My injuries had subsided, the weather was fine, even my pre-race jitters seemed noticeably less severe than in the past. This time I did not have a fixed, specific goal. I thought 3:15 was conceivable, but decided anything up to 3:17:30 would be acceptable. And I had a plan, known as 10 + 10 + 10: go out relatively conservatively for the first 10 miles, i.e., at a 3:17:30 pace; pick it by a few seconds per mile for the next 10 miles; and for the last 10K, be in a position to pick up the pace even more, possibly enough to get me there in 3:15.

Once we got underway, embarrassing though it is to admit, I am not really sure what I was thinking. I do recall making a conscious effort to hold back initially. Over the first mile, traffic was congested, and I decided to go with it rather than fight. My first mile was a 7:42, but that was perfectly OK. A slow start was desirable; there was plenty of time to make it up.

For the next 18 miles or so, it seemed that nobody was in charge. The data on my GPS watch says that mile 2 was 7:18; mile 3, 7:08. For miles 4 and 5 I dialed it back to 7:24, but that was still about 8 seconds per mile too fast. The next few miles included a couple of moderate ones, and my average pace for the first 10 was around 7:30. The pushing and pulling continued over the second 10 miles, but the average overall was around 7:25 — consistent with the overall plan, yes, but too late because I had already blown too much energy in the first 10. By around mile 17 or 18 I was still feeling OK, but tired enough to predict that after 20 miles it was going to be hard to maintain the pace. Miles 22 to 25 were 7:40, 7:44, 7:48, 7:56, 7:55.

Crossing 26 with the crowds screaming encouragement, I was able to pick it up to a 6:53 pace, but over the last 10K I averaged about 7:48 and came in at 3:17:23. (The gory details are published at http://connect.garmin.com/activity/406675139.)

This marathon experience was different from the previous two in which I was seriously trying to reach a goal. In New York, the last 10K were hellish, but my addled mind had enough command of the numbers to understand that I would meet the BQ threshold if and only if I ran like hell. This motivated me to fight hard against the fatigue. The same was true in Boston in 2011: I knew the 3:20 mark was still within reach, but I had to dig. In this race, the goal was comparatively vague: sub-3:17:30, hopefully something closer to 3:15. For the last 10K I felt fatigue, but it wasn’t especially painful — I simply couldn’t convince myself to run faster. But I also felt pretty sure that the 3:17:30, and certainly the PR, was in the bag. That complacency probably hurt my cause; a bit of drama, pressure and anxiety might have provided helpful motivation.

3:17:23 represents a PR by over two minutes, and a Boston qualifier with over 22 minutes to spare; it was also good enough for 16th place among 319 men in the 55-59 age group. Maybe I ought to be happy with that. And although I am not completely disappointed with the bottom line, I am pretty disgusted with myself for not having better discipline. The objective numbers demonstrate that I had the fitness; the subjective experience of how smoothly the whole 26.2 went by, weak finish nothwithstanding, confirms it. I am almost certain I was physically prepared to run at least one, maybe even as much as two minutes faster. But I positive-split it by 1:22 and squandered this splendid opportunity.

Why is it so hard to slow down in those early miles? For me, I think one problem — if it can be considered a problem — is that proper marathon training really works. On race day you are fit, tuned up, but also tapered and rested — not to mention jacked up with the excitement. When the gun goes off and you start running, it is extremely difficult to believe that running can feel this easy and still be fast enough. It seems like you should be exerting at least a little bit. Even the minutes and seconds your watch displays at the mile markers do not convince. So, for me, the lesson is: believe it, bitch. It may even be that I could run a faster marathon next time by setting out to run it slower. Then there might be enough gas in the tank at the end to finish strong enough to get a better result.

Wait — did I just say next time? Uh, yeah, I guess I did. Which brings us back to where we started. I said I never expected to be running marathons, much less running them this fast. I said I would like to get off the crazy train, and maybe I will. But it isn’t easy. When you’re an athlete, you enjoy the challenge of seeing how well you can do, so you keep trying. Eventually the inevitable effects of age overcome the positive effects of training, but that’s no reason to give up prematurely. Another factor is that running marathons (and shorter races as well) is really cool, and fun, and profoundly rewarding. It gets into your bones and becomes part of your identity: you’re a runner. What’s the use of trying to be anybody else?