The post Which cities have people-watching street cafes? appeared first on Marginal REVOLUTION.

Comments

Intro – Testing Google Sites and Google Caja

In March 2018, I reported an XSS in Google Caja, a tool to securely embed arbitrary html/javascript in a webpage.
In May 2018, after the XSS was fixed, I realised that Google Sites was using an unpatched version of Google Caja, so I looked if it was vulnerable to the XSS. However, the XSS wasn’t exploitable there.

Google Caja parses html/javascript and modifies it to remove any javascript sensitive content, such as iframe or object tags and javascript sensitive properties such as document.cookie. Caja mostly parses and sanitizes HTML tags on the client side. However, for remote javascript tag (<script src=”xxx”>), the remote resource was fetched, parsed and sanitized on the server-side.
I tried to host a javascript file on my server (https://[attacker].com/script.js) and check if the Google Sites server would fall for the XSS when parsed server-side but the server replied that https://[attacker].com/script.js was not accessible.

After a few tests, I realised that the Google Sites Caja server would only fetch Google-owned resources like https://www.google.com or https://www.gstatic.com, but not any external resource like https://www.facebook.com.
That’s a strange behavior because this functionality is meant to fetch external resources so it looks like a broken feature. More interestingly, it is hard to determine whether an arbitrary URL belongs to Google or not, given the breadth of Google services. Unless…

 

Finding an SSRF in Google

Whenever I find an endpoint that fetches arbitrary content server-side, I always test for SSRF. I did it a hundred times on Google services but never had any luck. Anyway the only explanation for the weird behavior of the Google Caja server was that the fetching was happening on the internal Google network and that is why it could only fetch Google-owned resources but not external resources. I already knew this was a bug, now the question was whether it was a security bug!

It’s very easy to host and run arbitrary code on Google servers, use Google Cloud services! I created a Google App Engine instance and hosted a javascript file. I then used the URL of this javascript file on Google Sites as a external script resource and updated the Google Sites page. The javascript was successfully fetched and parsed by Google Caja server. I then checked my Google App Engine instance logs to see from where the resource was fetched and it came from 10.x.x.201, a private network IP! This looked very promising.

I used the private IP as the url for the Google Sites javascript external resource and waited for the moment of truth. The request took more than 30 seconds to complete and at that time I really thought the request was blocked and I almost closed the page since I never had any luck with SSRF on Google before. However, when Google Caja replied, I saw that the reply size wasn’t around 1 KB like for a typical error message but 1 MB instead! One million bytes of information coming from a 10.x.x.x IP from Google internal network, I can tell you I was excited at this point! 🙂
I opened the file and indeed it was full of private information from Google! \o/

 

Google, from the inside

First I want to say that I didn’t scan Google’s internal network. I only made 3 requests in the network to confirm the vulnerability and immediately sent a report to Google VRP. It took 48 hours to Google to fix the issue (I reported it on a Saturday), so in the meantime I couldn’t help but test 2-3 more requests to try to pivot the SSRF vulnerability into unrestricted file access or RCE but without luck.

The first request was to http://10.x.x.201/. It responded with a server status monitoring page of a “Borglet”. After a Google search, I could confirm that I was indeed inside Borg, Google’s internal large-scale cluster management system (here is a overview of the architecture). Google have open sourced the successor of Borg, Kubernetes in 2014. It seems that while Kubernetes is getting more and more popular, Google is still relying on Borg for its internal production infrastructure, but I can tell you it’s not because of the design of Borg interfaces!
The second request was to http://10.x.x.1/ and it was also a monitoring page for another Borglet. The third request was http://10.x.x.1/getstatus, a different status monitoring page of a Borglet with more details on the jobs like permissions, arguments.

Each Borglet represents a machine, a server.

On the hardware side, both servers were using Haswell’s CPU @2.30GHz with 72 cores, which corresponds to a set of 2 or 3 Xeon E5 v3. Both servers were using the CPUs at 77%. They had 250GB of RAM, which was used at 70%. They had 1 HDD each with 2TB and no SSD. The HDD were almost empty with only 15GB used, so the data is stored elsewhere.

The processing jobs (alloc and tasks) are very diverse, I believe this optimizes ressource usage with some jobs using memory, others using CPU, network, some with high priority, etc… Some services seem very active : Video encoding, Gmail and Ads. That should not be surprising since video processing is very heavy, Gmail is one of the main Google services and Ads is, well, Google’s core business. 😉
I didn’t see Google Sites or Caja in the jobs list, so either the SSRF was going through a proxy or the Borglet on 10.x.x.201 was from a different network than the 10.x.x.201 IP I saw in my Google App Engine instance logs.

Regarding the architecture, we can find jobs related to almost all of the components of the Google Stack, in particular MapReduce, BitTable, Flume, GFS…
On the technology side, Java seems to be heavily used. I didn’t see any mention of Python, C++, NodeJS or Go, but that doesn’t mean it wasn’t used so don’t draw conclusions. 😛
I should mention that Borg, like Kubernetes, relies on containers like Docker, and VMs. For video processing, it seems they are using Gvisor, a Google open-source tool that looks like a trade-off between containers performance and VMs security.

Parameters gives some information on how to reach the applications through network ports. On Borg, it seems that all applications on a server share the same IP address and each has some dedicated ports.

