UnboundID LDAP SDK for Java 4.0.9

We have just released version 4.0.9 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository, from the Files page of our SourceForge repository, and from the Maven Central Repository.

The most significant changes included in this release are:

  • Updated the command-line tool framework to allow tools to have descriptions that are comprised of multiple paragraphs.
  • Updated the support for passphrase-based encryption to work around an apparent JVM bug in the support for some MAC algorithms that could cause them to create an incorrect MAC.
  • Updated all existing ArgumentValueValidator instances to implement the Serializable interface. This can help avoid errors when trying to serialize an argument configured with one of those validators.
  • Updated code used to create HashSet, LinkedHashSet, HashMap, LinkedHashMap, and ConcurrentHashMap instances with a known set of elements to use better algorithms for computing the initial capacity for the map to make it less likely to require the map to be dynamically resized.
  • Updated the LDIF change record API to make it possible to obtain a copy of a change record with a given set of controls.
  • Added additional methods for obtaining a normalized string representation of JSON objects and value components. The new methods provide more control over case sensitivity of field names and string values, and over array order.
  • Improved support for running in a JVM with a security manager that prevents setting system properties (which also prevents access to the System.getProperties method because the returned map is mutable).

UnboundID LDAP SDK for Java 4.0.8

We have just released version 4.0.8 of the UnboundID LDAP SDK for Java. It is available for download from the releases page of our GitHub repository (https://github.com/pingidentity/ldapsdk/releases), from the Files page of our SourceForge repository (https://sourceforge.net/projects/ldap-sdk/files/), and from the Maven Central Repository (https://search.maven.org/search?q=g:com.unboundid%20AND%20a:unboundid-ldapsdk&core=gav).

The most significant changes included in this release are:

  • Fixed a bug in the modrate tool that could cause it to use a fixed string instead of a randomly generated one as the value to use in modifications.
  • Fixed an address caching bug in the RoundRobinDNSServerSet class. An inverted comparison could cause it to use cached addresses after they expired, and to not use cached addresses that weren’t expired.
  • Updated the ldapmodify tool to remove the restriction that prevented using arbitrary controls with an LDAP transaction or the Ping-proprietary multi-update extended operation.
  • Updated a number of locations in the code that caught Throwable so that they re-throw the original Throwable instance (after performing appropriate cleanup) if that instance was an Error or perhaps a RuntimeException.
  • Added a number of JSONObject convenience methods to make it easier to get the value of a specified field as a string, Boolean, number, object, array, or null value.
  • Added a StaticUtils.toArray convenience method that can be useful for converting a collection to an array when the type of element in the collection isn’t known at compile time.
  • Added support for parsing audit log messages generated by the Ping Identity Directory Server for versions 7.1 and later, including generating LDIF change records that can be used to revert change records (if the audit log is configured to record changes in a reversible form).

Ping Identity Directory Server 7.0.1.0

The Ping Identity Directory Server version 7.0.1.0 has been released and is available for download from the Ping Identity website, along with the Directory Proxy Server, Data Synchronization Server, Data Metrics Server, Server SDK, and Delegated User Admin.

The release notes include a summary of the changes included in this release, but the major enhancements include:

  • Updates to the Delegated Admin application, including managing group memberships.
  • The mirror virtual attribute has been updated to make it possible to mirror the values of a specified attribute in another entry whose DN is computed in a manner that is relative to the target entry’s DN.
  • The Directory Proxy Server’s failover load-balancing algorithm has been updated to make it possible to consistently route requests targeting different branches to different sets of servers. This is useful to help distribute load more evenly across servers while still avoiding potential problems due to propagation delay.
  • Added a new replication state detail virtual attribute that provides more detailed information about an entry’s replication state.
  • Improved the server’s behavior when attempts to write to a client are blocked.
  • Added support for unbound GSSAPI connections that are not tied to any specific server instance and work better in some kinds of load-balanced environments.
  • Updated JMX MBean support so that keys and values better conform to best practices by default.

UnboundID LDAP SDK for Java 4.0.7

We have just released the UnboundID LDAP SDK for Java version 4.0.7, available for download from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository. The most significant changes in this release include:

  • Fixed an issue in the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes when created with a connection that is already established and authenticated (as opposed to being created from a server set and bind request). Internally, the LDAP SDK created its own server set and bind request from the provided connection’s state information, but it incorrectly included bind credentials in the server set. Under most circumstances, this would merely cause the LDAP SDK to send two bind requests (the second a duplicate of the first) when establishing a new connection as part of the pool. However, it caused a bigger problem when using the new setBindRequest methods that were introduced in the 4.0.6 release. Because the server set was created with bind credentials, the pool would create a connection that tried to use those old credentials before sending a second bind request with the new credentials, and this would fail if the old credentials were no longer valid.
  • Fixed an issue with the behavior that the LDAP SDK exhibited when configured to automatically follow referrals. If the server returned a search result reference that the LDAP SDK could not follow (for example, because none of the URLs were valid, none of the servers could be reached, none of the searches succeeded in those servers, etc.), the LDAP SDK would assign a result code of “referral” to the search operation, which would cause it to throw an exception when the search completed (as is the case for most non-success result codes). The LDAP SDK will no longer override the result code for the search operation, but will instead use whatever result code the server returned in its search result done message. Any search result references that the LDAP SDK could not automatically follow will be made available to the caller through the same mechanism that would have been used if the SDK had not been configured to automatically follow referrals (that is, either hand them off to a search result listener or collect them in a list to include in the search result object). The LDAP SDK was already making the unfollowable search result references available in this manner, but the client probably wouldn’t have gotten to the point of looking for them because of the exception resulting from the overridden operation result code.
  • Added a new LDAPConnectionPoolHealthCheck.performPoolMaintenance method that can be used to perform processing on the pool itself (rather than on any individual connection) at regular intervals as specified by the connection pool’s health check interval. This method will be invoked by the health check thread after all other periodic health checking is performed.
  • Added a new PruneUnneededConnectionsLDAPConnectionPoolHealthCheck class that can be used to monitor the size of a connection pool over time, and if the number of available (that is, not currently in use) connections is consistently greater than a specified minimum for a given length of time, then the number of connections in the pool can be reduced to that minimum. This can be used to automatically shrink the size of the pool during periods of reduced activity.
  • Updated the Schema class to provide additional constructors and methods that can be used to attempt to retrieve the schema without silently ignoring errors about unparsable elements. Previously, if a schema entry contained one or more unparsable elements, they would be silently ignored. It is now possible to more easily obtain information about unparsable elements or to have the LDAP SDK throw an exception if it encounters any unparsable elements.
  • Added createSubInitialFilter, createSubAnyFilter, and createSubFinalFilter methods to the Filter class that are more convenient to use than the existing createSubstringFilter methods for substring filters that only have one type of component.
  • Updated the Entry.diff method when operating in reversible mode so that when altering the values of an existing attribute, the delete modifications will be ordered before the add modifications. Previously, the adds came before the deletes, but this could cause problems in some directory servers, especially when the modifications are intended to change the case of a value in a case-insensitive attribute (for example, the add could be ignored or rejected because the value already exists in the entry, or the delete could end up removing the value entirely). Ordering the deletes before the adds should provide much more reliable results.
  • Updated the modrate tool to add a new “--valuePattern” argument that can be used to specify the pattern to use to generate new values. This argument is an alternative to the “--valueLength” and “--characterSet” arguments and allows for more flexibility in the types of values that can be generated.
  • Updated the manage-account tool so that the arguments related to TOTP secrets are marked sensitive. This will ensure that the value is not displayed in the clear in certain cases like interactive mode output or tool invocation logging.
  • Added a new “streamfile” value pattern component that operates like the existing “sequentialfile” component except that it limits the amount of the file that is read into memory at any given time, so it is more suitable for reading values from very large files.
  • Added a new “timestamp” value pattern component that can be used to include either the current time or a randomly selected time from a given range in a variety of formats.
  • Added a new “uuid” value pattern component that can be used to include a randomly generated universally unique identifier (UUID).
  • Added a new “random” value pattern component that can be used to include a specified number of randomly selected characters from a given character set.
  • Added a StaticUtils.toUpperCase method to complement the existing StaticUtils.toLowerCase method.
  • Added Validator.ensureNotNullOrEmpty methods that work for collections, maps, arrays, and character sequences.
  • Added LDAPTestUtils methods that can be used to make assertions about the diagnostic message of an LDAP result or an LDAP exception.
  • Added client-side support for a new exec task that can be used to invoke a specified command in the Ping Identity Directory Server (subject to security restrictions imposed by the server).
  • Added client-side support for a new file retention task that can be used to examine files in a specified directory, identify files matching a given pattern, and delete any of those files that do not match count-based, age-based, or size-based criteria.
  • Added client-side support for a new delay task that can be used to sleep for a specified period of time, until the server work queue reports that all worker threads are idle and there are no pending operations, or until a given search or set of searches match at least one entry. The delay task is primarily intended to be used as a spacer between other tasks in a dependency chain.
  • Updated support for the ignore NO-USER-MODIFICATION request control to make it possible to set the criticality when creating an instance of the control. Previously, new instances were always critical.
  • Updated the ldapmodify tool to include the ignore NO-USER-MODIFICATION request control in both add and modify requests if the --ignoreNoUserModification argument was provided. Previously, that argument only caused the control to be included in add requests. Further, the control will now be marked non-critical instead of critical.
  • Updated the task API to add support for a number of new properties, including the email addresses of users to notify on task start and successful completion (in addition to the existing properties specifying users to email on error or on any type of completion), and flags indicating whether the server should alert on task start, successful completion, or failure.
  • Updated the argument parser’s properties file support so that it expects the file to use the ISO 8859-1 encoding, and to support Unicode escape sequences that are comprised of a backslash followed by the letter u and four hexadecimal digits.
  • Updated the tool invocation logger to add a failsafe mechanism for preventing passwords from being included in the log. Although it will already redact the values of any arguments that are declared sensitive, it will now also redact the values of any arguments whose name suggests that their value is a password.
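The Entry.diff ordering change in the list above is easier to see with a small model. The following is an added example, not code from the LDAP SDK: it models a case-insensitive attribute in Python (the class and function names are hypothetical) and applies a case-only change with the adds first and with the deletes first, under both server behaviors the item mentions (rejecting or ignoring an add of an existing value).

```python
"""Model of a case-insensitive attribute showing why delete-before-add matters.

Added illustration only; names are hypothetical and this is not the
LDAP SDK's Entry.diff implementation or any server's modify logic.
"""


class CaseIgnoreAttribute:
    """Values compare equal ignoring case; the stored spelling is preserved."""

    def __init__(self, values):
        self._values = {v.lower(): v for v in values}

    def add(self, value):
        key = value.lower()
        if key in self._values:
            # A strict server rejects adding a value that already exists.
            raise ValueError("attribute or value exists: %r" % value)
        self._values[key] = value

    def delete(self, value):
        key = value.lower()
        if key not in self._values:
            raise ValueError("no such value: %r" % value)
        del self._values[key]

    def values(self):
        return sorted(self._values.values())


def case_change_mods(old, new, deletes_first):
    """Build the two modifications for replacing `old` with `new`."""
    delete, add = ("delete", old), ("add", new)
    return [delete, add] if deletes_first else [add, delete]


def apply_modifications(current_values, mods, ignore_existing_adds=False):
    """Apply mods in order and return the resulting values.

    ignore_existing_adds=True models a lenient server that silently skips
    an add of a value that is already present instead of rejecting it.
    A ValueError models the whole modify request being rejected.
    """
    attr = CaseIgnoreAttribute(current_values)
    for op, value in mods:
        if op == "add":
            try:
                attr.add(value)
            except ValueError:
                if not ignore_existing_adds:
                    raise
        else:
            attr.delete(value)
    return attr.values()


if __name__ == "__main__":
    old, new = "john doe", "John Doe"  # constructed sample values
    print("deletes first:",
          apply_modifications([old], case_change_mods(old, new, True)))
    print("adds first, lenient server:",
          apply_modifications([old], case_change_mods(old, new, False),
                              ignore_existing_adds=True))
    try:
        apply_modifications([old], case_change_mods(old, new, False))
    except ValueError as e:
        print("adds first, strict server: rejected:", e)
```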

Ping Identity Directory Server 7.0.0.0

We have just released the Ping Identity Directory Server version 7.0.0.0, along with supporting products including the Directory Proxy Server, Data Synchronization Server, and Data Metrics Server. They’re available to download at https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html.

Full release notes are available at https://documentation.pingidentity.com/pingdirectory/7.0/relnotes/, and there are a lot of enhancements, fixes, and performance improvements, but some of the most significant new features are described below.

 

Improved Encryption for Data at Rest

We have always supported TLS to protect data in transit, and we carefully select from the set of available cipher suites to ensure that we only use strong encryption, preferring forward secrecy when it’s available. We also already offered protection for data at rest in the form of whole-entry encryption, encrypted backups and LDIF exports, and encrypted changelog and replication databases. In the 7.0 release, we’re improving upon this encryption for data at rest with several enhancements, including:

  • Previously, if you wanted to enable data encryption, you had to first set up the server without encryption, create an encryption settings definition, copy that definition to all servers in the topology, and export the data to LDIF and re-import it to ensure that any existing data got encrypted. With the 7.0 release, you can easily enable data encryption during the setup process, and you can provide a passphrase to use to generate the encryption key. If you supply the same passphrase when installing all of the instances, then they’ll all use the same encryption key.
  • Previously, if you enabled data encryption, the server would encrypt entries, but indexes and certain other database metadata (for example, information needed to store data compactly) remained unencrypted. In the 7.0 release, if you enable data encryption, we now encrypt index keys and that other metadata so that no potentially sensitive data is stored in the clear.
  • It was already possible to encrypt backups and LDIF exports, but you had to explicitly indicate that they should be encrypted, and the encryption was performed using a key that was shared among servers in the topology but that wasn’t available outside of the topology. In the 7.0 release, we have the option to automatically encrypt backups and LDIF exports, and that’s enabled by default if you configure encryption at setup. You also have more control over the encryption key so that encrypted backups and LDIF exports can be used outside of the topology.
  • We now support encrypted logging. Log-related tools like search-logs, sanitize-log, and summarize-access-log have been updated to support working with encrypted logs, and the UnboundID LDAP SDK for Java has been updated to support programmatically reading and parsing encrypted log files.
  • Several other tools that support reading from and writing to files have also been updated so that they can handle encrypted files. For example, tools that support reading from or writing to LDIF files (ldapsearch, ldapmodify, ldifsearch, ldifmodify, ldif-diff, transform-ldif, validate-ldif) now support encrypted LDIF.

 

Parameterized ACIs

Our server offers a rich access control mechanism that gives you fine-grained control over who has access to what data. You can define access control rules in the configuration, but it’s also possible to store rules in the data, which ensures that they are close to the data they govern and are replicated across all servers in the topology.

In many cases, it’s possible to define a small number of access control rules at the top of the DIT that govern access to all data. But there are other types of deployments (especially multi-tenant directories) where the data is highly branched, and users in one branch should have a certain amount of access to data in their own branch but no access to data in other branches. In the past, the only way to accomplish this was to define access control rules in each of the branches. This was fine from a performance and scalability perspective, but it was a management hassle, especially when creating new branches or if it became necessary to alter the rules for all of those branches.

In the 7.0 release, parameterized ACIs address many of these concerns. Parameterized ACIs make it possible to define a pattern that is automatically interpreted across a set of entries that match the parameterized content.

For example, say your directory has an “ou=Customers,dc=example,dc=com” entry, and each customer organization has its own branch below that entry. Each of those branches might have a common structure (for example, users might be below an “ou=People” subordinate entry, and groups might be below “ou=Groups”). The structure for an Acme organization might look something like:

  • dc=example,dc=com
    • ou=Customers
      • ou=Acme
        • ou=People
          • uid=amanda.adams
          • uid=bradley.baker
          • uid=carol.collins
          • uid=darren.dennings
        • ou=Groups
          • cn=Administrators
          • cn=Password Managers

If you want to create a parameterized ACI so that members of the “cn=Password Managers,ou=Groups,ou={customerName},ou=Customers,dc=example,dc=com” group have write access to the userPassword attribute in entries below “ou=People,ou={customerName},ou=Customers,dc=example,dc=com”, you might create a parameterized ACI that looks something like the following:

(target="ldap:///ou=People,ou=($1),ou=Customers,dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl "Password Managers can manage passwords"; allow (write) groupdn="ldap:///cn=Password Managers,ou=Groups,ou=($1),ou=Customers,dc=example,dc=com";)
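
To show how one such rule keeps tenants apart, here is an added example that is not part of the server or the original post: a Python model that binds ($1) from a target entry's DN and expands the groupdn pattern with it. It assumes ($1) stands for a single RDN value, that the target covers entries at or below the pattern, and a simplified DN normalization; the function names and the second customer, Globex, are constructed for illustration.

```python
"""Illustrative model of parameterized-ACI expansion (not the server's code)."""
import re

# Target and groupdn patterns taken from the ACI in the text.
TARGET = "ou=People,ou=($1),ou=Customers,dc=example,dc=com"
GROUPDN = ("cn=Password Managers,ou=Groups,ou=($1),"
           "ou=Customers,dc=example,dc=com")

PARAM = re.compile(r"\(\$(\d+)\)")


def normalize(dn):
    """Simplified DN normalization: lowercase, trim spaces around RDNs.

    Assumption: DNs contain no escaped commas or multi-valued RDNs.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def compile_target(pattern):
    """Turn a parameterized target into a regex over normalized DNs."""
    norm = normalize(pattern)
    regex, pos, seen = "", 0, set()
    for m in PARAM.finditer(norm):
        regex += re.escape(norm[pos:m.start()])
        name = "p" + m.group(1)
        if name in seen:
            regex += "(?P=%s)" % name            # same parameter, same value
        else:
            regex += "(?P<%s>[^,=+]+)" % name    # assumed: one RDN value
            seen.add(name)
        pos = m.end()
    regex += re.escape(norm[pos:])
    # Assumed scope: the target entry itself or anything below it.
    return re.compile(r"^(?:.+,)?" + regex + "$")


def bind_parameters(target_pattern, entry_dn):
    """Return {"1": value, ...} if the entry is in scope, else None."""
    m = compile_target(target_pattern).match(normalize(entry_dn))
    if m is None:
        return None
    return {name[1:]: value for name, value in m.groupdict().items()}


def expand(pattern, params):
    """Substitute bound parameters into another pattern of the same ACI."""
    return PARAM.sub(lambda m: params[m.group(1)], normalize(pattern))


def may_write_password(entry_dn, requester_groups):
    """Model of the ACI decision for a write to userPassword."""
    params = bind_parameters(TARGET, entry_dn)
    if params is None:
        return False  # the ACI does not apply to this entry
    required_group = expand(GROUPDN, params)
    return required_group in {normalize(g) for g in requester_groups}


if __name__ == "__main__":
    acme_pm = ["cn=Password Managers,ou=Groups,ou=Acme,"
               "ou=Customers,dc=example,dc=com"]
    acme_user = ("uid=amanda.adams,ou=People,ou=Acme,"
                 "ou=Customers,dc=example,dc=com")
    globex_user = ("uid=someone,ou=People,ou=Globex,"   # constructed tenant
                   "ou=Customers,dc=example,dc=com")
    print(bind_parameters(TARGET, acme_user))
    print(may_write_password(acme_user, acme_pm))    # same tenant
    print(may_write_password(globex_user, acme_pm))  # other tenant
```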

 

Recurring Tasks

The Directory Server supports a number of different types of administrative tasks, including:

  • Backing up one or more server backends
  • Restoring a backup
  • Exporting the contents of a backend to LDIF
  • Importing data from LDIF
  • Rebuilding the contents of one or more indexes
  • Forcing a log file rotation

Administrative tasks can be scheduled to start immediately or at a specified time in the future, and you can define dependencies between tasks so that one task won’t be eligible to start until another one completes.

In previous versions, when you scheduled an administrative task, it would only run once. If you wanted to run it again, you needed to schedule it again. In the 7.0 release, we have added support for recurring tasks, which allow you to define a schedule that causes them to be processed on a regular basis. We have some pretty flexible scheduling logic that allows you to specify when they get run, and it’s able to handle things like daylight saving time and months with different numbers of days.

Although you can schedule just about any kind of task as a recurring task, we have enhanced support for backup and LDIF export tasks, since they’re among the most common types of tasks that we expect administrators will want to run on a recurring basis. For example, we have built-in retention support so that you can keep only the most recent backups or LDIF exports (based on either the number of older copies to retain or the age of those copies) so that you don’t have to manually free up disk space.

 

Equality Composite Indexes

The server offers a number of types of indexes that can help you ensure that various types of search operations can be processed as quickly as possible. For example, an equality attribute index maps each of the values for a specified attribute type to a list of the entries that contain that attribute value.

In the 7.0 release, we have introduced a new type of index called a composite index. When you configure a composite index, you need to define at least a filter pattern that describes the kinds of searches that will be indexed, and you can also define a base DN pattern that restricts the index to a specified portion of the DIT.

At present, we only support equality composite indexes, which allow you to index values for a single attribute, much like an equality attribute index. However, there are two key benefits of an equality composite index over an equality attribute index:

  • As previously stated, you can combine the filter pattern with a base DN pattern. This is very useful in directories that have a lot of branches (for example, a multi-tenant deployment) where searches are often constrained to one of those branches. By combining a filter pattern with a base DN pattern, the server can maintain smaller ID sets that are more efficient to process and more tightly scoped to the search being issued.
  • The way in which the server maintains the ID sets in a composite index is much more efficient for keys that match a very large number of entries than the way it maintains the ID set for an attribute index. In an attribute index, you can optimize for either read performance or write performance of a very large ID set, but not both. A composite index is very efficient for both reads and writes of very large ID sets.

In the future, we intend to offer support for additional types of composite indexes that can improve the performance for other types of searches. For example, we’re already working on AND composite indexes that allow you to index combinations of attributes.

 

Delegated Administration

We have added a new delegated administration web application that integrates with the Ping Identity Directory Server and Ping Federate products to allow a selected set of administrators to manage users in the directory. For example, help desk employees might use it to unlock a user’s account or reset their password. Administrators can be restricted to managing only a defined subset of users (based on things like their location in the DIT, entry content, or group membership), and also restricted to a specified set of attributes.

 

Automatic Entry Purging

In the past, our server has had limited support for automatically deleting data after a specified length of time. The LDAP changelog and the replication database can be set to purge old data, and we also support automatically purging soft-deleted entries (entries that have been deleted as far as most clients are concerned, but are really just hidden so that they can be recovered if the need arises).

With the 7.0 release, we’re exposing a new “purge expired data” plugin that can be used to automatically delete entries that match a given set of criteria. At a minimum, these criteria involve looking at a specified attribute or JSON object field whose value represents some kind of timestamp, but they can also be further restricted to entries in a specified portion of the DIT or entries matching a given filter. And it’s got rate limiting built in so that the background purging won’t interfere with client processing.

For example, say that you’ve got an application that generates data that represents some kind of short-lived token. You can create an instance of the purge expired data plugin with a base DN and filter that matches those types of entries, and configure it to delete entries with a createTimestamp value that is more than a specified length of time in the past.

 

Better Control over Unindexed Searches

Despite the variety of indexes defined in the server, there may be cases in which a client issues a search request that the server cannot use indexes to process efficiently. There are a variety of reasons that this may happen, including because there isn’t any applicable index defined in the server, because there are so many entries that match the search criteria that the server has stopped maintaining the applicable index, or because the search targets a virtual attribute that doesn’t support efficient searching.

An unindexed search can be very expensive to process because the server needs to iterate across each entry in the scope of the search to determine whether it matches the search criteria. Processing an unindexed search can tie up a worker thread for a significant length of time, so it’s important to ensure that the server only actually processes the unindexed searches that are legitimately authorized. We already required clients to have the unindexed-search privilege, limited the number of unindexed searches that can be active at any given time, and provided an option to disable unindexed searches on a per-client-connection-policy basis.

In the 7.0 release, we’ve added additional features for limiting unindexed searches. They include:

  • We’ve added support for a new “reject unindexed searches” request control that can be included in a search request to indicate that the server should reject the request if it happens to be unindexed, even if it would have otherwise been permitted. This is useful for a client that has the unindexed-search privilege but wants a measure of protection against inadvertently requesting an unindexed search.
  • We’ve added support for a new “permit unindexed searches” request control, which can be used in conjunction with a new “unindexed-search-with-control” privilege. If a client has this privilege, then only unindexed search requests that include the permit unindexed searches control will be allowed.
  • We’ve updated the client connection policy configuration to make it possible to only allow unindexed searches that include the permit unindexed searches request control, even if the requester has the unindexed-search privilege.

 

GSSAPI Improvements

The GSSAPI SASL mechanism can be used to authenticate to the Directory Server using Kerberos V. We’ve always supported this mechanism, but the 7.0 server adds a couple of improvements to that support.

First, it’s now possible for the client to request an authorization identity that is different from the authentication identity. In the past, it was only possible to use GSSAPI if the authentication identity string exactly matched the authorization identity. Now, the server will permit the authorization identity to be different from the authentication identity (although the user specified as the authentication identity must have the proxied-auth privilege if they want to be able to use a different authorization identity).

We’ve also improved support for using GSSAPI through a hardware load balancer, particularly in cases where the server uses a different FQDN than was used in the client request. This generally wasn’t an issue for the case in which a Ping Identity Directory Proxy Server was used to perform the load balancing, but it could have been a problem in some cases with hardware load balancers or other cases in which the client might connect to the server with a different name than the server thinks it’s using.

 

Tool Invocation Logging

We’ve updated our tool frameworks to add support for tool invocation logging, which can be used to record the arguments and result for any command-line tools provided with the server. By default, this feature is only enabled for tools that are likely to change the state of the server or the data contained in the server, and by default, all of those tools will use the same log file. However, you can configure which (if any) tools should be logged, and which files should be used.

Invocation logging includes two types of log messages:

  • A launch log message, which is recorded whenever the tool is first run but before it performs its actual processing. The launch log message includes the name of the tool, any arguments provided on the command line, any arguments automatically supplied from a properties file, the time the tool was run, and the username for the operating system account that ran the tool. The values of any sensitive arguments (for example, those that might be used to supply passwords) will be redacted so that information will not be recorded in the log.
  • A completion log message, which is recorded whenever the tool completes its processing, regardless of whether it completed successfully or exited with an error. This will at least include the tool’s numeric exit code, but in some cases, it might also include an exit message with additional information about the processing performed by the tool. Note that there may be some circumstances in which the completion log message may not be recorded (for example, if the tool is forcefully terminated with something like a “kill -9”).

UnboundID LDAP SDK for Java 4.0.6

We have just released the UnboundID LDAP SDK for Java version 4.0.6, available for download from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository. The most significant changes in this release include:

  • We fixed a number of issues in the way that the LDAP SDK handled characters whose UTF-8 representation requires more than two bytes (and therefore requires two Java chars to represent a single character). Issues related to these characters were found in code for matching rules, DNs and RDNs, and search filters.
  • We fixed an issue in the ldapsearch tool that could cause it to use an incorrect scope when constructing search requests from LDAP URLs that were read from a file.
  • We fixed a bug in schema handling that could arise if an object class definition did not explicitly specify an object class type (STRUCTURAL, AUXILIARY, or ABSTRACT). In some cases, the type could be incorrectly inherited from the superclass rather than assuming the default type of STRUCTURAL.
  • We updated the LDAPConnectionPool and LDAPThreadLocalConnectionPool classes to add new setServerSet and setBindRequest methods. These new methods make it possible to update an existing pool to change the logic that it uses for establishing and authenticating new connections.
  • We added a new LDAPRequest.setReferralConnector method that makes it possible to set a custom referral connector on a per-request basis. We also added a new RetainConnectExceptionReferralConnector class that makes it easier to obtain the exception (if any) that was caught on the last attempt to establish a connection for the purpose of following a referral.
  • Updated the in-memory directory server to better handle any java.lang.Errors that occur while interacting with a client connection. These kinds of errors should not happen under normal circumstances but may be generated by third-party code (for example, an InMemoryOperationInterceptor), and it is possible for the JVM to generate them in extraordinary circumstances like running out of memory. In such cases, the thread responsible for interacting with that client would exit without returning a response for the operation being processed and without closing the operation. The LDAP SDK will now attempt to return an error (if appropriate for the type of operation being processed) and close the connection.
  • Updated the manage-certificates tool to fix an incorrect interpretation of the path length element of a basic constraints extension.
  • Updated manage-certificates to add support for importing PEM-encoded RSA private keys that are not wrapped in a PKCS #8 envelope (that is, from a file whose header contains “BEGIN RSA PRIVATE KEY” instead of “BEGIN PRIVATE KEY”). Previously, it was only possible to import private keys using the PKCS #8 format.
  • Updated manage-certificates to add an --allow-sha-1-signature-for-issuer-certificates argument to the check-certificate-usability subcommand. If this argument is provided, then the tool will continue to call out issuer certificates whose signature is based on the now-considered-weak SHA-1 digest algorithm, but it will no longer cause the tool to exit with an error just because of that issue. This argument has no effect for certificates that use a signature based on the extremely weak MD5 digest, and it also does not have any effect if the certificate at the head of the chain (that is, the server certificate rather than the root certificate) has a SHA-1-based signature.
  • Added client-side support for a new “reload HTTP connection handler certificates” task that may be used in some Ping Identity server products to request that the server dynamically reload the certificate key and trust stores used by all HTTP connection handler instances that provide support for HTTPS.

CVE-2018-1000134 and the UnboundID LDAP SDK for Java

On Friday, March 16, 2018, CVE-2018-1000134 was published, describing a vulnerability in the UnboundID LDAP SDK for Java. The vulnerability has been fixed in LDAP SDK version 4.0.5, which is available for immediate download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

This post will explain the issue in detail (see the release notes for information about other changes in LDAP SDK version 4.0.5). However, to quickly determine whether your application is vulnerable, you should check to see if all of the following conditions are true:

  • You are using the LDAP SDK in synchronous mode. Although this mode is recommended for applications that do not require asynchronous functionality, the LDAP SDK does not use this mode by default.
  • You use the LDAP SDK to perform simple bind operations for the purpose of authenticating users to a directory server. This is a very common use case for LDAP-enabled applications.
  • Your application does not attempt to verify whether the user actually provided a password. This is unfortunately all too common for LDAP-enabled applications.
  • The simple bind requests are sent to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a non-empty DN and an empty password. Although this recommendation is part of the revised LDAPv3 specification published in 2006, there are apparently some directory servers that still do not follow this recommendation by default.

If your application meets all of these criteria, then you should take action immediately to protect yourself. The simplest way to fix the vulnerability in your application is to update it to use the 4.0.5 release of the LDAP SDK. However, you should also ensure that your applications properly validate all user input, and it may also be a good idea to consider switching to a more modern directory server.

The Vulnerability in LDAPv3

The original LDAPv3 protocol specification was published as RFC 2251 in December 1997. LDAPv3 is a very impressive protocol in most regards, but perhaps the most glaring problem in the specification lies in the following paragraph in section 4.2.2:

If no authentication is to be performed, then the simple authentication option MUST be chosen, and the password be of zero length. (This is often done by LDAPv2 clients.) Typically the DN is also of zero length.

It’s that word “typically” in this last sentence that has been the source of a great many vulnerabilities in LDAP-enabled applications. Usually, when you want to perform an anonymous simple bind, you provide an empty string for both the DN and the password. However, according to the letter of the specification above, you don’t have to provide an empty DN. As long as the password is empty, the server will treat it as an anonymous simple bind.

In applications that use an LDAP simple bind to authenticate users, it’s a very common practice to provide two fields on the login form: one for the username (or email address or phone number or some other kind of identifier), and one for the password. The application first performs a search to see if it can map that username to exactly one user in the directory, and if so, then it performs a simple bind with the DN of that user’s entry and the provided password. As long as the server returns a “success” response to the bind request, then the application considers the user authenticated and will grant them whatever access that user is supposed to have.

However, a problem can arise if the application just blindly takes whatever password was provided in the login form and plugs it into the simple bind request without actually checking to see whether the user provided any password at all. In such cases, if the user provided a valid username but an empty password, then the application will perform a simple bind request with a valid DN but no password. The directory server will interpret that as an anonymous simple bind and will return a success result, and the application will assume that the user is authenticated even though they didn’t actually provide any password at all.

This is such a big problem in LDAP-enabled applications that it was specifically addressed in the updated LDAPv3 specification published in June 2006. RFC 4513 section 5.1.2 states the following:

Unauthenticated Bind operations can have significant security issues (see Section 6.3.1). In particular, users intending to perform Name/Password authentication may inadvertently provide an empty password and thus cause poorly implemented clients to request Unauthenticated access. Clients SHOULD be implemented to require user selection of the Unauthenticated Authentication Mechanism by means other than user input of an empty password. Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface. Additionally, Servers SHOULD by default fail Unauthenticated Bind requests with a resultCode of unwillingToPerform.

Further, section 6.3.1 of the same RFC states:

Operational experience shows that clients can (and frequently do) misuse the unauthenticated access mechanism of the simple Bind method (see Section 5.1.2). For example, a client program might make a decision to grant access to non-directory information on the basis of successfully completing a Bind operation. LDAP server implementations may return a success response to an unauthenticated Bind request. This may erroneously leave the client with the impression that the server has successfully authenticated the identity represented by the distinguished name when in reality, an anonymous authorization state has been established. Clients that use the results from a simple Bind operation to make authorization decisions should actively detect unauthenticated Bind requests (by verifying that the supplied password is not empty) and react appropriately.

In directory servers that follow the recommendation from RFC 4513 section 5.1.2, clients can perform an anonymous simple bind by providing an empty DN and an empty password, but an attempt to bind with a non-empty DN and an empty password will be rejected. This very good recommendation was made over ten years ago, and the code change needed to implement it is probably very simple. However, for some reason, there are directory server implementations out there that haven’t been updated to follow this recommendation, and therefore leave client applications open to this inadvertent vulnerability.

The Vulnerability in the UnboundID LDAP SDK for Java

Ever since its initial release, the UnboundID LDAP SDK for Java has attempted to protect against simple bind requests that include a non-empty DN with an empty password. The LDAPConnectionOptions class provides a setBindWithDNRequiresPassword(boolean) method that you can use to indicate whether the LDAP SDK will reject a simple bind request that has a non-empty DN with an empty password. If you don’t explicitly use this option, then the LDAP SDK will assume a default value of true. If you try to send a simple bind request that includes a non-empty DN and an empty password, then the LDAP SDK won’t actually send any request to the server but will instead throw an LDAPException with a result code of ResultCode.PARAM_ERROR and a message of “Simple bind operations are not allowed to contain a bind DN without a password.”

Or at least, that’s the intended behavior. And that is the behavior that you’ll get if you send the bind request in the asynchronous mode that the LDAP SDK uses by default. However, Stanis Shkel created GitHub issue #40 (“processSync in SimpleBindRequest allows empty password with set bindDN”), which points out that this check was skipped for connections operating in synchronous mode.

LDAP is an asynchronous protocol. With a few exceptions, it’s possible to have multiple operations in progress simultaneously over the same LDAP connection. To support that asynchronous capability, the LDAP SDK maintains an extra background thread that constantly reads data from a connection and makes sure that any data sent from the server gets delivered to whichever thread is waiting for it. This is just fine most of the time, but it does come at the cost of increased resource consumption, and a small performance hit from handing off data from one thread to another. To minimize this impact for applications that don’t take advantage of the asynchronous capabilities that LDAP provides, we added a synchronous mode to the LDAP SDK way back in version 0.9.10 (released in July of 2009). In this mode, the same thread that sends a request to the server is the one that waits for and reads the response. This can provide better performance and lower resource consumption, but you have to explicitly enable it using the LDAPConnectionOptions.setUseSynchronousMode(boolean) method before establishing a connection.

In the course of implementing support for the synchronous mode for a simple bind request, we incorrectly put the check for synchronous mode before the check for an empty password. For a connection operating in synchronous mode, we branched off to another part of the code and skipped the check for an empty password. The fix for the problem was simple: move the check for an empty password above the check for synchronous mode. It was committed about three and a half hours after the issue was reported, along with a unit test to ensure that a simple bind request with a non-empty DN and an empty password is properly rejected when operating in synchronous mode (there was already a test to ensure the correct behavior in the default asynchronous mode).

Conditions Necessary for the Vulnerability

Although there was unquestionably a bug in the LDAP SDK that created the possibility for this vulnerability, there are a number of factors that could have prevented an application from being susceptible to it. Only an application that meets all of the following conditions would have been vulnerable:

  • The application must have explicitly enabled the use of synchronous mode when creating an LDAP connection or connection pool. If the application was using the default asynchronous mode, it would not have been vulnerable.
  • The application must have created simple bind requests from untrusted and unverified user input. If the application did not create simple bind requests (for example, because it did not perform binds at all, or because it used SASL authentication instead of simple), then it would not have been vulnerable. Alternately, if the application validated the user input to ensure that it would not attempt to bind with an empty password, then it would not have been vulnerable.
  • The application must have sent the simple bind request to a server that does not follow the RFC 4513 recommendations. If the server is configured to reject simple bind requests that contain a non-empty DN with an empty password, then an application communicating with that server would not have been vulnerable.

While we strongly recommend updating to LDAP SDK version 4.0.5, which no longer has the bug described in CVE-2018-1000134, we also strongly recommend ensuring that applications properly validate all user input as additional mitigation against problems like this. And if you’re using a directory server that hasn’t been updated to apply a very simple update to avoid a problem that has been well known and clearly documented for well over a decade, then perhaps you should consider updating to a directory server that takes security and standards compliance more seriously.
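
The login flow described above, written so that an empty password is refused by the application before any bind request is built, together with a check that the LDAP SDK on the classpath rejects a DN-with-empty-password bind in synchronous mode. This is an added example, not code from the LDAP SDK or from the original post; the class and method names, the uid lookup attribute, and the sample entries are assumptions, and the demo runs against the SDK's in-memory directory server.

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;

// Added example (hypothetical class name): search-then-bind login that never
// lets an empty password reach a simple bind request.
public final class SafeSimpleBindLogin {

  // Options for the connection used to verify end-user passwords.
  static LDAPConnectionOptions bindOptions(final boolean synchronousMode) {
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setUseSynchronousMode(synchronousMode);
    // true is the SDK default; setting it explicitly documents the intent.
    options.setBindWithDNRequiresPassword(true);
    return options;
  }

  // Returns the DN of the authenticated user, or null if the login is refused.
  static String authenticate(final LDAPConnection searchConn,
                             final LDAPConnection bindConn,
                             final String baseDN, final String username,
                             final String password) throws LDAPException {
    // Application-level check: refuse before any LDAP request is built.
    if (username == null || username.isEmpty()
        || password == null || password.isEmpty()) {
      return null;
    }

    // Map the username to exactly one entry. "uid" is an assumed attribute.
    // createEqualityFilter escapes the value, so it cannot alter the filter.
    final Filter filter = Filter.createEqualityFilter("uid", username);
    final SearchResult result = searchConn.search(baseDN, SearchScope.SUB,
        filter, SearchRequest.NO_ATTRIBUTES);
    if (result.getEntryCount() != 1) {
      return null;
    }
    final String userDN = result.getSearchEntries().get(0).getDN();

    try {
      bindConn.bind(userDN, password);
      return userDN;
    } catch (final LDAPException e) {
      if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
        return null;
      }
      throw e; // Connection or server problems are not a "wrong password".
    }
  }

  // True if the SDK on the classpath refuses, on this connection, a simple
  // bind with a non-empty DN and an empty password (PARAM_ERROR).
  static boolean sdkRejectsEmptyPassword(final LDAPConnection conn,
                                         final String anyDN) {
    try {
      conn.bind(anyDN, "");
      return false; // The request reached the server and was accepted.
    } catch (final LDAPException e) {
      return e.getResultCode() == ResultCode.PARAM_ERROR;
    }
  }

  public static void main(final String[] args) throws Exception {
    // Constructed sample data served by the SDK's in-memory directory server.
    final InMemoryDirectoryServer ds = new InMemoryDirectoryServer(
        new InMemoryDirectoryServerConfig("dc=example,dc=com"));
    ds.add("dn: dc=example,dc=com", "objectClass: top",
        "objectClass: domain", "dc: example");
    ds.add("dn: uid=jdoe,dc=example,dc=com", "objectClass: top",
        "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "uid: jdoe", "cn: John Doe",
        "sn: Doe", "userPassword: correct-horse");
    ds.startListening();

    final String userDN = "uid=jdoe,dc=example,dc=com";
    try (LDAPConnection searchConn = ds.getConnection();
         LDAPConnection bindConn = new LDAPConnection(bindOptions(true),
             "localhost", ds.getListenPort())) {
      System.out.println("SDK guard active in synchronous mode: "
          + sdkRejectsEmptyPassword(bindConn, userDN));
      for (final String pw : new String[] {"correct-horse", "wrong", ""}) {
        final String dn = authenticate(searchConn, bindConn,
            "dc=example,dc=com", "jdoe", pw);
        System.out.println("password '" + pw + "' -> "
            + (dn == null ? "rejected" : "authenticated as " + dn));
      }
    } finally {
      ds.shutDown(true);
    }
  }
}
```

With LDAP SDK 4.0.5 or later on the classpath the guard check should report true in synchronous mode; a version with the bug described in this post sends that bind to the server instead, which is why the application-level check in authenticate is kept regardless of SDK version.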

Movies Watched Theatrically in January 2018

Molly’s Game (2017; first-time watch) — After her hopes of being an Olympic skier are dashed, Molly Bloom (Jessica Chastain) finds herself running regular high-stakes poker games with celebrities, the rich, and the powerful. And when she’s busted by the FBI, she convinces a top attorney (Idris Elba) to defend her. Written and directed by Aaron Sorkin, it feels like a lesser effort from him, with much less snappy dialogue than I would have expected, and many elements recycled from his earlier work. Adequate, but disappointing.

Bombshell: The Hedy Lamarr Story (2017; first-time watch) — This documentary tells the largely tragic story of a woman with the odds often stacked against her. As a promising and beautiful young actress, she had to overcome the stigma of appearing in films that were too racy for her time and a string of failed marriages, but she also was saddled with an image of a dumb beauty despite conceiving an idea that became a foundation of modern wireless network communication. While it has interesting content, the film does feel a little superficial and repetitive at times.

Downsizing (2017; first-time watch) — Scientists have come up with a way to shrink humans to a height of just a couple of inches. Paul (Matt Damon) and his wife Audrey (Kristen Wiig) have decided to go through the procedure because it will allow them to live more extravagant lives, but Audrey backs out at the last minute after Paul has already downsized. She also puts him through a costly divorce, leaving him alone and broke. It’s an interesting premise, but then the film undergoes several major shifts that are increasingly dumb and boring.

Idiocracy (2006; rewatch) — Joe (Luke Wilson) and Rita (Maya Rudolph) are subjects in a human hibernation experiment that is expected to last a year, but they wake up 500 years later to a much different world. Civilization has declined so severely that they are now the most intelligent people in the world and humanity is on the brink of destruction. As a comedy, it’s very funny, but its prediction of a potential future feels like it’s turning out to be too close for comfort.

The Shape of Water (2017; first-time watch) — A secret government facility has captured an amphibious humanoid and is subjecting it to a lot of testing (performed by characters played by Michael Shannon and Michael Stuhlbarg) in the hopes that it will help unlock secrets to help the United States beat Russia in the space race. But a mute cleaning woman (Sally Hawkins) develops a special bond with the creature, and she enlists the help of her best friends (Octavia Spencer and Richard Jenkins) to hatch a plan to free it. It feels much less like a del Toro film than most of his other movies, which may be a contributing factor to me liking it a lot more than most of his other movies.

Barking Dogs Never Bite (2000; rewatch) — A graduate student hopes to become a professor, but his studies are hindered by a dog that won’t stop yapping somewhere in his apartment complex. He finds a dog and takes care of the problem, only to learn that it wasn’t the responsible animal and now he’s got the same problems plus a guilty conscience. From there, things go downhill in this very funny first film from Bong Joon-ho that features Bae Doo-na in one of her earliest roles.

Beggars of Life (1928; first-time watch) — Hoping to exchange work for breakfast, a hobo (Richard Arlen) walks into a house with an open door and discovers a dead man at the breakfast table. He then sees the man’s daughter (Louise Brooks) and learns that she killed him in self-defense while he was trying to get too familiar with her. The hobo takes pity on her and agrees to help her escape to Canada. In an attempt to avoid drawing attention to themselves, she disguises herself as a boy, but the ruse doesn’t hold up, and now she faces more of the same harassment from several other hobos. It’s great until the end, where it loses some momentum and leaves you walking out of the theater with a hint of disappointment.

I Don’t Feel at Home in This World Anymore (2017; first-time watch) — Ruth (Melanie Lynskey) is in a funk because the world is full of assholes and she’s had a run of bad luck. To top it all off, her house has been robbed, and the police are clearly not interested in finding out who did it. With the help of Tony (Elijah Wood), a weird neighbor who’s into God and martial arts, she does her own investigating and soon finds herself just getting deeper into trouble. It’s much funnier than its title would suggest, and a great first directorial effort from Macon Blair.

The Other Side of Hope (2017; first-time watch) — A Syrian refugee arrives in Finland after stowing away on a ship and decides to seek political asylum. Meanwhile, a salesman decides to try his hand at running a restaurant. Their paths cross, and they find themselves facing significant obstacles. An anticipated film from Aki Kaurismäki, the acting is good, but the story is a little flat, and it takes too long for the storylines to meet.

Deadfall (1993; rewatch) — Joe (Michael Biehn) is a con man who just lost his father Mike (James Coburn) on a job gone wrong. He learns that his father had a twin brother Lou (also Coburn) and decides to seek him out. Lou is also a con man with a plan for a big score, and Joe wants in, much to the dismay of Lou’s right-hand man Eddie (Nicolas Cage). It’s a terrible movie, but Cage’s performance is so enthusiastic and unusual that it may be worth watching just for that (although you’d probably be better off just searching for a supercut video).

I, Tonya (2017; first-time watch) — Tonya Harding (Margot Robbie) is an ice skater and Olympic hopeful, but her white trash background is hurting her both in the scores from judges and in the beatings from her husband Jeff Gillooly (Sebastian Stan). Purportedly unbeknownst to her, Jeff arranges for Nancy Kerrigan (Caitlin Carver), America’s leading female skater, to be clubbed in the knee in the hopes of keeping her out of the competition and ensuring Tonya a spot. It’s a frustrating movie that’s based on a true story but refuses to take a side in any particular version of the truth. Margot Robbie and especially Allison Janney (as Harding’s mother, LaVona) give good performances, but the movie as a whole is just mediocre.

Brimstone & Glory (2017; first-time watch) — Tultepec, Mexico is known for its fireworks. It has many fireworks factories, and they put on an impressive multi-day display during the annual San Juan de Dios festival. However, Mexico does not have the safety standards that America has, and it seems that the people of Tultepec are all complete morons because this documentary shows such ludicrous acts of stupidity as climbing a tower loaded with fireworks that have just been set off by a lightning strike and shooting off fireworks into crowds. While the film is often pretty to look at, it also demonstrates a level of stupid and careless that I just can’t get behind.

Memories of Murder (2003; rewatch) — A bunch of bumbling detectives in rural South Korea are joined by an investigator from Seoul to investigate a series of rapes and murders that seem to happen whenever it rains. Directed by Bong Joon-ho and starring Song Kang-ho, it’s a darkly terrific crime drama laced with the typical incompetent police comedy that so often frequents South Korean film.

Midnight Express (1978; first-time watch) — Billy Hayes (Brad Davis) is about to leave Turkey with his girlfriend Susan (Irene Miracle), but he gets busted at the airport with a couple of kilos of hashish strapped to his body. He’s given a harsh four-year sentence in a prison with other inmates that include John Hurt and Randy Quaid, and that is ruled by a torturous guard (Paul Smith). Hopeful that his father (Mike Kellin), lawyer, and the American ambassador will be able to reduce his sentence, Billy bides his time and tries to be an ideal inmate. But when the Turkish appeals court decides to increase the charge to trafficking and the sentence to life in prison, he decides that he needs to find his own way out. It’s a very dark film that I enjoyed a whole lot.

Scott Pilgrim vs. the World (2010; rewatch) — 22-year-old Scott Pilgrim (Michael Cera) is in a band with Stephen Stills (Mark Webber), Kim Pine (Alison Pill), and “Young” Neil Nordegraf (Johnny Simmons). He was brutally dumped over a year ago by his girlfriend Natalie “Envy” Adams (Brie Larson) and has just entered a new stage of his recovery by starting to date Knives Chau (Ellen Wong), a 17-year-old Chinese Catholic schoolgirl. But then he falls in love with Ramona Flowers (Mary Elizabeth Winstead), only to learn that if they are to date, he must fight and defeat her seven evil exes. Also featuring Kieran Culkin, Chris Evans, Brandon Routh, Jason Schwartzman, Anna Kendrick, and Aubrey Plaza, it is perhaps the best film representation of a graphic novel loaded with video game elements, not to mention an incredible movie with great comedy and an amazing soundtrack, and it remains one of my favorite movies.

The Post (2017; first-time watch) — When the New York Times runs a story exposing over a decade of presidents lying to the American people about Vietnam, the struggling Washington Post rushes to get in on the action. Unfortunately, the Times has been sued by the government for printing information from classified documents, and Post owner Kay Graham (Meryl Streep) must balance her desire to pursue the story (including great pressure from editor-in-chief Ben Bradlee, played by Tom Hanks, as well as reporters including those played by Bob Odenkirk, David Cross, Carrie Coon, and Pat Healy) with the pressure of turning the paper into a publicly-traded company, including a very nervous legal team and set of investors. It ends where All the President’s Men begins, but it tells a very different story with a very different focus. It’s a good film loaded with stars (also including Bradley Whitford, Bruce Greenwood, Sarah Paulson, Tracy Letts, Alison Brie, and Jesse Plemons), if a bit heavy-handed at times and clearly fishing for awards.

The Commuter (2018; first-time watch) — Michael (Liam Neeson) is approached by a mysterious woman (Vera Farmiga) who tells him that she wants his help in finding someone who is supposed to be taking the commuter train that he’s been riding for years. If he helps, he’ll get a lot of money. If he doesn’t, his family will be murdered. It’s basically Cellular on a train, and it sucks. It depends heavily on making obviously stupid choices, and none of the “surprises” are actually surprising.

Proud Mary (2018; first-time watch) — Mary (Taraji P. Henson) is an assassin. A year ago, she took out a father but left the son Danny (Jahi Di’Allo Winston) alive, and she’s been secretly following and watching over him out of a sense of guilt. When Danny turns to a life of crime and is beaten up by his boss, Mary intervenes, takes out the boss, and takes Danny into her apartment. But Danny’s boss was one of the higher-ups in the local mafia and a competitor to Mary’s boss Benny (Danny Glover). Amid fears that a war will break out between the two rival organizations, Mary just wants out and to get Danny safe. It’s a story that we’ve seen before, but it’s usually entertaining enough and the action scenes are directed well. Unfortunately, the ending is very weak and Danny Glover continues his streak of terrible acting.

Paddington 2 (2017; first-time watch) — Paddington’s aunt is about to turn 100 years old, and Paddington wants to get her the perfect gift. She had always dreamed of coming to London but never got the chance, so when he stumbles across a one-of-a-kind pop-up book that shows off the city, he wants to get it for her. The only trouble is, it’s very expensive so he’ll have to work to earn the money to buy it. But just before he reaches his goal, the book is stolen, and Paddington is framed for the robbery. It’s almost hard to believe how great this movie is. It’s a totally enthralling plot loaded with jokes and intelligent references, and it’s expertly executed by an amazing cast that includes Sally Hawkins, Hugh Grant, Jim Broadbent, Brendan Gleeson, Hugh Bonneville, Peter Capaldi, Imelda Staunton, Michael Gambon, Jessica Hynes, Noah Taylor, Joanna Lumley, and others.

Darkest Hour (2017; first-time watch) — While Hitler continues to overtake Europe, Neville Chamberlain (Ronald Pickup) is ousted as Prime Minister of Great Britain, and Winston Churchill (Gary Oldman) is in. Britain’s troops are in grave danger of being overtaken, and Churchill’s advisors are urging him to enter into peace talks with Germany, but he refuses to consider it despite their chances looking ever more bleak. It’s a well-acted film that provides a clearer depiction of the events and context than Dunkirk, even if the two movies have very different focuses, and the makeup job used to transform Oldman into Churchill is one of the most impressive of all time.

The Apple (1980; rewatch) — In the future, a giant music publisher called BIM rules the world. Alphie (George Gilmour) and Bibi (Catherine Mary Stewart) want to make it as musicians, but the head of BIM, Mr. Boogalow (Vladek Sheybal), has some pretty steep terms. Bibi agrees to them and becomes a star. Alphie rejects them and struggles. It’s a very clumsy and un-subtle religious allegory full of repetitive and suggestive music that is terrible and incomprehensible, but also pretty fascinating.

Days of Heaven (1978; first-time watch) — After he accidentally kills someone, Bill (Richard Gere) flees with his girlfriend Abbey (Brooke Adams) and his little sister Linda (Linda Manz) to become migrant workers. For some reason, Bill and Abbey decide to pretend to be brother and sister, and the farmer (Sam Shepard) takes a liking to Abbey. Seeing an opportunity to get rich, they decide to try to use that to their financial advantage. The film has about 20 minutes of content spread out over 94 minutes, making Days of Heaven boring as hell.

Princess Cyd (2017; first-time watch) — 16-year-old Cydney (Jessie Pinnick) and her dad have been fighting a lot lately, and he decides it might be a good idea for her to visit her aunt (his late wife’s sister) Miranda (Rebecca Spence). Miranda is a fairly well-known author without much experience taking care of a teenager, but they make a go of it. Meanwhile, Cyd meets Katie (Malic White), and it’s love at first sight. The film is so wonderfully, effortlessly charming, with terrific characters and an oddly subtle obviousness to it that allows it to make all of its points without feeling clumsy or heavy-handed.

There Will Be Blood (2007; rewatch) — Daniel Plainview (Daniel Day-Lewis) is an oil prospector whose relentless drive makes him a very wealthy baron, but at the expense of his personal relationships, including one with his adopted son, and a persistently bothersome evangelist (Paul Dano). It’s got good performances, and I suppose that it’s good, but it’s also terribly long, so it’s a good thing that this screening was cut down to 90 minutes, and that version was expertly mocked by Austin’s Master Pancake Theater comedy troupe.

Small Soldiers (1998; rewatch) — A small toy company is bought by a mega-corporation that includes a military research division. The toy designers (David Cross and Jay Mohr) are instructed to make army men who are supposed to fight aliens, but they use superpowered military chips that make the toys self-aware and go haywire. At first, young Alan (Gregory Smith) is the only one to notice, but soon his neighbor Christy (Kirsten Dunst) also becomes aware. By the time their parents (including Phil Hartman, Wendy Schaal, Kevin Dunn, and Ann Magnuson) learn the truth, they’re already in serious trouble. Directed by Joe Dante, it’s much like Gremlins in that it might appear to be for kids on the surface but is probably really more suitable for an older audience. And while it’s not nearly as good as Gremlins, Small Soldiers is still a well-made film that’s pretty fun to watch.

Coming Home (1978; first-time watch) — When her husband Bob (Bruce Dern) goes off to fight in Vietnam, Sally (Jane Fonda) decides to volunteer at a hospital on the military base. She runs into Luke (Jon Voight), who went to the same high school as she did, and who had been paralyzed in the war. Although Luke is initially very mad at the world, Sally manages to calm him down, and they become good friends, and then more. It’s not surprising that Hal Ashby can so expertly craft a film like this, with a clear message that doesn’t feel pushed down your throat, but it is surprising that he could pull off what feels like a pretty low-budget film and yet still include tons of iconic music from the time from giant groups like The Beatles and The Rolling Stones.

Call Me by Your Name (2017; first-time watch) — Oliver (Armie Hammer) is an American graduate student who has gone to Italy to work for a professor (Michael Stuhlbarg). The professor has a 17-year-old son, Elio (Timothée Chalamet), who is initially intrigued by, and then infatuated with, Oliver. While the movie is executed well, it’s also full of boredom and pretension, and it feels like everyone is trying to put on an air of sophisticated enlightenment that makes a lot of the content feel fake.

Phantom Thread (2017; first-time watch) — Reynolds (Daniel Day-Lewis) is a renowned fashion designer who is very full of himself and largely hostile to pretty much everyone else. His sister Cyril (Lesley Manville) is his right-hand man who tries to keep everyone else in line, but she often gets fed up with him. When he tires of one assistant/model/lover, Cyril suggests that he go find another, and that’s when he comes across Alma (Vicky Krieps). They have a fling that leads to her becoming his new model/assistant/muse, and she’s determined to not allow him to cut her out. It’s a surprisingly non-boring film for a fashion-themed period piece, and the ending is really what sealed the deal for me.

The Last of the Mohicans (1992; first-time watch) — Hawkeye (Daniel Day-Lewis) is a white man who was adopted as an orphaned baby by a Mohican family and raised as a member of the tribe. It’s pre-revolution America, when the British are squaring off against the French and the colonists are being pressed into service. Somehow, Hawkeye and his Mohican father and brother find themselves trying to help a pair of British sisters make it through the fighting to their father in a fort. It’s hard to think of any good movie that focuses on America in the revolutionary/pre-revolutionary period, and this certainly isn’t one of them.

The Curse of the Crying Woman (1963; first-time watch) — A woman has inherited a house, but the only problem is that it, and the woods surrounding it, are haunted and deadly to anyone who enters. One of the haunters is a so-called crying woman, whose howls can be heard every night. It’s a short and simple Mexican horror film (dubbed into English by K. Gordon Murray), but surprisingly good.

The Robot vs. the Aztec Mummy (1958; first-time watch) — Through the help of hypnosis, a doctor learns that his wife is the reincarnation of an Aztec princess, and she’s able to guide them to the tomb. That tomb is guarded by a mummy, who will relentlessly pursue any who attempt to disturb anything inside. A mad scientist wants to rob the grave, so he builds a robot to fight the mummy. It’s just over an hour long, with no hint of a robot for over 50 minutes (and much of the content repurposed from an earlier movie in the series), but the lack of quality is more than atoned for by its schlocky enjoyability.

Mom and Dad (2017; rewatch) — Kendall (Selma Blair) tries to be the perfect stay-at-home mom, but she’s frustrated by her husband Brent’s (Nicolas Cage) mid-life crisis, her teenage daughter Carly’s (Anne Winters) rebellion, and her young son Josh’s (Zackary Arthur) typical boyish curiosity and way of finding trouble. And then the world seems to be hit by some mysterious force in which parents get an uncontrollable urge to kill their own children (although not those of anyone else). Things get crazy, and Cage does what he does best in an insignificant but highly enjoyable horror comedy.

Robinson Crusoe on Mars (1964; first-time watch) — Commander Kit Draper (Paul Mantee) and Colonel Dan McReady (Adam West) are orbiting Mars when their attempt to dodge an incoming meteor causes them to crash into the planet. Draper survives, along with his monkey, but McReady does not, and now Draper is forced to deal with a limited supply of food, water, and oxygen, and no ability to communicate back to Earth. It’s like The Martian fifty years before The Martian, with less science but a pretty entertaining storyline.

Mother (2009; rewatch) — Do-joon is an adult with the mental faculties of a young child. He’s always getting into trouble, and his mother is always having to bail him out. When police find evidence that puts Do-joon at a murder scene, they just want to close the case as quickly as possible, so it’s up to his mother to prove that he’s innocent. While not quite as good as Memories of Murder, it is nonetheless another very solid crime drama from master Korean filmmaker Bong Joon-ho.

To Have and Have Not (1944; first-time watch) — Harry Morgan (Humphrey Bogart) is the captain of a fishing boat on the Caribbean island of Martinique, along with his drunken sidekick Eddie (Walter Brennan). The island is under French control, but there’s a resistance building, and Morgan is approached about using his boat to help transport key members of that resistance onto the island. He wants to stay out of it and entertain the very attractive new arrival Marie (Lauren Bacall), but circumstances beg to differ, and he finds himself being targeted by the police. It’s got a lot in common with Casablanca, not the least of which is that it’s an excellent film.

On the Beach at Night Alone (2017; first-time watch) — A former actress goes on vacation in Germany for a while, and then she returns home and meets up with some people. There’s really not much more to it than that, and it is a completely boring film with virtually no plot and even less talent on either side of the camera. It’s presented entirely in master shots with only the occasional clunky pan or zoom (which always seems to result in watching someone have a conversation with someone off screen). There’s not even a scene on the beach at night alone. It’s just pure garbage.

Blow-Up (1966; first-time watch) — Thomas (David Hemmings) is a photographer with a giant ego and little regard for others. While trying to covertly take pictures of a couple in a park, the woman (Vanessa Redgrave) asks him to stop and then is insistent on getting the film. He becomes intrigued with finding out what he might have captured and discovers something in his photos that becomes an obsession. It may take a while to get over Thomas’s grating personality, but it ultimately becomes a very good film on the level with other movies I’d rather not mention to avoid any potential spoilers.

Only the Young (2012; rewatch) — It’s a simple documentary that follows the lives of three Southern California teenagers: Garrison, Kevin, and Skye. It’s got a laid-back feel that seems to capture a lot of honest interaction, intercut with occasional sequences of confiding to the camera. I’d seen it once before and was a little put off by some of the obviously bad decisions on display, but it seems to have more to offer when revisiting it after a few years.

Sullivan’s Travels (1941; rewatch) — John Sullivan (Joel McCrea) is a director who wants to break out of comedy and do a drama about the hardships of the less fortunate. Believing that he can’t really make such a movie without experiencing that kind of life, he tries to forgo his Hollywood luxury and spend some time as a hobo. Things don’t go as well as planned, but he does meet a girl (Veronica Lake) who has failed in her shot at becoming an actress and decides to accompany him. It’s a Preston Sturges film, so of course it’s amazing, but it does feel a little more clumsy in areas than some of his other A-plus comedies like The Lady Eve, The Palm Beach Story, and The Miracle of Morgan’s Creek.

Dark Night of the Scarecrow (1981; rewatch) — Bubba (Larry Drake) is an adult with the mental faculties of a young child. Some of the townspeople, including mailman Otis Hazelrigg (Charles Durning), farmer Harless Hocker (Lane Smith), grain dealer Philby (Claude Earl Jones), and mechanic Skeeter (Robert F. Lyons), think that he’s a danger to the children, and when a girl (Tonya Crowe) gets hurt while playing with him, they jump at the chance to make sure he never hurts anyone ever again. And then they find they’re the ones who need protecting. It’s a classic made-for-TV horror movie with a fun cast, some impressive direction and camerawork, and just an overall good time.

Paper Moon (1973; rewatch) — Moses “Moze” Pray (Ryan O’Neal) is a con man who travels from town to town looking for suckers. He attends the funeral of a woman he once knew and gets roped into driving the deceased woman’s daughter, Addie (Tatum O’Neal), to some relatives the next state over. Along the way, Addie gets hooked on scamming people and proves that she’s not one to be bullied or underestimated. It’s an utterly charming film that just sucks you in and won’t relent any more than Addie will.

UnboundID LDAP SDK for Java 4.0.4

We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

There are a few noteworthy changes included in this release. The release notes go into more detail, but the highlights of these changes include:

  • We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause).
  • We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool.
  • We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process.
  • We updated the LDAP SDK’s ServerSet implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable.
  • We updated the GetEntryLDAPConnectionPoolHealthCheck class to provide support for invoking the health check after a pooled connection has been authenticated.
  • We fixed a bug in the GetEntryLDAPConnectionPoolHealthCheck class that could cause it to behave incorrectly when checking the validity of a connection after an LDAPException was caught.
  • We updated the Attribute.hasValue method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the Filter.matchesEntry method for equality filters that target similar types of attributes.
  • We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy.
  • We updated the LDAPConnectionOptions class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the LDAPConnectionOptions class can now be set via system properties.

My Favorite First-Time Watches of 2017

2017 represented a bit of a shift for me in terms of movies watched. My overall watching declined by quite a bit over previous years, and I didn’t even see a thousand movies total in the year (although I did spend quite a bit of time watching classic television and ended up seeing over a thousand TV episodes). I ended up with only 947 movies total for the year (589 in theater and 358 outside of a theater), with 609 of those being movies I’d never seen before. 338 of those first-time watches were in a theater, with 186 of them being new releases and 152 of them repertory screenings.

It feels appropriate to look back over the year and try to come up with a list of my favorite first-time watches. I think that I’d have to classify the following as my top ten new release favorites for the year (in alphabetical order; I don’t want to try ranking them):

  • 20th Century Women
  • Brigsby Bear
  • Command and Control
  • The Florida Project
  • Gilbert
  • Hidden Figures
  • Hounds of Love
  • My Life as a Zucchini
  • Thelma
  • The Transfiguration

And my eleven (I just can’t cut it down to ten) favorite first-time-watch repertory screenings would be:

  • American Movie (1999)
  • Geteven (aka Get Even aka Road to Revenge; 1993)
  • Ghost Dog: The Way of the Samurai (1999)
  • Kirikou and the Sorceress (1998)
  • Mafioso (1962)
  • Magnificent Obsession (1954)
  • The Peanut Butter Solution (1985)
  • Shoes (1916)
  • Steamboat Bill, Jr. (1928)
  • Truth or Dare?: A Critical Madness (1986)
  • The Uncanny (1977)

But in actuality, there are a lot more than these twenty-one movies that deserve to be seen, so here’s an alphabetical list of the first-time watches that are among the best or most fun new discoveries for the year, along with a brief description of each of them. Note that some of them are festival films that may not have actually been released yet so you might need to keep an eye out for them.

20th Century Women (2016) — Dorothea (Annette Bening) is a single mother who rents a couple of rooms to Abbie (Greta Gerwig) and William (Billy Crudup), and she enlists their help in raising her son without a father. It’s an excellent film that is a pure joy to watch. Full review at https://nawilson.com/2017/01/21/20th-century-women/.

78/52 (2017) — Psycho is one of the greatest films of all time, horror or otherwise, and the shower scene is its centerpiece. This documentary focuses on that one scene, both in the context of Psycho itself, as well as its impact on and influence over other films. It’s got everything you’d expect to see in a documentary of that one scene, from a breakdown of the shots to Bernard Herrmann’s score to what exactly is and isn’t shown, but it’s also full of interviews with film lovers putting it into both historical and personal context. It’s clearly a labor of love and a must-see movie for anyone who loves Psycho, Hitchcock, or film in general.

American Movie (1999) — Mark Borchardt is an aspiring filmmaker with a vision of how he wants his film to turn out and the drive to see it through. He’s currently finishing a half-hour short film called Coven that he hopes will make enough money to help him make his next movie, Northwestern. With the help of his friends and relatives, he hopes to make his dream a reality. While Mark has a highly abrasive personality and level of recklessness that I’m sure would be unbearable in real life, and while his best friend Mike is burned out and uninspired, their story makes for some tremendous entertainment.

Armored Car Robbery (1950) — Purvis (William Talman) has a plan to rob an armored car near the end of its run when it’s full of cash. It’s a great plan, and he’s very careful, but he has to use an inexperienced crew to pull it off. And that inexperience turns out to be deadly when things start to go wrong. It’s an incredible 67-minute film with no fat and a great story.

The Battle of Algiers (1966) — A film that depicts the Algerian struggle for independence against the French government, and the tactics that the French used in an attempt to quell that resistance. It’s a tremendous, powerful film that only suffers from not providing enough context for modern audiences who may not be as familiar with the Algerian rebellion as audiences at the time the film was released.

The Beguiled (2017) — During the Civil War, a student at a Virginia all-girls school happens upon a Union soldier (Colin Farrell) who has been shot in the leg. She helps him make his way to the school, where her teachers (Nicole Kidman and Kirsten Dunst) clean and stitch up the wound. After some discussion, the women decide that the best thing to do is to give him time to heal before they hand him over to be taken prisoner by the Confederate army. But that’s not exactly what happened. Full review at https://nawilson.com/2017/06/30/the-beguiled-2017/.

Brief Encounter (1945) — A loyal but bored British housewife finds herself falling in love with an out-of-town doctor whose weekly travel schedule just happens to align with hers. Despite their best efforts to the contrary, they fall in love and make their lives complicated. It’s stiff and proper but darned if it isn’t also really good.

Brigsby Bear (2017) — James (Kyle Mooney) has lived all his life alone with his parents (Mark Hamill and Jane Adams) in a survival shelter, afraid to go out into the world without a protective mask. His main source of entertainment is the television show Brigsby Bear, and he’s obsessed with it. Then he finds that his entire life has been a lie. Full review at https://nawilson.com/2017/08/11/brigsby-bear/.

Buster’s Mal Heart (2016) — Jonah (Rami Malek) worked as the nighttime concierge at a hotel, which was just about the only job he could get. He really wanted to be able to provide for his wife (Kate Lyn Sheil) and his daughter, with the hope of someday buying a house on their own property, but he just couldn’t get ahead in his dead-end job, and his body couldn’t adjust to the hours, so he wasn’t much more than a sleep-deprived zombie most of the time. Then some things happened, and he started living alone in the woods, living off the land when it was warm enough, and breaking into unoccupied vacation homes when it got too cold. And when he started calling into radio shows with his crackpot ideas about a wormhole, he picked up the nickname Buster.

I’d heard good things about this one from last year’s Fantastic Fest, and it mostly lived up to the hype. Its nonlinear structure can be a bit confusing at times, while at the same time making it much too easy to guess at least one of the film’s twists, but it’s still entertaining even when you’ve got a pretty good idea about what’s coming. Also featuring DJ Qualls and Lin Shaye.

Cameraperson (2016) — A fascinating compilation of footage shot by long-time documentary cinematographer Kirsten Johnson. The clips tend toward dark, heavy subjects like rape, torture, and genocide, so it’s certainly not an uplifting film, but it is an incredibly powerful and human look behind the scenes of documentary filmmaking. Full review at https://nawilson.com/2017/01/05/cameraperson/.

Carpinteros (aka Woodpeckers; 2017) — Julián is a new inmate in a Dominican men’s prison that is located next to a women’s prison. The men and women can communicate with each other through a kind of sign language that they’ve invented called “woodpeckering” or “pecker-talk”. Julián befriends Manaury, who has been sent to another area of the prison where he can no longer see the women’s prison and can therefore no longer communicate with his beloved Yanelly, so he enlists Julián’s help to act as an intermediary. Before long, Julián and Yanelly fall in love and Manaury isn’t happy about it. It’s an amazing film in its own right but is made all the more impressive by the fact that it was done in a real, working prison in which most of the supporting characters (including some with speaking roles) are actual inmates.

Cinderella Liberty (1973) — John (James Caan) is a sailor who’s on temporary leave because the Navy lost his records. Maggie (Marsha Mason) is a hooker who’s struggling to support herself and her mixed-race son. It’s got the wonderful, dark feel of a 70s desperation film, but it also can’t help but remind you of The Last Detail (which also came out the same year). Throw in Eli Wallach, Burt Young, Bruno Kirby, and a little bit of Dabney Coleman, and you’ve really got something.

Cold Hell (2017) — Özge is a taxi driver who can take care of herself. One night after getting home from a shift, she sees a killer in the act through her window. Except she can’t make out his face, and now he knows where she lives. What follows is an intense thriller with no downtime in which each hunts the other and Özge just can’t catch a break. The premise has been done before, but rarely this well.

Columbus (2017) — Casey (Haley Lu Richardson) is a self-taught architecture enthusiast who has chosen to stay in the relatively small city of Columbus, Indiana with her mom rather than pursue goals elsewhere like all of her friends. Jin (John Cho) is the son of a famous architect who was slated to give a talk in Columbus before collapsing and falling into a coma. They become friends and, often begrudgingly, help each other work through their issues. It’s a pretty minimal film with slow pacing, but surprisingly good. Full review at https://nawilson.com/2017/09/01/columbus/.

Command and Control (2016) — A harrowing documentary about the little-known September 1980 incident that nearly led to an atomic bomb detonation in a missile silo in Damascus, Arkansas. It includes archival footage interspersed with training video content, reenactments, and interviews with many of the people involved. Full review at https://nawilson.com/2017/01/13/command-and-control/.

Dark Night of the Scarecrow (1981) — Bubba (Larry Drake) is a mentally challenged man who acts like a child and whose best friend, Marylee (Tonya Crowe), is a little girl. Otis, Harless, Skeeter, and Philby (Charles Durning, Lane Smith, Robert F. Lyons, and Claude Earl Jones, respectively) are convinced that he’s going to do something bad to her. They kill him and get off by claiming self-defense. But then they start to die. This is a surprisingly good TV slasher with a strong cast (also including Jocelyn Brando and Alice Nunn) and terrific cinematography, sound design, and direction.

Death Warrior (1984) — Murat (Turkish superstar Cüneyt Arkin) is a police officer with advanced martial arts skills. He’s on vacation, but that ends early when an evil ninja unleashes his well-trained clan of killers on the world, kidnapping a high-ranking officer. His boss just wants to pay the ransom and hope the bad guys will go away, but Murat knows the only way to win is to take them down. It’s a very short video (only 65 minutes) from the director and star of The Man Who Saves the World (aka Turkish Star Wars), but Death Warrior somehow manages to outshine it with virtually non-stop insanity and horrible subtitles.

Der Fan (aka The Fan aka Trance; 1982) — Simone (Désirée Nosbusch) is obsessed with German pop singer R (Bodo Steiger). She’s written him several letters and has all but ruined her academic life by frequently skipping school to wait for the mailman in hopes of a reply, and by a complete lack of concentration when she does make it to class. When it becomes clear that her parents won’t continue to put up with her behavior, she runs away and actually gets the chance to meet him. But things don’t go in quite the way she had envisioned. It’s a good movie that is fairly predictable until the end, where it goes off the rails in a pretty enjoyable way.

Divorce Italian Style (1961) — Ferdinando (Marcello Mastroianni) is married to Rosalia (Daniela Rocca). It’s not a happy marriage, and he really wants to get with his 16-year-old cousin, Angela (Stefania Sandrelli). But this is Italy, and divorce is illegal. Ferdinando decides that his only way out is to kill Rosalia, but he doesn’t want to go to jail for too long. To get the lightest sentence possible, he’ll have to catch her cheating on him, which means that he’ll have to find a way to make her cheat on him. It’s both ridiculous and hilarious, and it’s an intelligent comedy with jokes that run the gamut from highbrow to lowbrow. And speaking of brows, Rosalia only has one, and it goes well with her mustache.

The Duellists (1977) — Feraud (Harvey Keitel) is an officer in Napoleon’s army, and he loves swordfighting. But when he picks a fight with the mayor’s nephew, fellow officer d’Hubert (Keith Carradine) is sent to arrest him. Feraud doesn’t like this, so he picks a fight with d’Hubert. Feraud loses this fight, but doesn’t take it well and continues to challenge d’Hubert at every opportunity over the course of their lives. It’s the kind of film that should be mind-numbingly boring, and yet it’s somehow captivating, even through its Frenchiest and most periody scenes.

Fists of the White Lotus (aka The Clan of the White Lotus; 1980) — After the members of the White Lotus Clan destroy the Shaolin Temple and kill its master, two of the remaining Shaolin students, brothers-in-law, kill the head of the White Lotus Clan. So the White Lotus retaliates, killing one of the Shaolin students, leaving the other to seek further revenge while caring for his widowed pregnant sister. But his attempts at revenge keep failing because his technique can’t touch that of the White Lotus master. It’s an incredible film that pulls off the rare feat of having multiple endings without feeling like it goes on too long.

The Fog of War (2003) — Errol Morris interviews Robert McNamara about his experiences as Secretary of Defense under Presidents Kennedy and Johnson. It’s mostly a simple talking head documentary often showing McNamara in close-up, and mostly responding to questions and prompts that are withheld from the audience, but it is engaging and fascinating and offers great insight into the state of the world around the time of the Vietnam War.

Geteven (aka Get Even aka Road to Revenge; 1993) — Normad (William Smith), Huck Finney (Wings Hauser), and Rick Bode (writer/director/producer/singer/songwriter John De Hart) are police officers. But when Normad frames Huck and Rick for selling drugs, he’s promoted to judge, and they’re kicked off the force and get jobs as limo drivers. Normad is also the leader of a satanic cult in which Rick’s former girlfriend (Pamela Jean Bryant) was a member until she freaked out and returned to Rick when they sacrificed a human baby. Now Normad and his fellow cult members are after her, while Rick and Huck still hold a grudge against Normad for his past and ongoing shenanigans. No one would ever call this a good movie in the classical sense, but it is far more entertaining than the vast majority of classically good movies.

Ghost Dog: The Way of the Samurai (1999) — Ghost Dog (Forest Whitaker) loves birds and samurai stuff. When he was younger, a mobster named Louie (John Tormey) helped him out, and Ghost Dog felt indebted to him. Since then, he’s become a master assassin. Now, another mobster has been messing around with Louise (Tricia Vessey), the daughter of the big boss, Ray (Henry Silva). Ray tells Louie to take out the thug, and Ghost Dog handles it. But since the guy was also a mobster, they couldn’t let his murder go unpunished, and now Ghost Dog has become the scapegoat. It’s surprisingly good for a rap-infused modern samurai tale, but then again it’s directed by Jim Jarmusch, so maybe that shouldn’t be a surprise after all.

Gifted (2017) — Mary Adler (played by McKenna Grace) is a mathematical genius, just like her mother, Diane, was before she committed suicide. So Mary now lives with her uncle Frank (Chris Evans), who occasionally gets a little help raising her from his landlord Roberta (Octavia Spencer). Frank wants Mary to be well-rounded, so he sends her to public school where her teacher Bonnie (Jenny Slate) quickly recognizes her abilities and inadvertently sets off a chain of events that leads to a bitter custody battle between Frank and his mother Evelyn (Lindsay Duncan). It sounds like it should be Oscar bait, but the incredible performances elevate the somewhat ordinary story into something pretty special. Full review at https://nawilson.com/2017/04/14/gifted/.

Gilbert (2017) — Gilbert Gottfried is a comedian with an abrasive voice and, frequently, an equally abrasive act. He’s vulgar and insensitive and doesn’t consider anything out of bounds. But at home, he’s different. He’s got a sweet, loving wife and two cute kids. He’s got two sisters that he visits on an almost daily basis when he’s not traveling. And to call him frugal would be an understatement. This totally engrossing documentary shows him at home and on the road, and it’s mostly hilarious in appropriate and inappropriate ways, but it’s also very personal and touching. It’s the kind of film that few people might want, but everyone will love.

The Golem: How He Came into the World (1920) — A rabbi creates a large man out of clay and brings it to life with a magic amulet. He hopes to use the golem to protect the Jewish people from the oppressive rulers. He has some success, but he also doesn’t have as much control over the golem as he would like. It’s like a German expressionist precursor to Frankenstein, and it’s not quite as amazing as the later James Whale film, but it’s still an impressive under-seen work.

Hell’s Half Acre (1954) — Donna Williams (played by Evelyn Keyes) lost her husband Richard when the Japanese bombed Pearl Harbor. But she never really accepted it, and nearly a dozen years later, she has reason to believe that he’s still alive, living in Hawaii under the name Chet Chester (played by Wendell Corey), and that he’s been arrested for murder. She goes to see him and finds herself caught in the middle between cops, criminals, and the man who might be her husband. Aside from some old-fashioned racism masquerading as comedy, it’s a terrific, tightly-paced Hawaiian noir film with a lot of surprises.

Hidden Figures (2016) — An inspirational dramatization of the true stories of three African-American women (Katherine Goble-Johnson, Mary Jackson, and Dorothy Vaughan, played by Taraji P. Henson, Janelle Monáe, and Octavia Spencer, respectively) who were critical to the success of NASA in the 1960s and beyond, in spite of their color and their gender. Full review at https://nawilson.com/2017/01/08/hidden-figures/.

High Sierra (1941) — Roy Earle (Humphrey Bogart) has just gotten out of jail, and he’s called to California for a heist. He’s going to help rob the safe of a posh resort hotel during its busy season. He’s paired up with a couple of inexperienced accomplices, and one of them brings Marie (Ida Lupino) for companionship while they plan. She’s immediately smitten with Roy, but he’s got feelings for a young girl, Velma (played by Joan Leslie; her grandfather was played by Henry Travers) that he met on the drive out. It’s a very good film with an ending that’s probably the best they could do given the restrictions of the Hollywood production code, and several scenes were stolen by Bogart’s own dog in the role of Pard.

Hitchcock/Truffaut (2015) — In the 1960s, budding French New Wave director François Truffaut was granted an extensive interview with master filmmaker Alfred Hitchcock, who was nearing the end of his career. The result of that interview was published as a book that became an essential reference for filmmakers and movie enthusiasts, and that book spawned a documentary in which a number of modern directors (David Fincher, Paul Schrader, Martin Scorsese, James Gray, Richard Linklater, Peter Bogdanovich, Olivier Assayas, Arnaud Desplechin, Kiyoshi Kurosawa, and unfortunately Wes Anderson) discuss the book and more generally the effect and influence that Hitchcock’s films had on their lives as film fans and their careers as filmmakers.

Hounds of Love (2016) — Vicki is a high school student who has just been kidnapped by John and Evelyn. They intend to use her for their own sexual gratification, then kill her and hide the body, like they’ve done before. It’s a highly uncomfortable movie, with a lot of intensity and some great cinematography. It’s not always easy to watch but is definitely worth seeing. Full review at https://nawilson.com/2017/05/14/hounds-of-love/.

I Am Not Your Negro (2016) — A powerful documentary/autobiography about race in America in the 1960s, and throughout the nation’s history, through the writing and speech of James Baldwin. Baldwin may be less known than his contemporaries like Martin Luther King, Jr., Malcolm X, and Medgar Evers, but seems even more eloquent, logical, calm, and compelling. Full review at https://nawilson.com/2017/02/02/i-am-not-your-negro/.

Il Boom (aka The Boom; 1963) — Giovanni Alberti is in debt. He’s surrounded by wealthy people and wants to seem like he’s one of them, but he spends more than he makes and now a loan is coming due with no way for him to repay it. Then the wife of a very rich friend makes him an interesting offer that could mean the end to his financial trouble. From The Bicycle Thief director Vittorio De Sica and Mafioso star Alberto Sordi, it’s a light, fun film that for some reason is only just now getting a release in the United States.

Jezebel (1938) — Julie (Bette Davis) is in love with Preston (Henry Fonda), but she keeps pushing him away. He’s a successful banker, and on one trip to New York, he comes back with a new wife (Margaret Lindsay). Now Julie is extremely jealous and spiteful, and it doesn’t help things that looming war and raging yellow fever have both afflicted 1850s Louisiana. In the hands of lesser actors, this probably would have been just another boring period film, but Davis, Fonda, and director William Wyler transform it into something special.

Kansas City Confidential (1952) — A former police chief (Preston Foster) resents being forced out of his job, and he puts together a plan to rob an armored car, get himself rich, and get rid of some nasty criminals (played by Jack Elam, Lee Van Cleef, and Neville Brand) in the process. He’s careful to wear a mask when he meets each of them, and they all wear masks whenever they’re together, so only he knows their identities, and they don’t know each other. The job goes off without a hitch, and they manage to frame an ex-con who’s now a delivery driver (John Payne) for a flower shop. The police eventually have to let him go for lack of evidence but still think that he did it, so it’s up to the driver to find the real culprits so that he can save himself. It’s a highly original and very clever story that keeps you on your toes even though you’re in on everything that’s happening.

The Killing of a Sacred Deer (2017) — Steven (Colin Farrell), a cardiac surgeon, befriends Martin (Barry Keoghan), the son of a man who died on his operating table a couple of years ago. Martin starts demanding more of Steven’s time, and tries to make himself part of the family, including Steven’s wife Anna (Nicole Kidman) and children Kim (Raffey Cassidy) and Bob (Sunny Suljic). When Steven starts to push back against Martin, and to avoid advances from Martin’s mother (Alicia Silverstone), Martin starts to become less friendly. It’s a really good film that doesn’t try to offer any explanation for the things that are happening, but sucks you in nonetheless.

Kirikou and the Sorceress (1998) — After Kirikou crawls out of his mother and into the world, he learns that his village is under siege by an evil sorceress. She’s taken nearly all of their men, stolen all their gold, and dried up their water supply. Tiny Kirikou decides that he needs to do something about it. It’s an incredible animated film based on an African folk tale that crams so much comedy, creativity, and charm into a very tight 74 minutes. It’s a crime that it’s such a little-known film.

Last Flag Flying (2017) — Shortly after losing his wife to cancer, Larry “Doc” Shepherd (Steve Carell) learns that his son was killed during a military tour in Iraq. Larry seeks out his old Vietnam War pals, Sal (Bryan Cranston) and Mueller (Laurence Fishburne) to accompany him on the trip to retrieve his son’s body and see that he’s given a proper burial. It’s a terrific film with amazing genuine performances that finds the perfect balance of grief and humor so that it’s serious when it needs to be but isn’t a complete downer.

Lisa (1989) — Lisa (Staci Keanan) doesn’t have any family other than her mother Katherine (Cheryl Ladd), who has always been overprotective and doesn’t want Lisa to start dating until she’s sixteen. But Lisa is fourteen, and she doesn’t like that idea, especially since her best friend Wendy (Tanya Fenmore) is already dating. One day, she happens to meet an attractive man (D.W. Moffett) on the street. She finds out who he is and starts having seductive phone conversations with him, without him knowing who she is. The only problem is that Lisa doesn’t know that he’s the serial killer who has been terrorizing the neighborhood.

The Little Girl Who Lives Down the Lane (1976) — Rynn (Jodie Foster) lives with her father in a small town. Or that’s what she wants people to think. Her father died several months ago, and she’s trying to live on her own without drawing too much attention to herself. She’s doing a pretty good job of it until her landlord’s perverted son (Martin Sheen) decides that he has to have her, and until she befriends a boy magician (Scott Jacoby) who wants to help make her troubles disappear.

Lost in Paris (2016) — Fiona is a Canadian woman who receives a letter from her elderly aunt Martha, who lives in Paris. She’s not doing so well, and they want to put her in a home. Fiona heads off to Paris to try to meet her, only to get no response when she rings at her apartment. An unfortunate encounter with the Seine river leaves her with only the wet clothes on her back—no money, no passport, and no luggage.

It’s a surprisingly light and whimsical film given its somewhat dark subject matter. It feels like it’s going for a Wes Anderson sort of vibe, but fortunately, it fails at that because it’s not the worst thing ever made. Not all of the comedy works as well as I’d like, and the “Fiona and Martha are constantly missing each other” gags do get a bit tiresome, but it’s still an enjoyable film that’s worth checking out.

Mafioso (1962) — Antonio “Nino” Badalamenti lives in Milan, but he’s taking his wife and children on vacation to visit his relatives in his Sicilian homeland. He instantly feels right at home, but his wife is very much a fish out of water, in a very funny Ellen Griswold sort of way. His boss in Milan asked Nino to deliver a package to Don Vincenzo, a very powerful and respected man (with obvious ties to the mafia) in Sicily. Nino soon finds himself faced with an offer he can’t refuse. Hilarious at the beginning, serious at the end, and terrific throughout.

Magnificent Obsession (1954) — Millionaire playboy Bob Merrick (Rock Hudson) is showing off his high-speed boat for a girl when he gets into an accident that nearly kills him. Fortunately, Dr. Phillips lives across the lake, and he has a resuscitator at his house that the police are able to take and use to save Merrick’s life. Unfortunately, the reason that Dr. Phillips has the resuscitator is that he’s also in need of it, and he dies as a result of an attack that he suffers when it’s being used on Merrick. When Merrick learns of this, he wants to help the widow, Helen Phillips (Jane Wyman), but his attempts are at first rejected, and later even have more dire consequences. So Merrick devotes his life to secretly helping Helen. The movie often feels cheesy and exaggerated, but it’s also thoroughly wonderful and highly effective at making you feel things.

Mayhem (2017) — Derek Cho is a lawyer who’s doing a very good job at moving up the ladder at his firm, especially after his instrumental work in helping a big client beat a murder rap. But office politics are very serious business, and the people at the top don’t have any qualms about stepping on the people beneath them. When one of his superiors screws up, Derek finds himself the scapegoat, and he’s fired without much hesitation. But before he can be kicked out, the building is quarantined as a result of a viral infection that puts emotional reactions on overdrive. The building is overrun with fighting and violence, and, in the midst of that, Derek is determined to make his way to the top floor so he can help the executives see the error of their ways. Along the way, he’s accompanied by an angry woman who also feels that she’s been mistreated by the firm, but since he’s been her main point of contact with the company, her ire is directed as strongly at him as it is at anything else.

This is what The Belko Experiment should have been. Mayhem is a highly violent film in an office building, but it’s not as predictable or as stupid as Belko. It’s very funny, full of action, and loaded with gore, but not so stupid that it becomes hard to swallow. This is one I look forward to revisiting, and I hope I get the chance to do so in the near future.

Mom and Dad (2017) — Something is causing parents to attack and try to kill their children. It only applies to their own children; they’re indifferent to, or perhaps even protective of, other people’s children as long as they don’t get in the way. Nicolas Cage and Selma Blair just happen to be the parents of two of those kids, and they succumb to those urges. It’s an immensely fun movie overall, but Nicolas Cage going full-on Nicolas Cage at many points throughout the film really gives it that additional push of awesomeness.

My Life as a Zucchini (2016) — Zucchini’s dad is a womanizer who’s not around any more. His mom is a drunk who dies in an accident. So he’s hauled off to live in a group home with several other kids who haven’t had the best luck in their lives so far, either. There’s some bullying at first, but soon they become great friends who stick up for each other. Then Camille shows up, and it’s love at first sight for Zucchini.

This one surprised me. The claymation is done very well, and the story is surprisingly deep. It gets very dark at times, especially when dealing with some of the things the kids have been through, but then it can turn on a dime to become sweet and uplifting. It works on just about every level, its pacing is tight, and it might just leave you with some emotions.

Not of This Earth (1988) — An alien (Arthur Roberts) comes to Earth in search of blood. He goes to Dr. Rochelle (Ace Mask) for a transfusion and ends up hiring his nurse (Traci Lords) to administer the daily treatments. As strange things happen, the humans around the alien start to get suspicious. It’s a very dumb movie made on a very tight schedule that’s loaded with unnecessary nudity and cheesy effects, but it is thoroughly entertaining and right up my alley.

Notes on Blindness (2016) — When John Hull found himself going blind in the early 1980s, he began to capture his feelings and experiences on audio cassettes. The filmmakers hired actors to portray John, his wife Marilyn, and their children, with most of the dialogue taken from John’s tapes and lip-synced by the actors. Full review at https://nawilson.com/2017/01/23/notes-on-blindness/.

Offside (2006) — Controversial Iranian director Jafar Panahi provides us with this simple but very powerful film that focuses on a handful of girls caught trying to sneak into a soccer game. Women aren’t allowed in the stadium, purportedly because they might hear men swear, but really for no good reason. Through a series of interactions between the girls and the soldiers ordered to guard them, Panahi questions this practice to such an extent that it (in conjunction with other films he’d made in the past) got him banned from making films by the Iranian government. Fortunately, that didn’t stop him, and he’s continued to make films, like Taxi, that are every bit as good and continue to question the Iranian status quo.

Open Secret (1948) — A small town is plagued by a secret society intent on eliminating, or at least heavily oppressing, the Jewish population. A newlywed couple gets mixed up in this as they come to visit a friend only to find that he has been kidnapped. The more they investigate, the darker things get. A tight 68 minutes, it was very bold and timely for its release in 1948, and it still feels that way today.

The Peanut Butter Solution (1985) — When a fire breaks out in an abandoned house and kills a couple of homeless people, a young kid named Michael is intent on looking into that house. He sees something so scary that his hair falls out and he’s stricken with embarrassment. But the spirit of one of the deceased appears to him and gives him the recipe for a concoction that should allow him to regrow his hair. But he doesn’t follow the recipe exactly and ends up with hair that just won’t stop growing. It just gets weirder from there and turns into one of the greatest things to have ever come out of Canada.

Raiders of the Sacred Stone (aka Shalimar; 1978) — An old master thief (Rex Harrison) has brought four other top thieves (one of whom is a mute John Saxon who only communicates through sign language) to tell them that he has stolen a giant ruby, and to invite them to try to claim the title of world’s greatest thief by stealing it from him. They’ll have to defeat his advanced security system and outwit his army of devoted guards to do it. It’s a Bollywood attempt at making a movie suitable for American audiences, featuring American actors and a 90-minute cut with no musical numbers, but it was a flop because it’s a terrible movie. But it’s also terribly entertaining because of the ridiculous situations and characters, the defense measures, and the plans the thieves hatch to try to get around them.

Radius (2017) — A man wakes up next to a crashed vehicle with a head injury and no memory of who he is. His driver’s license gives him his name (Liam) and address, and he starts to make his way from the remote crash site back to civilization. But he soon learns that all people and animals around him die if he gets too close. Except for another woman, who claims she was also in the crash and also has amnesia but no ID to tell her who she is. For some reason, her presence suppresses whatever force causes everyone to die. The police work out that Liam is somehow connected to the deaths of many people he came in contact with before working out what was going on, so Liam and Jane Doe must work together to figure out who they are, what happened, and what to do about it before the police catch up to them and separate them. It’s a really well-done film with a kind of sci-fi that’s right up my alley.

Salon Mexico (1949) — Mercedes Gómez works at a dance hall, entertaining men and doing whatever she can (legally and otherwise) to earn enough money to help put her younger sister Beatriz through boarding school. After winning a dance contest, her gangster partner Paco refused to give her any of the winnings, so she stole it from him while he slept. This upset Paco very much, but it also drew the attention of local police officer Lupe, who learned why she took the money and felt tremendous respect for the sacrifices she was willing to make for her sister. It’s a wonderful film that is as tragic as it is engaging.

Saturn 3 (1980) — Adam and Alex (Kirk Douglas and Farrah Fawcett) are the only two people on Saturn 3, a space station intended to produce food to help sustain Earth’s population. They’re not producing as much as they could, so they’re sent help in the way of Benson (Harvey Keitel) and his robot Hector. Hector has a human brain that was raised in a laboratory and was a blank slate until Benson started teaching it by connecting it to his brain. But Benson isn’t exactly mentally stable, so the robot isn’t either. It’s a thoroughly entertaining film that only suffers because it keeps going after a great ending to have two more endings that are progressively weaker.

Sequence Break (2016) — Osgood (aka Oz, played by Chase Williamson) is a whiz at restoring and fixing old arcade games. Not only does it provide him with a job that he loves, but it also introduced him to his nerdy, game-loving girlfriend, Tess (Fabianne Therese). Then one day Oz finds a mysterious circuit board for a game that becomes a life-changing experience.

This movie is very much The Bishop of Battle (a segment in the Nightmares horror anthology) crossed with eXistenZ. I like both of those things a lot, and that probably has something to do with why I liked Sequence Break so much. It doesn’t seem like it knows how to end, so it does go a bit too far into the Cronenbergy end of the spectrum before copping out with a kind of “mega happy ending” a la Wayne’s World, but by that point I’d already been so won over by everything prior that the end didn’t diminish my enjoyment all that much.

Shoes (1916) — An utterly devastating film with a dead-simple plot: a young woman (played by Mary MacLaren) must work to support her deadbeat father, her mother, and her three sisters, and doesn’t have the money to buy the new shoes that she desperately needs. It manages to overcome so many obstacles to become something more engrossing than just about any other film I’ve encountered. Full review at https://nawilson.com/2017/02/20/shoes-1916/.

Small Crimes (2017) — Joe (Nikolaj Coster-Waldau) is a former cop who found himself in debt to the wrong people, which led to him doing things he shouldn’t have done. He’s just gotten out of prison and is living at home with his parents (Robert Forster and Jacki Weaver). He thinks he’s done with that life, but others feel differently. Also featuring Gary Cole, Molly Parker, Macon Blair, and Pat Healy.

It’s hard to describe the film in much more detail without giving too much away, and it’s really a joy to discover the film as it unfolds. It mostly works, although there are a couple of times when it relies a little too heavily on coincidence. It’s worth seeing in a theater if you get the chance, and I’m glad that I did because after its festival run, it’s likely to only be available on Netflix, and you shouldn’t give them your money because they give it to Adam Sandler so that he can keep making movies.

The Square (2017) — Christian (Claes Bang) is the head curator at a large museum in Stockholm. They’re getting a new exhibit called “The Square”, which is simply a square on the ground whose perimeter is framed in lights. It’s supposed to represent a “be nice to each other” zone, and they’re having trouble figuring out how to market it. Meanwhile, he’s also confronted with other problems, like having his wallet and phone stolen, having a one-night stand with a reporter (Elisabeth Moss) who doesn’t think it was a one-night stand, coordinating a performance art installation featuring a man acting like an animal, and being a part-time father to his two daughters. It’s the latest comedy by Ruben Östlund, and it’s both funnier and more effective than Force Majeure.

Steamboat Bill, Jr. (1928) — Haggard, longtime captain William “Steamboat Bill” Canfield (Ernest Torrence) and his foppish, recent-college-graduate son William Jr. (Buster Keaton) are trying to keep their business afloat after wealthy businessman J.J. King (Tom McGuire) decides he wants to get into steamboating and buys a bigger and better boat for himself. Meanwhile, Bill Jr. and King’s daughter Kitty (Marion Byron) know each other from school and are sweet on each other, but their fathers don’t want them to have anything to do with each other. It’s mostly a very funny Romeo and Juliet-type story, but then it really changes gears and amps up the physical comedy in the finale with some truly impressive stunts. While not as well known as The General, it’s every bit as good.

The Sugarland Express (1974) — Lou Jean (Goldie Hawn) and her husband Clovis (William Atherton) both have criminal records, and Clovis is currently finishing up the tail end of his sentence in a minimum security facility. Lou Jean has lost custody of her baby, so she helps break Clovis out so that they can go take their baby back. They’re soon stopped by a police officer (Michael Sacks), but they take him hostage and lead a swarm of police and onlookers on a low-speed chase across the state. It’s Spielberg’s first theatrical film, and it’s like he foresaw the infamous OJ Simpson car chase, or maybe it’s a little of Smokey and the Bandit meets The Legend of Billie Jean. At any rate, it’s mostly a very lighthearted film but effortlessly becomes serious when the need arises.

Super Dark Times (2017) — Zach and Josh are best friends. They’re hanging out with acquaintances Charlie and Daryl when it comes out that Zach’s older brother, who’s joined the Marines and moved away, has a sword in his old room. The boys get the sword and go outside to engage in some ill-advised horseplay, which ends in Daryl getting accidentally stabbed and killed. The other three hide the body and make a pact to keep it a secret. But they still have to deal with the knowledge of what happened. Each of them does that poorly in his own way. It is indeed a dark time, but one well worth seeing for the performances and the conclusion.

The Sword and the Claw (aka Lionman aka Kiliç Aslan; 1975) — King Solomon is killed in a coup, but his very pregnant wife escapes for long enough to give birth to a son. She dies in childbirth, and the boy is raised by lions. When he’s grown, he has super strength and a deadly grip, and he gets involved in the fight to recover the throne. On one hand, it’s a typical Turkish film, with really low production values, the best kind of awful dubbing, and a soundtrack lifted from Spartacus. But on the other, it takes some legitimately interesting turns and does much more than the bare minimum with its plot. It may not be great art, but it’s highly entertaining.

Tampopo (1985) — A woman who owns a small ramen restaurant gets a truck driver to help her improve her food. Their quest to create the perfect broth, noodles, pork, and other components is frequently interrupted with a number of food-related tangents. It’s very funny and thoroughly enjoyable.

Teenage Gang Debs (1966) — Terry (Diane Conti) is a very assertive and very manipulative girl who’s just moved from Manhattan to Brooklyn. She’s fallen in with a local gang, the Rebels, and she goes right after the president, Johnny (John Batis), ousting his current girl. But she soon decides that she doesn’t like him, so she goes to Nino (Joey Naudic) and convinces him to drop his girl and take out Johnny so he can become the new president. At that point, it’s pretty obvious who’s really calling the shots, and it’s pretty obvious how the movie is going to end. But even with the predictable plot and the excessive amount of padding required to reach even a 75-minute runtime, it’s a highly enjoyable movie. Much of that is actually due to the padding, which includes a lot of 60s dancing, especially a karate dance to a song called “The Black Belt” that enumerates the levels needed to reach martial arts mastery.

Tender Mercies (1983) — Mac Sledge (Robert Duvall) used to be a famous singer/songwriter, married to famous singer Dixie (Betty Buckley). Then his drinking got out of control, and he lost his wife and his musical career. It took several more years for him to hit rock bottom, but when that finally happened, it was at a tiny, rural Texas hotel owned by Rosa Lee (Tess Harper). She took pity on Mac and hired him to help out around the hotel. He began to get his life back together, began to explore his musical options, and began to explore the possibility of life with Rosa Lee. It’s a simple film, but everything about it works, and it doesn’t always go where you’d expect.

Thelma (2017) — Thelma grew up with an overprotective, devoutly Christian family, but now she’s going away to college for the first time. But just as she’s getting her first tastes of freedom and temptation, and just when it looks like she might start making friends, she has a seizure. Then she has more of them. While doctors try to figure out why she’s having them, Thelma learns more about her past and her family. It’s a terrific film that captivates you right from the opening scene and easily holds your attention throughout.

There’s Always Tomorrow (1956) — A married man is tempted when an old flame re-enters his life, to the great dismay of his children. It’s a Douglas Sirk film starring Fred MacMurray and Barbara Stanwyck, and that’s really all you need to know.

Three Billboards outside Ebbing, Missouri (2017) — Frustrated with the police department’s lack of results in solving her daughter’s murder, Mildred Hayes (Frances McDormand) rents three billboards calling out Chief Willoughby (Woody Harrelson) in the hopes that it will rile them up into something that might lead to a break in the case. But it makes a lot of people mad, including officer Jason Dixon (Sam Rockwell), and they seek retaliation. What follows is an intricate, unexpected, and exceptional drama from writer/director Martin McDonagh.

The Transfiguration (2016) — Milo lives with his older brother Lewis in a poor New York neighborhood. Their parents are dead (their father through sickness and their mother by suicide), so they’re left to fend for themselves, which leads to Milo often being bullied. Milo is obsessed with vampire movies and lore, and he really wants to become a vampire himself, but his attempts thus far haven’t been all that successful. Then he meets Sophie, a new girl who’s moved into his building to live with her abusive grandfather.

This film reminds me a lot of Park Chan-wook’s Thirst in that it’s primarily a drama, and although vampirism is a key part of the film, it’s actually pretty incidental to the plot most of the time. The way that Milo is treated by others, and his relationship with Sophie, have almost nothing to do with vampires and would have been just as at home in a film that didn’t use the V word at all. But the way that it does incorporate that subject into its plot works really well and makes it all the more meaningful when it is necessary.

Truth or Dare?: A Critical Madness (1986) — Mike Strauber had a bad experience playing “truth or dare” as a kid that led to him being committed to an asylum for a while. But he’s much better now. Or at least he was until he caught his wife cheating on him with his best friend. Now he’s lost a lot of sanity, and a lot of people have to die. This film provides nonstop exhilaration resulting from its unpredictability, enthusiasm, effects, and theme song.

The Uncanny (1977) — An author (Peter Cushing) has written a book warning of the dangers of cats and is trying to sell it to a publisher (Ray Milland), and tells three cautionary tales. A wealthy old woman is killed just after changing her will, and her horde of cats make sure the guilty parties don’t get away. A recently orphaned little girl (Katrina Holden Bronson, daughter of Charles Bronson and Jill Ireland) turns to witchcraft after her jealous cousin tries to get her aunt and uncle to take her cat away. An actor (Donald Pleasence) kills his wife in an on-set “accident” and immediately convinces the producer (John Vernon) to re-cast his girlfriend (Samantha Eggar), but didn’t count on his wife’s cat seeking revenge. It’s very over the top and makes for the best kind of bad movie.

Ugetsu (1953) — Genjurô makes pottery. He’s gotten a taste of wealth and has become very greedy for more. His friend Tôbei is intent on becoming a samurai and is very happy to help Genjurô with his pottery and earn money on the side to help buy weapons and armor. Both become successful, but at the expense of their families. It’s a beautiful film, and it’s hard to describe in more detail without spoiling anything.

Violent Saturday (1955) — Three men (Stephen McNally, Lee Marvin, and J. Carrol Naish) plan to rob a bank in a small mining town and make their escape to a nearby Amish farm (run by Ernest Borgnine), where they can hide out and switch vehicles. They find themselves in the midst of a great deal of drama, including competition between the mining company boss (Richard Egan) and his second in command (Victor Mature), between the bank manager (Tommy Noonan) and a nurse (Virginia Leith), and a prim librarian (Sylvia Sidney) in financial difficulty. It’s an intricate soap-opera-esque melodrama meant to compete with the excellent films of Douglas Sirk, and it does an admirable job of it.

Who Killed Teddy Bear? (1965) — Norah (Juliet Prowse) is a pretty young woman who works at a dance club. She’s started getting threatening and harassing phone calls. She doesn’t know the identity of the caller, but we do. It’s Lawrence (Sal Mineo), who also works at the dance club and has taken to watching her through her apartment window and following her around. And to make matters worse, Norah keeps encountering unwanted creepiness from the people she goes to for help, including a cop (Jan Murray) who specializes in sex crimes and her boss (Elaine Stritch). It’s a very dark movie with a lot of artful sleaze that goes in unexpected directions.

Wind River (2017) — Cory Lambert (Jeremy Renner) is a fish and wildlife agent who comes across the body of his late daughter’s best friend. Because the body is on a Native American reservation, the FBI is called in, and they send Jane Banner (Elizabeth Olsen) to investigate. She’s clearly passionate about the case but also clearly out of her league, so she enlists Cory’s help in trying to figure out what happened. Full review at https://nawilson.com/2017/08/02/wind-river/.

Wings (1927) — Jack and David (Charles Rogers and Richard Arlen) are friends from the same small town who go to war. They’re also in a love quadrangle in which Mary (Clara Bow) loves Jack, Jack loves Sylvia (Jobyna Ralston), and Sylvia and David love each other. Both Jack and David become successful pilots, but they’re fated to fight over Sylvia. It’s a beautifully shot film with some hand-colored effects for even more impressive visuals, and the wonderful story is full of heroism and tragedy.

Wolf Warrior 2 (2017) — Leng Feng (Jing Wu) used to be a member of the elite Wolf Warrior squadron of the Chinese army, but he was stripped of his rank and locked up after killing a bad man who was terrorizing a family. And while he was in jail, some bad guys killed his fiancée, and now he wants revenge. He’s traveling the world trying to find out who’s responsible, and he finds himself in the middle of a civil war in Africa. He’s got to rescue a prestigious Chinese doctor and his godson’s mother, and he’s got to do it alone. It’s tough to describe how utterly ridiculous this movie is. It’s bad by just about every measure there is, except the measure of how utterly enjoyable it is. Full review at https://nawilson.com/2017/10/15/wolf-warrior-2/.

Your Name (2016) — Mitsuha and Taki have never met and don’t live anywhere near each other, but each keeps waking up in the other’s body. They devise a way to communicate with each other indirectly, but attempts to speak to each other or meet in person keep falling apart. It’s a little confusing initially, but once you’ve gotten your bearings, it’s a very funny and highly captivating movie. Full review at https://nawilson.com/2017/04/14/your-name/.