Older blog entries for mcr (starting at number 79)

9 May 2011 (updated 9 May 2011 at 20:11 UTC) »

Problems (insecurities) in ActiveResource

I have an application that talks to Redmine/Chiliproject using its API with results in JSON. I use ActiveResource to make these calls, and it suddenly started failing after an upgrade from Redmine to ChiliProject:

test_retrieve_the_thomas_watson_project_by_id(ProjectTest):
ActiveRecord::UnknownAttributeError: unknown attribute: created_on

The fact that I was getting an error from ActiveRecord and not ActiveResource was puzzling. My ActiveResource class was called ProjectResource. The thing that I was retrieving was a "project", and yes, I happened to have a model called "Project", which was a subclass of ActiveRecord.

Looking at the JSON results using curl:

marajade-[~/C/dracula/hourbank3] mcr 10293 %curl 'http://localhost:3100/projects/show/16?format=json&key=abcdAPIKEY09123456789'
{"project":{"description":"Voice and Video softphone system for Android, with SIP support.","updated_on":"2010/10/08 10:10:24-0400","identifier":"thomas-watson","homepage":"","name":"Thomas-Watson","created_on":"2009/08/23 12:21:38 -0400","id":16}}

and also in the debugger, at

(rdb:1) c
Breakpoint 1 at /var/lib/gems/1.8/gems/activeresource-3.0.4/lib/active_resource/base.rb:889
/var/lib/gems/1.8/gems/activeresource-3.0.4/lib/active_resource/base.rb:889
new(record).tap do |resource|
(rdb:1) p record
{"project"=>{"name"=>"Thomas-Watson", "created_on"=>"2009/08/23 12:21:38 -0400", "id"=>16, "updated_on"=>"2010/10/08 10:10:24 -0400", "homepage"=>"", "description"=>"Voice and Video softphone system for Android, with SIP support.", "identifier"=>"thomas-watson"}}

What happens next is that the word "project" is passed to

find_or_create_resource_for(key)

which looks up a class by that name and finds the "Project" class in my model. My model does not have a field created_on, thus the error.

So there are three problems with this behaviour:

Additions to the API should not break my old code; unknown attributes should simply be ignored.

There is no guarantee that the class that was found, "Project", has any of the behaviour that I need in the thing returned from ActiveResource.

Worst, since the word "project" came from the remote system, the remote system can pick any class it wants and have code invoked on it. It's a reverse attack by a server on a client, but it's wrong to assume that the server is fully trusted by the client.

I'm not sure what the easiest way to fix this is, but it's certainly wrong, and it's been in ActiveResource for a while.
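To make the third point concrete, here is an added example (mine, not ActiveResource's code) that mirrors the behaviour described above in plain Ruby, next to a hardened variant. Project, AuditHook, RemoteResource, the ProjectResource namespace and the sample JSON are all constructed for the example. The unsafe lookup resolves the server-supplied key as a constant name against the whole application, so the server chooses which constructor runs; the safe one only looks inside a namespace the resource layer owns, and keeps unknown attributes instead of failing on them.

```ruby
require 'json'

# Constructed stand-in for the client app's own ActiveRecord model "Project":
# it knows two columns and rejects anything else, the way
# ActiveRecord::UnknownAttributeError did in the post.
class Project
  COLUMNS = %w[name identifier].freeze
  attr_reader :attrs

  def initialize(attrs)
    unknown = attrs.keys - COLUMNS
    raise ArgumentError, "unknown attribute: #{unknown.first}" if unknown.any?
    @attrs = attrs
  end
end

# Constructed client-side class with a side effect in its constructor.
# Nothing coming from the API should ever be able to reach it.
class AuditHook
  CALLS = []
  def initialize(attrs)
    CALLS << attrs
  end
end

# Generic resource object: keeps whatever the server sent, unknown keys included.
class RemoteResource
  attr_reader :attributes
  def initialize(attributes)
    @attributes = attributes
  end
end

def camelize(key)
  key.to_s.split('_').map(&:capitalize).join
end

# Mirrors the behaviour described in the post: the JSON key from the server is
# turned into a constant name and resolved against the whole application, so
# the server decides which class gets instantiated.
def unsafe_resource_for(key, payload)
  Object.const_get(camelize(key)).new(payload)
end

# Hardened variant: only constants defined directly inside the resource's own
# namespace are eligible, and only if they are RemoteResource subclasses.
# Anything else (including the app's models) falls back to RemoteResource.
def safe_resource_for(namespace, key, payload)
  name = camelize(key)
  klass = namespace.const_get(name, false) if namespace.const_defined?(name, false)
  klass = RemoteResource unless klass.is_a?(Class) && klass <= RemoteResource
  klass.new(payload)
end

# Namespace owned by the resource layer (hypothetical; empty on purpose).
module ProjectResource; end

# Constructed copy of the JSON the post shows coming back from the server.
SAMPLE = '{"project":{"name":"Thomas-Watson","identifier":"thomas-watson",' \
         '"created_on":"2009/08/23 12:21:38 -0400","id":16}}'

# Returns the error message when the server-chosen class rejects the payload.
def demo_unsafe(json = SAMPLE)
  key, payload = JSON.parse(json).first
  unsafe_resource_for(key, payload)
rescue ArgumentError => e
  e.message
end

def demo_safe(json = SAMPLE)
  key, payload = JSON.parse(json).first
  safe_resource_for(ProjectResource, key, payload)
end
```

With the sample JSON the unsafe path reproduces the "unknown attribute: created_on" failure, and a key of "audit_hook" makes it run AuditHook's constructor; the safe path returns a RemoteResource in both cases and never touches the application's classes.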

Syndicated 2011-05-09 15:07:00 (Updated 2011-05-09 20:11:02) from Michael's musings

24 Apr 2011 (updated 9 May 2011 at 19:11 UTC) »

A novel way to do PBX extensions

At CREDIL we are expanding our Asterisk out to service the entire floor. We didn't do our extensions particularly efficiently (numberwise), and I was thinking about ways to do them.

A really (math) geeky way occurred to me: give employee number n the (n+2)'th prime, counting 1 as the first "prime" and 2 as the second (1 isn't actually prime, but counting it this way means the first employee gets extension 3).

Then, if you need to have a conference call with employees number 4, 6 and 9, you dial the product of their extensions. The sequence is 1, 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, ...: 4+2 = 6th entry is 11, 6+2 = 8th entry is 17, and 9+2 = 11th entry is 29. So dial 11*17*29 = 5423.

Primes are still 4 digits for the first 1000 (the 1000th prime is 7919).

http://primes.utm.edu/lists/small/1000.txt

Every multiple of your extension that is not itself a conference bridge is yours to do anything you want with, and since 2 is never anyone's extension, your extension times a power of 2 is never a bridge, so the exponent of 2 gives you bits to encode useful things. Want to call me and avoid ringing me? Okay, set bit number 2. Want to call me and never go to voice mail? Okay, set bit number 3... etc.
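The scheme worked through as an added example in Ruby (not anything CREDIL's Asterisk actually runs): extensions from the sequence as the post indexes it, conference numbers as products, and the reverse direction, factoring a dialed number back into participants and flag bits, which the post does not spell out. Carrying the flags as the exponent of 2 and the bit names RING_SILENT and NO_VOICEMAIL are assumptions of the example.

```ruby
require 'prime'

# Indexed the way the post counts: 1 is taken as the "first prime", so the
# sequence is 1, 2, 3, 5, 7, 11, ... and employee n gets entry n+2.
SEQ = [1] + Prime.first(1000)

def extension_for(employee)
  unless employee >= 1 && employee + 1 < SEQ.length
    raise ArgumentError, "no extension for employee #{employee}"
  end
  SEQ[employee + 1] # entry number n+2, zero-based index n+1
end

# Conference bridge: the product of the participants' extensions.
def conference_number(employees)
  employees.map { |e| extension_for(e) }.reduce(1, :*)
end

# Extra bits: multiply by 2**flags. 2 is never an extension (employee 1 gets
# 3), so the power of two can be peeled off again unambiguously.
# The flag layout is an assumption for this example.
RING_SILENT  = 0b01
NO_VOICEMAIL = 0b10

def with_flags(number, flags)
  number * (2**flags)
end

# Decode a dialed number back into employees and flags, or nil if it is not a
# product of distinct assigned extensions (times a power of 2).
def decode(dialed)
  return nil unless dialed.is_a?(Integer) && dialed >= 3
  flags = 0
  while dialed.even?
    dialed /= 2
    flags += 1
  end
  employees = []
  Prime.prime_division(dialed).each do |p, power|
    return nil if power > 1            # same extension twice: not a valid bridge
    idx = SEQ.index(p)
    return nil if idx.nil? || idx < 2  # 1 and 2 are not anyone's extension
    employees << idx - 1
  end
  return nil if employees.empty?
  { employees: employees.sort, flags: flags }
end
```

decode(5423) gives back employees 4, 6 and 9 with no flags; decode rejects squares such as 9 (the same person twice) and pure powers of 2 (no participant at all).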

Syndicated 2011-04-24 15:15:00 (Updated 2011-05-09 19:11:44) from Michael's musings

21 Apr 2011 (updated 24 Apr 2011 at 20:10 UTC) »

Time for a new Monarch

To Her Majesty Elizabeth the Second,

by the Grace of God, of Great Britain, Ireland and the British Dominions beyond the Seas Queen, Defender of the Faith, Duchess of Edinburgh, Countess of Merioneth, Baroness Greenwich, Duke of Lancaster, Lord of Mann, Duke of Normandy, Sovereign of the Most Honourable Order of the Garter, Sovereign of the Most Honourable Order of the Bath, Sovereign of the Most Ancient and Most Noble Order of the Thistle, Sovereign of the Most Illustrious Order of Saint Patrick, Sovereign of the Most Distinguished Order of Saint Michael and Saint George, Sovereign of the Most Excellent Order of the British Empire, Sovereign of the Distinguished Service Order, Sovereign of the Imperial Service Order, Sovereign of the Most Exalted Order of the Star of India, Sovereign of the Most Eminent Order of the Indian Empire, Sovereign of the Order of British India, Sovereign of the Indian Order of Merit, Sovereign of the Order of Burma, Sovereign of the Royal Order of Victoria and Albert, Sovereign of the Royal Family Order of King Edward VII, Sovereign of the Order of Merit, Sovereign of the Order of the Companions of Honour, Sovereign of the Royal Victorian Order, Sovereign of the Most Venerable Order of the Hospital of St John of Jerusalem

(see http://en.wikipedia.org/wiki/List_of_titles_and_honours_of_Queen_Elizabeth_II )

On this, Our Birthday, where I turn 40, and you are still more than twice my age, and likely four times my wisdom, I wanted to share some thoughts I have had over the last few years.

I am your direct subject, having been born in London, as well as your loyal subject in the "British Dominions beyond the Seas". I'm actually a fan of having a monarch, which is rather unpopular these days. I even met Your Highness once when you visited Fredericton, but I was actually too little to know enough to be impressed.

First, congratulations on celebrating the marriage of your grandson. I know that things will go well next week, and we look forward to his visit to Ottawa this summer.

I am sure that you have given a lot of thought to succession. I wondered if you had considered that Prince William would make a very nice King. A very nice Young King, one who could rally the youth of today, and bring a unity that politicians yearn for, but have seldom delivered.

Does Prince Charles actually want to be King? Perhaps after a brief Honeymoon, you and Prince Charles might consider abdicating in favour of Prince William.

I suggest sometime in 2012; maybe Feb. 29 would be auspicious, or maybe April 21, 2012. I don't know: I am sure you will come up with something sensible.

Syndicated 2011-04-21 10:39:00 (Updated 2011-04-24 20:10:45) from Michael's musings

17 Mar 2011 (updated 21 Apr 2011 at 15:11 UTC) »

Dreamhost SSL certificates --- insecure

Dreamhost sells third-level GeoTrust SSL security certificates for $15/year. (You have to be an existing customer).

It seems, however, that they do not give you the chance to upload a CSR file. Instead, you are expected to fill out the DN information online, and then they generate a private key for you. And they keep the private key around in their database.

It also winds up in your browser cache, and if you have kind of a "trusted" SSL proxy between you and the Internet (like half of corporate users have), then it's gonna be in the cache of that device too.

This is a FAIL. Not only is your private key subject to whatever insecurity they might have, but it's total FBI Patriot Act fodder.

(If there is some place to upload a CSR, we couldn't find it)
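What the post says you should be able to do instead, as an added example in Ruby (not Dreamhost's or the author's code): generate the key pair locally, build and sign a CSR, and check before uploading that the PEM carries no private key, then check that the certificate that comes back was issued for the key you generated. The hostname and organisation are placeholders, and issue_test_cert is a stand-in for the CA so the whole round trip can be run offline.

```ruby
require 'openssl'

# Generate the key pair locally. Only the CSR (subject + public key, signed
# with the private key to prove possession) ever leaves this machine.
def make_key_and_csr(common_name, org, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}/O=#{org}")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, req]
end

# What gets uploaded to the CA.
def csr_pem(req)
  req.to_pem
end

# Pre-upload checks: no PRIVATE KEY block in what we are about to send, the
# CSR's self-signature verifies, and its public key is the one from our key.
def csr_safe_to_upload?(key, req)
  pem = csr_pem(req)
  return false if pem.include?('PRIVATE KEY')
  return false unless req.verify(req.public_key)
  req.public_key.to_der == key.public_key.to_der
end

# When the certificate comes back, confirm it was issued for our key and not
# for one the vendor generated on our behalf.
def cert_matches_key?(cert_pem, key)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.public_key.to_der == key.public_key.to_der
end

# Stand-in for the CA, for local testing only: issues a certificate for the
# CSR's subject and public key, signed by ca_key.
def issue_test_cert(req, ca_key, days: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = req.subject
  cert.issuer = OpenSSL::X509::Name.parse('/CN=Test CA')
  cert.public_key = req.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

Run make_key_and_csr, keep the key on the host that will terminate TLS, and upload csr_pem(req); a vendor that offers no CSR upload at all cannot be used this way, which is exactly the complaint above.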

Syndicated 2011-03-17 13:13:00 (Updated 2011-04-21 15:11:53) from Michael's musings

2 Mar 2011 (updated 17 Mar 2011 at 18:14 UTC) »

Deploying Django applications with Capistrano

Yesterday, I cooked up a deploy.rb so that Capistrano can deploy a Django application. While there is a Python tool, Fabric (http://docs.fabfile.org/0.9.0/), from what I could tell it was very general (running commands on multiple servers), and not really specific to checking out a web framework and deploying it to one or more servers.

First, my deploy.rb, and then my notes about how I used it. I have changed only one or two things from my real code. My application is called "clientportal" and the host running it is called "clientportal.isp.example.net". On the server, it runs as a user called "clientportal".

This code does not yet invoke the Django database migrations, which it ought to, and I'll do another blog post once I figure out that part.

set :application, "clientportal"
set :me, "#{ENV['LOGNAME']}"
set :repository,  "git+ssh://#{me}@code.credil.org/git/path/to/repo/clientportal"

set :scm, :git
set :user, :clientportal

set :ssh_options, { :forward_agent => true }
set :use_sudo, false
set :git_enable_submodules, true
set :deploy_to, "/home/#{user}/#{application}"

role :web, "clientportal.isp.example.net"     # Your HTTP server, Apache/etc
role :app, "clientportal.isp.example.net"

# This is where Rails migrations will run
role :db,  "clientdb.isp.example.net", :primary => true

namespace :deploy do
  task :start do ; end
  task :stop do ; end

  # this overrides a rails specific thing.
  task :finalize_update do ; end
  task :migrate         do ; end

  task :restart, :roles => :app, :except => { :no_release => true } do
    # something to restart django.
    run "sudo /usr/sbin/apache2ctl graceful"

  end
  task :update_database_yml, :roles => [:app,:web] do
    db_config = "/home/#{user}/settings.py"
    run "cp #{db_config}   #{release_path}/settings.py"
    run "ln -f -s #{release_path} /home/clientportal/clientportal/clientportal"
    puts "Ran update database settings"
  end

end

after "deploy:update_code", "deploy:update_database_yml"

Some details. First, I put my settings.py file into my /home/clientportal directory. I do not check this file into my repo, because it is always specific to the installation (it's different on your laptop than on the devel server or the production server). Also see my:

Like http://blog.perplexedlabs.com/2010/02/08/deployment-using-capistrano-and-webistrano-via-rails-and-phusion-passenger/ I had to adjust my django.wsgi file as well. I wound up with:

import site
site.addsitedir('/usr/local/pythonenv/CLIENTPORTAL/lib/python2.5/site-packages')

import os, sys

sys.path.append('/home/clientportal/clientportal')
sys.path.append('/home/clientportal/clientportal/current')
os.environ['DJANGO_SETTINGS_MODULE'] = 'clientportal.settings'

import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

The important changes were to the paths that get added. It used to add $HOME/clientportal and $HOME to the path, but now it is one directory deeper, and you will notice above in the update_database_yml task that it creates a symlink in $HOME/clientportal with the name "clientportal" that is essentially the same as "current".

This is necessary because the settings are loaded as "clientportal.settings", and python basically turns the . into a / when looking for the file. I could have just changed the name of the settings file, but we had other modules that were loaded using the clientportal. namespace.

Note that the server already had its apache configured to do what was needed. I would normally package these config files up into a .deb file, but I haven't done that yet for this project, it being my first django project.

I am not sure if I actually have to restart apache. I added that for good luck, and I added the following to sudoers (restricted to that one command, so the deploy user gets nothing more than a graceful restart):

clientportal ALL=NOPASSWD: /usr/sbin/apache2ctl graceful

My apache config looks like the following. One thing to watch: "Options Indexes" on the release directory also covers the /media/ alias inside it, so apache will serve directory listings of media unless that is turned off with "Options -Indexes".

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName clientportal.isp.example.net
        ServerAlias portal1.isp.example.net
        ServerAlias portal.example.net

        DocumentRoot /home/clientportal/clientportal/current
        <Directory "/home/clientportal/clientportal/current">
                Options Indexes FollowSymLinks
                Options -MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        Alias /media/ /home/clientportal/clientportal/current/media/
        WSGIScriptAlias / /home/clientportal/clientportal/current/wsgi/django.wsgi
        <Directory /home/clientportal/clientportal/current/apache/>
                Order allow,deny
                Allow from all
        </Directory>
...

Some other links I found, but I didn't use much: http://groups.google.com/group/django-developers/browse_thread/thread/f34e59275e04f9c5?pli=1 http://gnuvince.wordpress.com/2008/01/10/deploying-django/

Syndicated 2011-03-02 12:06:00 (Updated 2011-03-17 18:14:24) from Michael's musings

8 Feb 2011 (updated 2 Mar 2011 at 17:14 UTC) »

To disable gnome-settings daemon from messing with your background

If you are like me, and do not use much of gnome, when you start a gnome application, it may start gnome-settings-daemon, which will mess with your background.

gconftool-2 --set /apps/gnome_settings_daemon/plugins/background/active --type bool False

Thank you to: http://ubuntuforums.org/archive/index.php/t-874816.html

Syndicated 2011-02-08 11:03:00 (Updated 2011-03-02 17:14:36) from Michael's musings

3 Jan 2011 (updated 8 Feb 2011 at 16:09 UTC) »

How can Research in Motion survive?

There are lots and lots of opinions in the media about whether or not RIM and its flagship product, the Blackberry, can survive. For instance, a quick google gives me: http://gigaom.com/apple/poking-holes-in-rims-anti-apple-rhetoric/

http://www.cbc.ca/technology/story/2010/07/14/rim-blackberry-6-annual-meeting.html

http://www.thestar.com/business/companies/rim/article/834957--rim-could-face-tough-questions-today

A friend and I discussed this over lunch the other day. We care only because as far as the Government of Canada's IT policy is concerned, they see RIM as a golden goose who can do nothing wrong. RIM is an endorsement for the government of canada's "IT policy" --- it's a sign of success: those of us in the industry see it as more of a four-leaf clover. Something that happened in Canada by chance, not by design.

Assuming that we wanted RIM to survive, what would we do as CEO?

We have a lot of challenges, and we think that many of them are internal, not external. The major one is the huge amount of Not-Invented-Here (NIH). The second major issue is the degree to which RIM is the centre of the Blackberry world, with data from most models of phones going through expensive data centres for reprocessing. When the Blackberry first appeared, it did not have Internet connectivity, but rather worked through various proxy servers and HTML-reformatters. We were surprised that more people didn't ask questions when CIBC sued some former employees, and subpoenaed emails from their BlackBerry. Why was the subpoena served to RIM? http://www.robhyndman.com/2005/01/06/cibc-sues-six-former-employees/ http://www.heydary.com/publications/blackberry-pin-monitoring.html

Today, it does better, but few developers really want to write apps for the Blackberry JavaMobileEdition. Android is seriously taking a lot of market.

What advantages does RIM have? Sure some patents about some user interface things (mostly physical stuff).

What it does have is a brand name, and Blackberry devices are considered serious status symbols. For instance,a salesperson I was meeting with explained to me that, "of course", his company offered to get him the latest BlackBerry, but he found the keyboard too small for his aging eyesight, and preferred to keep his 2 year old unit.

Along with this brand name is a pretty good email system with pretty good integration into Microsoft Exchange. This is something that Google and Apple do not have as well done. (Yes, Google has most of it, but they don't have the same level of trust from the right places, and many Microsoft IT fanboys hate Google, just on principle)

The problem that I see is that Blackberry has started to go after the consumer market, and with this, they are diluting the BlackBerry brand name. Used to be only big companies could get email integration, and only the important people had BlackBerrys. Now every second person on the bus has one... and they aren't even the cool people. The cool people have their own iPhone or Android. If a cool person has a BlackBerry, it is because their company made them take one because it integrated, but said person has their own phone for their real use.

So, my advice to RIM is as follows:

1) break up the company. Spin off BlackBerry hardware as a private company. Have them make handsets under the BlackBerry name. Sell them for premium dollars. For about 18 months (one hardware design cycle), they can make BlackBerry OS units, but by mid-2012 they have to be shipping Android as the base OS.

2) port all of BlackBerry's custom software to Android in native mode. (i.e. not Java). I do not think much of the core software on the Blackberry is written in Java Mobile (I could be wrong, it could all be JavaME now, but it wasn't a few years ago). Porting to native is probably easier, and may even make it easier for them to offer some unique features.

Native mode code often requires a rooted phone to work well. In this case, it is a feature, not a bug: the target audience is not end users in some sense, but rather, carriers. If you can get BlackBerry Email on just ANY smartphone, then the carrier does not get a chance to charge more for this.

Many carriers have a BlackBerry plan which is different than just Internet, because they know that BlackBerrys can't run torrent clients.

3) create the RIM cloud, and go into competition with GMAIL, Rackspace's Mailtrust, etc. Offer strong integration into corporate email, and offer various DRM-ish controls on what can be done with email that is accessed via the native apps. (it's all pretend security of course, but many people seem to insist on drinking the Kool-Aid...)

What is the result?

1. RIM is no longer competing on price at the low end. Rather they are using the existing low-end smartphone makers to drive corporate/carrier business to them.

2. RIM's hardware spin-off is still making high-end, high-margin handsets for executives. This helps to return much of their status symbol. The new handsets should be easily distinguished from the old low-cost ones they used to make. (New colour? Breath-mint dispenser? ...)

Since they are offering the same integrated apps on other vendors' phones, it means that the peons who need to be "integrated" no longer need BlackBerry handsets, and so nobody will confuse them with important people.

3. RIM's communication cloud can expand into areas they have not yet been into. This is where the money is in the future. How about if executives can now approve expense reports/authorize purchases from their units via digital signatures?

Will RIM do this? Unlikely. RIM will be Canada's Polaroid.

Syndicated 2011-01-03 17:36:00 (Updated 2011-02-08 16:09:49) from Michael's musings

14 Dec 2010 (updated 3 Jan 2011 at 23:10 UTC) »

WIND Holiday Miracle

Michael Richardson: what can you tell me about the Holiday Miracle Plan?
WIND Mobile: Connection established.
WIND Mobile: Initiating Call, please hang in there!.
WIND Mobile: Connecting...
WIND Mobile: Hey, Welcome to Live Help! A WIND Specialist will be with you soon.
Michael Richardson: I hear that there is a $40 plan, which is unlimited calls and unlimited data.
Tiffany: Hi there. Thanks for joining the conversation with WIND!
Tiffany: I see you would like some information on the Holiday Miracle plan
Michael Richardson: yes.
Michael Richardson: I couldn't find anything about it on the web site.
Michael Richardson: I have the 100minutes plus unlimited data.
Tiffany: It's not listed on our website at the present time
Tiffany: It includes: *        Unlimited Canada-wide calling

Unlimited US Long Distance

Unlimited Canada/US Text messaging

Unlimited Canada/US MMS (picture messaging)

Unlimited Global Text Messaging

Caller ID

Unlimited WIND to WIND calling

Call Waiting, Call Forwarding, 3-Way calling

Voicemail

Infinite BlackBerry or Infinite Mobile (depending on the device)

Michael Richardson: I really need more minutes, but actually can live with less data.
Tiffany: for $40
Michael Richardson: sounds perfect. How do I switch to it?
Michael Richardson: is the $40 a special rate, or a regular rate?
Michael Richardson: will I find myself paying more in 6 months?
Tiffany: It's a special rate
Michael Richardson: what is the regular rate?

Tiffany: It's more than a $95 value
Michael Richardson: I understand it's a good deal.
Michael Richardson: How long does the deal last?
Tiffany: The last day is Dec 26
Michael Richardson: what will I pay when the promotion runs out?
Tiffany: It will go back to regular price
Michael Richardson: what is the regular price? $95?
Tiffany: more than $95
Michael Richardson: Please listen carefully.
Michael Richardson: Is Wind going to give me this deal for $40/month forever?
Michael Richardson: Or, like your 50% off on the 100 minute plan, only for 6 months?
Michael Richardson: At the end of six months, what will I pay for the same thing?
Tiffany: It's forever but you would have to make sure your account is active
Tiffany: on a monthly basis
Michael Richardson: I see. Thank you!
Michael Richardson: How do I sign up for it?

Syndicated 2010-12-14 14:49:00 (Updated 2011-01-03 23:10:25) from Michael's musings

Ruby has problems with getaddrinfo(3)

Today I was trying to deploy some rails code to a host with both an RFC1918 and IPv6 address. The RFC1918 address is only valid within my CREDIL office, while the IPv6 is globally unique. When I'm in the office, IPv4 or IPv6 is fine, when I'm not, then it has to be IPv6.

With other applications when I do this, I sometimes get a delay as it tries the RFC1918 address, fails and tries IPv6 instead. SSH works great like this.

Ruby 1.8 (at least) fails: the RFC1918 address does not connect, and then ruby gives up. This makes Capistrano fail.

Capistrano uses Net::SSH, which calls TCPSocket.open. This is implemented in C code in the ruby interpreter. My reading of ruby-1.9.2-p0/ext/socket/ipsocket.c suggests that it might be okay in ruby 1.9, but I didn't look at the 1.8 code yet, and I haven't tried ruby 1.9 yet.

The following code exercises the problem, but you need to have an address which is both IPv6 and IPv4. It also does not seem to be consistent: it seems to depend on the network activity a bit. In theory, /etc/gai.conf can change the order that is returned, but I suspect that ruby is not using the system getaddrinfo(3).

% cat socktest.rb
require 'socket'
require 'timeout'

# connect to a host that has both an RFC1918 IPv4 and a global IPv6 address
factory = TCPSocket
n = factory.open("sakura.gatineau.credil.org", 22)
puts n.readlines
n.close
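The behaviour ssh gets right and the author wants from TCPSocket.open, as an added example in Ruby (not the author's socktest.rb and not Net::SSH's code): resolve every address for the host and try them in turn, falling back when one fails to connect, with an option to try IPv6 first instead of relying on /etc/gai.conf ordering. The connector argument exists so the fallback logic can be exercised with a stub; the addresses in the usage are documentation-range examples, not real hosts.

```ruby
require 'socket'
require 'timeout'

# Default connector: really connects, bounded by a timeout.
def tcp_connect(addr, connect_timeout)
  Timeout.timeout(connect_timeout) { addr.connect }
end

# Resolve host to all of its addresses (v4 and v6) and try them in turn,
# moving on when one fails. `addrs` and `connector` are injectable so the
# fallback can be exercised without touching the network.
def connect_fallback(host, port, connect_timeout: 5, prefer_ipv6: false,
                     addrs: nil, connector: method(:tcp_connect))
  addrs ||= Addrinfo.getaddrinfo(host, port, nil, :STREAM)
  if prefer_ipv6
    # Stable reorder: IPv6 first, otherwise keep getaddrinfo's order
    # (which is what /etc/gai.conf controls on glibc systems).
    addrs = addrs.each_with_index
                 .sort_by { |a, i| [a.ipv6? ? 0 : 1, i] }
                 .map(&:first)
  end
  failures = []
  addrs.each do |addr|
    begin
      return connector.call(addr, connect_timeout)
    rescue SystemCallError, Timeout::Error => e
      # refused / unreachable / timed out: remember why and try the next one
      failures << "#{addr.ip_address}: #{e.class}"
    end
  end
  raise Errno::EHOSTUNREACH, "#{host}:#{port} (tried #{failures.join(', ')})"
end

# Usage against a real host (assumes the name resolves to both families):
#   sock = connect_fallback("sakura.gatineau.credil.org", 22, prefer_ipv6: true)
```

A short connect_timeout matters here: an RFC1918 address reached from outside the office usually fails by timing out rather than by an immediate refusal, and that timeout is what the caller waits before the IPv6 attempt starts.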

Syndicated 2010-11-23 04:10:00 from Michael's musings