Apps arguments were the most fun part for me because it is almost code. I didn’t find Google Search secret algorithm but there was some cool queries like this:

MSCR(M(Customer.AdGroupCriterion+Customer.AdGroupCriterion-marshal+FilterDurianAdGroupCriterion+FilterNeedReviewAdGroupCriterion+GroupAdGroupCriterionByAdGroupKey+JoinAdGroupData/MakeUnionTable:3)+M(JoinAdGroupData/MakeUnionTable:2)+M(Customer.AdGroup+Customer.AdGroup-marshal+FilterDurianAdGroup+ParDo(AdGroupDataStripFieldsFn)+JoinAdGroupData/MakeUnionTable)+R(JoinAdGroupData/GroupUnionTables+JoinAdGroupData/ConstructJoinResults+JoinAdGroupData/ExtractTuples+ExtractCreativeAndKeywordReviewables))

If you wonder what’s Gmail system user, it’s

gmail@prod.google.com

There is also a user “legal-discovery@prod.google.com” that has permission “auth.impersonation.impersonateNormalUser” on “mdb:all-person-users” but that should not be a surprise to anybody.

There was also a little bit of history which showed that most jobs where aborted before finishing.

At last, there was a lot of url to other servers or applications endpoints. In particular, I tried to access a promising-looking http://wiki/ url but it didn’t work. I tested a

/getFile?FileName=/sys/borglet/borglet.INFO

url but got an unauthorized response. I also tried to change the FileName parameter but got error messages.

 

Google VRP response

I reported the issue on Saturday May 12, 2018, and it was automatically triaged as a P3 (medium priority) issue. On Sunday I sent an email to Google Security that they might want someone to have a look at this. On Monday morning the issue was escalated to P0 (critical) then later decreased to P1. On Monday night the vulnerable endpoint was removed and the issue fixed.

It’s not easy to determine the impact of an SSRF because it really depends on what’s in the internal network. Google tends to keep most of its infrastructure available internally and uses a lot of web endpoints, which means that in case of a SSRF, an attacker could potentially access hundreds if not thousands of internal web applications. On the other hand, Google heavily relies on authentication to access resources which limits the impact of a SSRF.
In this case, the Borglet status monitoring page wasn’t authenticated, and it leaked a lot of information about the infrastructure. My understanding is that in Kubernetes, this page is authenticated.

Google VRP rewarded me with $13,337, which corresponds to something like unrestricted file access! They explained that while most internal resources would require authentication, they have seen in the past dev or debug handlers giving access to more than just info leaks, so they decided to reward for the maximum potential impact. I’d like to thank them for the bounty and for their quick response. I hope they won’t beat me with a stick for disclosing any of this. 🙂

 

That’s it for this story, I hope you enjoyed it as much I did and feel free to comment!

Comments

[I am not a sleep specialist. Please consult with one before making any drastic changes or trying to treat anything serious.]

Van Geiklswijk et al describe supplemental melatonin as “a chronobiotic drug with hypnotic properties”. Using it as a pure hypnotic – a sleeping pill – is like using an AK-47 as a club to bash your enemies’ heads in. It might work, but you’re failing to appreciate the full power and subtlety available to you.

Melatonin is a neurohormone produced by the pineal gland. In a normal circadian cycle, it’s lowest (undetectable, less than 1 pg/ml of blood) around the time you wake up, and stays low throughout the day. Around fifteen hours after waking, your melatonin suddenly shoots up to 10 pg/ml – a process called “dim light melatonin onset”. For the next few hours, melatonin continues to increase, maybe as high as 60 or 70 pg/ml, making you sleepier and sleepier, and presumably at some point you go to bed. Melatonin peaks around 3 AM, then declines until it’s undetectably low again around early morning.

Is this what makes you sleepy? Yes and no. Sleepiness is a combination of the circadian cycle and the so-called “Process S”. This is an unnecessarily sinister-sounding name for the fact that the longer you’ve been awake, the sleepier you’ll be. It seems to be partly regulated by a molecule called adenosine. While you’re awake, the body produces adenosine, which makes you tired; as you sleep, the body clears adenosine away, making you feel well-rested again.

In healthy people these processes work together. Circadian rhythm tells you to feel sleepy at night and awake during the day. Process S tells you to feel awake when you’ve just risen from sleep (naturally the morning), and tired when you haven’t slept in a long time (naturally the night). Both processes agree that you should feel awake during the day and tired at night, so you do.

When these processes disagree for some reason – night shifts, jet lag, drugs, genetics, playing Civilization until 5 AM – the system fails. One process tells you to go to sleep, the other to wake up. You’re never quite awake enough to feel energized, or quite tired enough to get restful sleep. You find yourself lying in bed tossing and turning, or waking up while it’s still dark and not being able to get back to sleep.

Melatonin works on both systems. It has a weak “hypnotic” effect on Process S, making you immediately sleepier when you take it. It also has a stronger “chronobiotic” effect on the circadian rhythm, shifting what time of day your body considers sleep to be a good idea. Effective use of melatonin comes from understanding both these effects and using each where appropriate.

1. Is melatonin an effective hypnotic?

Yes.

That is, taking melatonin just before you want to get to sleep, does help you get to sleep. The evidence on this is pretty unanimous. For primary insomnia, two meta-analyses – one by Brzezinski in 2005 and another by Ferracioli-Oda in 2013 – both find it safe and effective. For jet lag, a meta-analysis by the usually-skeptical Cochrane Collaboration pronounces melatonin “remarkably effective”. For a wide range of primary and secondary sleep disorders, Buscemi et al say in their abstract that it doesn’t work, but a quick glance at the study shows it absolutely does and they are incorrectly under-reporting their own results. The Psychiatric Times agrees with me on this: “Results from another study reported as negative actually demonstrated a statistically significant positive result of a decrease in sleep latency by an average of 7.2 minutes for melatonin”.

Expert consensus generally follows the meta-analyses: melatonin works. I find cautious endorsements by the Mayo Clinic and John Hopkins less impressive than its less-than-completely-negative review on Science-Based Medicine, a blog I can usually count on for a hit job on any dietary supplement.

The consensus stresses that melatonin is a very weak hypnotic. The Buscemi meta-analysis cites this as their reason for declaring negative results despite a statistically significant effect – the supplement only made people get to sleep about ten minutes faster. “Ten minutes” sounds pretty pathetic, but we need to think of this in context. Even the strongest sleep medications, like Ambien, only show up in studies as getting you to sleep ten or twenty minutes faster; this New York Times article says that “viewed as a group, [newer sleeping pills like Ambien, Lunesta, and Sonata] reduced the average time to go to sleep 12.8 minutes compared with fake pills, and increased total sleep time 11.4 minutes.” I don’t know of any statistically-principled comparison between melatonin and Ambien, but the difference is hardly (pun not intended) day and night.

Rather than say “melatonin is crap”, I would argue that all sleeping pills have measurable effects that vastly underperform their subjective effects. The linked article speculates on one reason this might be: people have low awareness around the time they get to sleep, and a lot of people’s perception of whether they’re insomniac or not is more anxiety (or sometimes literally dream) than reality. This is possible, but I also think of this in terms of antidepressant studies, which find similarly weak objective effects despite patients (and doctors) who swear by them and say they changed their lives. If I had to guess, I would say that the studies include an awkward combination of sick and less-sick people and confuse responders and non-responders. Maybe this is special pleading. I don’t know. But if you think any sleeping pill works well, melatonin doesn’t necessarily work much worse than that.

Sleep latency statistics are hard to compare to one another because they’re so dependent on the study population. If your subjects take an hour to fall asleep, perhaps melatonin could shave off thirty-four minutes. But if your subjects take twenty minutes to fall asleep, then no sleeping pill will ever take off thirty-four minutes, and even an amazing sleeping pill might struggle to make fifteen. I cannot directly compare the people who say melatonin gives back ten minutes to the people who say melatonin gives back thirty-four minutes to the people who say Ambien gives back twelve, but my totally unprincipled guess is that melatonin is about a third as strong as Ambien. It also has about a hundred times fewer side effects, so there’s definitely a place for it in sleep medicine.

2. What is the right dose of melatonin?

0.3 mg.

“But my local drugstore sells 10 mg pills! When I asked if they had anything lower, they looked through their stockroom and were eventually able to find 3 mg pills! And you’re saying the correct dose is a third of a milligram?!”

Yes. Most existing melatonin tablets are around ten to thirty times the correct dose.

Many early studies were done on elderly people, who produce less endogenous melatonin than young people and so are considered especially responsive to the drug. Several lines of evidence determined that 0.3 mg was the best dose for this population. Elderly people given doses around 0.3 mg slept better than those given 3 mg or more and had fewer side effects (Zhdanova et al 2001). A meta-analysis of dose-response relationships concurred, finding a plateau effect around 0.3 mg, with doses after that having no more efficacy, but worse side effects (Brzezinski et al, 2005). And doses around 0.3 mg cause blood melatonin spikes most similar in magnitude and duration to the spikes seen in healthy young people with normal sleep (Vural et al, 2014).

Other studies were done on blind people, who are especially sensitive to melatonin since they lack light cues to entrain their circadian rhythms. This is a little bit of a different indication, since it’s being used more as a chronobiotic than a sleeping pill, but the results were very similar: lower doses worked better than higher doses. For example, in Lewy et al 2002, nightly doses of 0.5 mg worked to get a blind subject sleeping normally at night; doses of 20 mg didn’t. They reasonably conclude that the 20 mg is such a high dose that it stays in their body all day, defeating the point of a hormone whose job is to signal nighttime. Other studies on the blind have generally confirmed that doses of around 0.3 to 0.5 mg are optimal.

There have been disappointingly few studies on sighted young people. One such, Attenburrow et al 1996 finds that 1 mg works but 0.3 mg doesn’t, suggesting these people may need slightly higher doses, but this study is a bit of an outlier. Another Zhdanova study on 25 year olds found both to work equally. And Pires et al studying 22-24 year olds found that 0.3 mg worked better than 1.0. I am less interested in judging the 0.3 mg vs. 1.0 mg debate than in pointing out that both numbers are much lower than the 3 – 10 mg doses found in the melatonin tablets sold in drugstores.

UpToDate, the gold standard research database used by doctors, agrees with these low doses. “We suggest the use of low, physiologic doses (0.1 to 0.5 mg) for insomnia or jet lag (Grade 2B). High-dose preparations raise plasma melatonin concentrations to a supraphysiologic level and alter normal day/night melatonin rhythms.” Mayo Clinic makes a similar recommendation: they recommend 0.5 mg. John Hopkins’ experts almost agree: they say “less is more” but end up chickening out and recommending 1 to 3 mg, which is well above what the studies would suggest.

Based on a bunch of studies that either favor the lower dose or show no difference between doses, plus clear evidence that 0.3 mg produces an effect closest to natural melatonin spikes in healthy people, plus UpToDate usually having the best recommendations, I’m in favor of the 0.3 mg number. I think you could make an argument for anything up to 1 mg. Anything beyond that and you’re definitely too high. Excess melatonin isn’t grossly dangerous, but tends to produce tolerance and might mess up your chronobiology in other ways. Based on anecdotal reports and the implausibility of becoming tolerant to a natural hormone at the dose you naturally have it, I would guess sufficiently low doses are safe and effective long term, but this is just a guess, and most guidelines are cautious in saying anything after three months or so.

3. What are circadian rhythm disorders? How do I use melatonin for them?

Circadian rhythm disorders are when your circadian rhythm doesn’t match the normal cycle where you want to sleep at night and wake up in the morning.

The most popular circadian rhythm disorder is “being a teenager”. Teenagers’ melatonin cycle is naturally shifted later, so that they don’t want to go to bed until midnight or later, and don’t want to wake up until eight or later. This is an obvious mismatch with school starting times, leading to teenagers either not getting enough sleep, or getting their sleep at times their body doesn’t want to be asleep and isn’t able to use it properly. This is why every reputable sleep scientist and relevant scientific body keeps telling the public school system to start later.

When a this kind of late sleep schedule persists into adulthood or becomes too distressing, we call it Delayed Sleep Phase Disorder. People with DSPD don’t get tired until very late, and will naturally sleep late if given the chance. The weak version of this is “being a night owl” or “not being a morning person”. The strong version just looks like insomnia: you go to bed at 11 PM, toss and turn until 2 AM, wake up when your alarm goes off at 7, and complain you “can’t sleep”. But if you can sleep at 2 AM, consistently, regardless of when you wake up, and you would fall asleep as soon as your head hit the pillow if you first got into bed at 2, then this isn’t insomnia – it’s DSPD.

The opposite of this pattern is Advanced Sleep Phase Disorder. This is most common in the elderly, and I remember my grandfather having this. He would get tired around 6 PM, go to bed by 7, wake around 1 or 2 AM, and start his day feeling fresh and alert. But the weak version of this is the person who wakes up at 5 each morning even though their alarm doesn’t go off until 8 and they could really use the extra two hours’ sleep. These people would probably do fine if they just went to bed at 8 or 9, but the demands of work and a social life make them feel like they “ought” to stay up as late as everyone else. So they go to bed at 11, wake up at 5, and complain of “terminal insomnia”.

Finally, there’s Non-24-Hour-Sleep Disorder, where somehow your biological clock ended up deeply and unshakeably convinced that days on Earth are twenty-five (or whatever) hours long, and decides this is the hill it wants to die on. So if you naturally sleep 11 – 7 one night, you’ll naturally sleep 12 – 8 the next night, 1 to 9 the night after that, and so on until either you make a complete 24-hour cycle or (more likely) you get so tired and confused that you stay up 24+ hours and break the cycle. This is most common in blind people, who don’t have the visual cues they need to remind themselves of the 24 hour day, but it happens in a few sighted people also; Eliezer Yudkowsky has written about his struggles with this condition.

Melatonin effectively treats these conditions, but you’ve got to use it right.

The general heuristic is that melatonin drags your sleep time towards the direction of when you take the melatonin.

So if you want to go to sleep (and wake up) earlier, you want to take melatonin early in the day. How early? Van Geijlswijk et al sums up the research as saying it is most effective “5 hours prior to both the traditionally determined [dim light melatonin onset] (circadian time 9)”. If you don’t know your own melatonin cycle, your best bet is to take it 9 hours after you wake up (which is presumably about seven hours before you go to sleep).

What if you want to go to sleep (and wake up) later? Our understanding of the melatonin cycle strongly suggests melatonin taken first thing upon waking up would work for this, but as far as I know this has never been formally investigated. The best I can find is researchers saying that they think it would happen and being confused why no other researcher has investigated this.

And what about non-24-hour sleep disorders? I think the goal in treatment here is to advance your phase each day by taking melatonin at the same time, so that your sleep schedule is more dependent on your own supplemental melatonin than your (screwed up) natural melatonin. I see conflicting advice about how to do this, with some people saying to use melatonin as a hypnotic (ie just before you go to bed) and others saying to use it on a typical phase advance schedule (ie nine hours after waking and seven before sleeping, plausibly about 5 PM). I think this one might be complicated, and a qualified sleep doctor who understands your personal rhythm might be able to tell you which schedule is best for you. Eliezer says the latter regimen had very impressive effects for him (search “Last but not least” here). I’m interested in hearing from the MetaMed researcher who gave him that recommendation on how they knew he needed a phase advance schedule.

Does melatonin used this way cause drowsiness (eg at 5 PM)? I think it might, but probably such a minimal amount compared to the non-sleep-conduciveness of the hour that it doesn’t register.

Melatonin isn’t the only way to advance or delay sleep phase. Here is a handy cheat sheet of research findings and theoretical predictions:

TO TREAT DELAYED PHASE SLEEP DISORDER (ie you go to bed too late and wake up too late, and you want it to be earlier)
– Take melatonin 9 hours after wake and 7 before sleep, eg 5 PM
– Block blue light (eg with blue-blocker sunglasses or f.lux) after sunset
– Expose yourself to bright blue light (sunlight if possible, dawn simulator or light boxes if not) early in the morning
– Get early morning exercise
– Beta-blockers early in the morning (not generally recommended, but if you’re taking beta-blockers, take them in the morning)

TO TREAT ADVANCED PHASE SLEEP DISORDER (ie you go to bed too early and wake up too early, and you want it to be later)
– Take melatonin immediately after waking
– Block blue light (eg with blue-blocker sunglasses or f.lux) early in the morning
– Expose yourself to bright blue light (sunlight if possible, light boxes if not) in the evening.
– Get late evening exercise
– Beta-blockers in the evening (not generally recommended, but if you’re taking beta-blockers, take them in the evening)

These don’t “cure” the condition permanently; you have to keep doing them every day, or your circadian rhythm will snap back to its natural pattern.

What is the correct dose for these indications? Here there is a lot more controversy than the hypnotic dose. Of the nine studies van Geijlswijk describes, seven have doses of 5 mg, which suggests this is something of a standard for this purpose. But the only study to compare different doses directly (Mundey et al 2005) found no difference between a 0.3 and 3.0 mg dose. The Cochrane Review on jet lag, which we’ll see is the same process, similarly finds no difference between 0.5 and 5.0.

Van Geijlswijk makes the important point that if you take 0.3 mg seven hours before bedtime, none of it is going to be remaining in your system at bedtime, so it’s unclear how this even works. But – well, it is pretty unclear how this works. In particular, I don’t think there’s a great well-understood physiological explanation for how taking melatonin early in the day shifts your circadian rhythm seven hours later.

So I think the evidence points to 0.3 mg being a pretty good dose here too, but I wouldn’t blame you if you wanted to try taking more.

4. How do I use melatonin for jet lag?

Most studies say to take a dose of 0.3 mg just before (your new time zone’s) bedtime.

This doesn’t make a lot of sense to me. It seems like you should be able to model jet lag as a circadian rhythm disorder. That is, if you move to a time zone that’s five hours earlier, you’re in the exact same position as a teenager whose circadian rhythm is set five hours later than the rest of the world’s. This suggests you should use DSPD protocol of taking melatonin nine hours after waking / five hours before DLMO / seven hours before sleep.

My guess is for most people, their new time zone bedtime is a couple of hours before their old bedtime, so you’re getting most of the effect, plus the hypnotic effect. But I’m not sure. Maybe taking it earlier would work better. But given that the new light schedule is already working in your favor, I think most people find that taking it at bedtime is more than good enough for them.

5. I try to use melatonin for sleep, but it just gives me weird dreams and makes me wake up very early

This is my experience too. When I use melatonin, I find I wake the next morning with a jolt of energy. Although I usually have to grudgingly pull myself out of bed, melatonin makes me wake up bright-eyed, smiling, and ready to face the day ahead of me…

…at 4 AM, invariably. This is why despite my interest in this substance I never take melatonin myself anymore.

There are many people like me. What’s going on with us, and can we find a way to make melatonin work for us?

This bro-science site has an uncited theory. Melatonin is known to suppress cortisol production. And cortisol is inversely correlated with adrenaline. So if you’re naturally very low cortisol, melatonin spikes your adrenaline too high, producing the “wake with a jolt” phenomenon that I and some other people experience. I like the way these people think. They understand individual variability, their model is biologically plausible, and it makes sense. It’s also probably wrong; it has too many steps, and nothing in biology is ever this elegant or sensible.

I think a more parsimonious theory would have to involve circadian rhythm in some way. Even an 0.3 mg dose of melatonin gives your body the absolute maximum amount of melatonin it would ever have during a natural circadian cycle. So suppose I want to go to bed at 11, and take 0.3 mg melatonin. Now my body has a melatonin peak (usually associated with the very middle of the night, like 3 AM) at 11. If it assumes that means it’s really 3 AM, then it might decide to wake up 5 hours later, at what it thinks is 8 AM, but which is actually 4.

I think I have a much weaker circadian rhythm than most people – at least, I take a lot of naps during the day, and fall asleep about equally well whenever. If that’s true, maybe melatonin acts as a superstimulus for me. The normal tendency to wake up feeling refreshed and alert gets exaggerated into a sudden irresistable jolt of awakeness.

I don’t know if this is any closer to the truth than the adrenaline theory, but it at least fits what we know about circadian rhythms. I’m going to try to put some questions about melatonin response on the SSC survey this year, so start trying melatonin now so you can provide useful data.

What about the weird dreams?

From a HuffPo article:

Dr. Rafael Pelayo, a Stanford University professor of sleep medicine, said he doesn’t think melatonin causes vivid dreams on its own. “Who takes melatonin? Someone who’s having trouble sleeping. And once you take anything for your sleep, once you start sleeping more or better, you have what’s called ‘REM rebound,’” he said.

This means your body “catches up” on the sleep phase known as rapid eye movement, which is characterized by high levels of brain-wave activity.

Normal subjects who take melatonin supplements in the controlled setting of a sleep lab do not spend more time dreaming or in REM sleep, Pelayo added. This suggests that there is no inherent property of melatonin that leads to more or weirder dreams.

Okay, but I usually have normal sleep. I take melatonin sometimes because I like experimenting with psychotropic substances. And I still get some really weird dreams. A Slate journalist says he’s been taking melatonin for nine years and still gets crazy dreams.

We know that REM sleep is most common towards the end of sleep in the early morning. And we know that some parts of sleep structure are responsive to melatonin directly. There’s a lot of debate over exactly what melatonin does to REM sleep, but given all the reports of altered dreaming, I think you could pull together a case that it has some role in sleep architecture that promotes or intensifies REM.

6. Does this relate to any other psychiatric conditions?

Probably, but this is all still speculative.

Seasonal affective disorder is the clearest suspect. We know that the seasonal mood changes don’t have anything to do with temperature; they seem to be based entirely on winter having shorter (vs. summer having longer) days.

There’s some evidence that there are two separate kinds of winter depression. In one, the late sunrises train people to a late circadian rhythm and they end up phase-delayed. In the other, the early sunsets train people to an early circadian rhythm and they end up phase-advanced. Plausibly SAD also involves some combination of the two where the circadian rhythm doesn’t know what it’s doing. In either case, this can make sleep non-circadian-rhythm-congruent and so less effective at doing whatever it is sleep does, which causes mood problems.

How does sunrise time affect the average person, who is rarely awake for the sunrise anyway and usually sleeps in a dark room? I think your brain subconsciously “notices” the time of the dawn even if you are asleep. There are some weird pathways leading from the eyes to the nucleus governing circadian rhythm that seem independent of any other kind of vision; these might be keeping tabs on the sunrise if even a little outside light is able to leak into your room. I’m basing this also on the claim that dawn simulators work even if you sleep through them. I don’t know if people get seasonal affective disorder if they sleep in a completely enclosed spot (eg underground) where there’s no conceivable way for them to monitor sunrise times.

Bright light is the standard treatment for SAD for the same reason it’s the standard treatment for any other circadian phase delay, but shouldn’t melatonin work also? Yes, and there are some preliminary studies (paper, article) showing it does. You have to be a bit careful, because some people are phase-delayed and others phase-advanced, and if you use melatonin the wrong way it will make things worse. But for the standard phase-delay type of SAD, normal phase advancing melatonin protocol seems to go well with bright light as an additional treatment.

This model also explains the otherwise confusing tendency of some SAD sufferers to get depressed in the summer. The problem isn’t amount of light, it’s circadian rhythm disruption – which summer can do just as well as winter can.

I’m also very suspicious there’s a strong circadian component to depression, based on a few lines of evidence.

First, one of the most classic symptoms of depression is awakening in the very early morning and not being able to get back to sleep. This is confusing for depressed people, who usually think of themselves as very tired and needing to sleep more, but it definitely happens. This fits the profile for a circadian rhythm issue.

Second, agomelatine, a melatonin analogue, is an effective (ish) antidepressant.

Third, for some reason staying awake for 24+ hours is a very effective depression treatment (albeit temporary; you’ll go back to normal after sleeping). This seems to sort of be a way of telling your circadian rhythm “You can’t fire me, I quit”, and there are some complicated sleep deprivation / circadian shift protocols that try to leverage it into a longer-lasting cure. I don’t know anything about this, but it seems pretty interesting.

Fourth, we checked and depressed people definitely have weird circadian rhythms.

Last of all, bipolar has a very strong circadian component. There aren’t a whole lot of lifestyle changes that really work for preventing bipolar mood episodes, but one of the big ones is keeping a steady bed and wake time. Social rhythms therapy, a rare effective psychotherapy for bipolar disorder, revolves around training bipolar people to control their circadian rhythms.

Theories of why circadian rhythms matter so much revolve either around the idea of pro-circadian sleep – that sleep is more restorative and effective when it matches the circadian cycle – or the idea of multiple circadian rhythms, with the body functioning better when all of them are in sync.

7. How can I know what the best melatonin supplement is?

Labdoor has done purity tests on various brands and has ranked them for you. All the ones they highlight are still ten to thirty times the appropriate dose (also, stop calling them things like “Triple Strength!” You don’t want your medications to be too strong!). As usual, I trust NootropicsDepot for things like this – and sure enough their melatonin (available on Amazon) is exactly 0.3 mg. God bless them.

New iOS app and web service that makes it easy for people to book appointments with you. From their blog announcement, on what makes WhenWorks unique:

There are many competitive services in this space. What they all have in common is that they are purely web-based solutions. What makes WhenWorks unique is that it is a mobile app that integrates directly with the Calendar app on your iOS device, is far easier to configure and use, more secure, and always with you when you need it.

WhenWorks supports all of the leading calendar services (iCloud, Google Calendar, Office 365 and Outlook.com) but is particularly well-suited for those who use iCloud, due to its deep integration with the built-in Calendar on iOS.

WhenWorks was founded by John Chaffee, of BusyMac and, back in the day, Now Up-to-Date fame, and he’s put together a really good team. The pricing is outstanding too: 14-day free trial, free-to-use for up to five appointments per month after that, and just $5/month for the pro account with no limits.

It’s a really great app, and setting it up couldn’t be easier. Worth checking it out just to examine the UI and on-boarding process, and if you’re the sort of person who has a busy calendar packed with appointments, you’re nuts if you don’t try it.

I am sure we’ve all read and wondered about God’s command to Christian wives: “Wives, submit to your own husbands, as to the Lord” (Ephesians 5:22). It seems that in the God-ordained ordering of a Christian household, God intends husbands and wives to accept differing but complementary roles and for the wife to do this, she needs to focus on the way she and her husband and all the church of Christ submit to their Savior. There must be some study and some imitation. I found myself considering this one day so, as much as possible, put wives and husbands out of my mind and simply asked this: How does the church submit to Jesus Christ? Here’s what I came up with.

The Church Submits Obediently

First, the church submits obediently, or out of obedience. Jesus Christ is king over the world and everyone in it. Jesus declared this to his disciples when he said, “All authority in heaven and on earth has been given to me.” Those are words of kingship. Jesus reigns and rules over all that is, a theme we see in cascading clarity as Scripture moves toward its close. In Revelation 1:5 we hear of: “Jesus Christ the faithful witness, the firstborn of the dead, and the ruler of kings on earth.” Jesus is king over every other king. Then in Revelation 19:16 we read this fascinating description of him: “On his robe and on his thigh he has a name written, King of kings and Lord of lords.” Jesus Christ is the king of the universe and obedience demands that we submit to his rule. To be obedient to God we must submit to Jesus Christ.

The Church Submits Willingly

Second, the church submits willingly. There is a facet to submission that is too often overlooked: Submission cannot be forced, but must be voluntary. That’s because submission is not the same as subjection. Subjection is an action taken by the one with authority where submission is an action taken by the one under authority.

Subjection is the act of a ruler to force obedience. He uses fear or force to break the wills of people so they eventually surrender to him. They give up and wave the white flag. They’ve been conquered. Submission is the act of someone who acknowledges legitimate authority and arranges himself accordingly. Submission is voluntary. It is responding to the divine order of things first in the heart and then in the life. The church is not in subjection to Jesus Christ; we haven’t been ruthlessly conquered by him. No, the church has been won by Jesus Christ, so we willingly submit to him. We acknowledge his right to rule, we acknowledge his overwhelming love, we respond to his Spirit, and we arrange ourselves accordingly.

The Church Submits Confidently

Third, the church submits confidently. When we become Christians, we enter into a relationship with Jesus. Other people may know about Jesus, they may know some facts about him, but as Christians we know Jesus. We aren’t submitting to some abstract entity or far-off deity, but to someone who is here with us, dwelling within us by his Spirit. And to know Jesus is to have confidence in Jesus. We soon learn that God’s blessings flow to us through Jesus. We learn that our lives are at peace as we live according to his ways. We learn that there is great benefit in responding to his leadership with joy and love. We learn he will never lead us astray, that he is only ever acting in love, that he is gentle and kind and patient toward us. So our submission to him is confident, not apprehensive. It is certain, not suspicious. We know him and trust him and joyfully, confidently submit to his leadership.

The Church Submits Actively

Fourth, church submits actively. God has made each of us a unique, hand-crafted individual. We are unique in our personalities, our talents, our gifting, our passions, our experiences. And when we submit to Jesus Christ, we submit all of that to him. We trust that he will work not despite these but through these. He’s not going to take them all away and make us completely the same as every other Christian. Sanctification is not becoming some generic being and it is not becoming someone else—it’s becoming the truest and best and holiest version of ourselves. Our submission is all about asking how God has made us and then actively using all of those things in his service. Our submission is handing to him all we have and all we are and saying “I submit this to your purposes. Please use it.”

The Church Submits Completely

Finally, the church submits completely. We submit to him all the way. Our submission to Christ is wholehearted. As Christians, we don’t get the option of submitting only part of the way. You might think about the parable of the talents. The servants who were rewarded were the ones who invested every talent that had been given them, and who invested them all the way. What do we call half-hearted or half-way submission to Jesus Christ? We call it sin! What do we call grudging submission to Jesus Christ? We call it sin! When we put our faith in Jesus Christ, we choose to submit to him entirely We choose to dedicate our whole lives to knowing what he calls us to and then doing it. We have a deep longing to submit to him in everything—to know all his will so we can do all his will.

Imitate this Submission!

The church of Christ submits to Christ, and in this way provides an important model for every lesser form of submission. The church submits obediently, willingly, confidently, actively, and completely. So must we all in any relationship in which God calls us to acknowledge authority and to arrange ourselves accordingly.

As a Christian husband, you are not left wondering or speculating about what it means to carry out your role in a way that pleases God and blesses your wife. To the contrary, the Bible provides clear guidance: You are to love your wife as Christ loves his church. In the closing verses of Ephesians 5, Paul describes how, out of love, Christ sacrificed himself to do for you what you could not do for yourself. Out of love he sanctified you to God’s purposes, to set you apart so you could live the life God created you to live. Out of love, he purified you, so he could put aside the sin that hinders you and instead give you his righteousness. He did this by the word of the gospel and through it all has a great and final purpose in mind. This is how Christ loved the church, so this is how a husband is to love his wife. Let me tease that out under these headings.

Love Your Wife with a Sacrificial Love

Husband, love your wife with a sacrificial love. I think every husband is willing to make the ultimate sacrifice for his wife. Wouldn’t you? If someone was holding you and your wife hostage and said, “One of you needs to die” I’m sure you’d put yourself forward. “Take me, spare her.” Good! You’ll die for her, but will you live for her? This is not a one-time act where you get to go out in a blaze of glory and get written up in the newspaper, but a day-by-day dying to yourself for her sake.

Are you willing to make those day-by-day sacrifices? Will you hold loosely to your time so you can invest it in her? Will you hold loosely to your preferences so you can cede to hers? Will you let go of some of your dreams so she can achieve hers? Will you be utterly ferocious with your sin so you can be kind and gentle with her? Ultimately, will you live more for her good than for your own? This is not a difficult burden but a tremendous honor.

Love Your Wife with a Sanctifying Love

Husband, love your wife with a sanctifying love. Jesus died so that he could set apart his bride for service to God. You need to understand that your wife doesn’t exist first for your pleasure, your joy, or your comfort. She exists first for God. Yes, she has been set apart to you, but only so you can help her be ever-more set apart to God.

Your wife exists to bring glory to God by doing good to others. This means your task as a loving husband is to be committed and creative in helping her do this. It’s your task to help her unleash her gifts, her talents, her passions, her interests in doing good to others and bringing glory to God. Love her with a sanctifying love, a love that ensures she is being set apart to do what God calls her to do and to be who God calls her to be.

Love Your Wife with a Purifying Love

Husband, love your wife with a purifying love. If a wife is to submit it means a husband is to lead, and a key part of that leadership is leading, guiding, and assisting her along the path to holiness. This puts a call on you to grow in holiness first. How can you possibly lead her where you’ve never been or where you refuse to go? You need to identify your own sin and ruthlessly put it to death. It falls to you to lead the way in holiness, to lead the way in love, in character, in worship, in repentance, in maturity. And then you have the honor of accompanying her as she grows in holiness.

Now let’s be clear: Holiness is not about correcting all of those little flaws and foibles you find annoying. It’s not about perfectly conforming her to your will. It’s all about helping her grow in purity before God. It’s about helping her put sin to death so she can come alive to righteousness. It’s rejoicing in who God is making her to be. It’s identifying God’s grace in her life. It’s encouraging her in her spiritual growth and praising and thanking God for every bit of it. It’s helping her be as pure and holy as she can possibly be. Do you love your wife with a purifying love?

Love Your Wife with a Gospel Love

Husband, love your wife with a gospel love. Christ washes his church with the water of the word, which is the gospel, and in the same way, you are to wash your wife with the water of the word which is the gospel. This means your husbanding is to be drenched in the gospel. Your love is to be shaped by the gospel. Your voice is to speak the gospel. Your life is to display the gospel. You need to speak truth to your wife, to lead her to the Word of God, to remind her of those precious gospel truths, to pray with her, to worship with her.

Are you washing your wife with the water of the gospel? If you do nothing else in marriage, read the Bible and pray with your wife. Make this a daily discipline. There are few things God uses in richer ways than a husband and wife together in the Word and together on their knees.

Love Your Way with a Purposeful Love

Husband, love your wife with a purposeful love. Wedding ceremonies are occasions of great joy, but even then there is always just a hint of sorrow because we need to acknowledge from the very beginning that there will be an end. This is why we make vows to one another that say something like, “Til death do us part.” You may get 60 or even 70 years with that bride, but then one of you will die and in that moment, the marriage will be over. But she will not be over. Your wife will not cease to exist the moment she dies. No, if she is in Christ, her life will just be getting started. She has a glorious and never-ending future beyond the grave.

You need to keep that in view. Your task as a husband, and your great joy, is to help prepare her for what awaits her in eternity. It’s helping her become today what she will be fully then. It’s receiving glimpses of who and what she will be in glory. You, my friend, have the joy of helping her toward that great day. God has chosen and appointed you as the one who will accompany her, who will lead her, who will guide her, who will protect her, who will know her deepest, who will love her best, on her way to that celestial city.

So, Live For Her

So resolve to live for her, to sacrifice all you’ve got for her good. Love her with a sanctifying love that is committed to setting her apart for the great purpose God has for her. Love her with a purifying love that helps her put sin to death and come alive to righteousness. Love her with a love that is shaped by the gospel and whose content is the gospel. Love her with a purposeful love that fixes in your mind and heart the great day when she will be all that God has created her to be. Will you even recognize her in that day for all her splendor, for all her perfection? She will be perfect then, unblemished by even the smallest sin, undefiled by even the tiniest trace of depravity. She will be beautiful and radiant and glorious beyond belief.

Christ awaits the day when he will present the church to himself in splendor, without spot or wrinkle or any such thing, that she might be holy and without blemish. That is his great goal and he longs for that day. Shouldn’t you then fix in your mind the image of you presenting your wife to Christ? “Here is the wife you entrusted to me. Isn’t she radiant! Isn’t she beautiful! I’ve loved her. I’ve sacrificed for her. I’ve washed her with the word of your gospel. I’ve seen her grow in righteousness and holiness. And now I present her to you.” What an honor, what a blessing, that God has chosen you to accompany her to that place, to that day.