Apr 29, 2008

recipe for success

Example 1

In 2003, an Internet meme known as "How You Remind Me of Someday", or "Nickelback to Back", was created to illustrate the similarities between the songs "How You Remind Me" and "Someday".

In response, bass player Mike Kroeger said "I think that's remarkable for someone to notice that there is a hit quality. If all hits sound the same, then sorry. When you are a band that has a distinct style such as us or AC/DC, that happens. When you have a distinct style, you run the risk of sounding similar."

--Wikipedia (NickelBack)

Example 2
Batman vs The Dark Knight Trailer

So the question is: is there actually a recipe for success?

Is there a difference between short-term, medium-term, and long-term success? How is it that the Parthenon is greater than the Empire State Building (or even the tallest building currently being constructed)? Why have Beethoven and Mozart survived the centuries while Michael Jackson (the Prince of Pop) couldn't survive the decades?

Could we analyze and find formulas for success? Perhaps there are more Golden Ratios.

Apr 27, 2008

Making secure recoverable passwords

For the basic method you need a calculator with a decimal-to-hex function. Your OS should have one built in (scientific mode), and many handheld calculators do too. For the advanced method you'll need hashing software; suggestions for it are listed below.

Windows HashCalc
Macintosh MacHash
Linux/(*nix) Gnu Coreutils

Now that we have the software we need, you'll need a number of at least 8 digits that you won't forget. Guess what numbers fit the bill perfectly: dates. Any date can be expressed in 8 digits, as long as it includes the year. The date we'll use for this example is Linux's birthday, August 25, 1991 (I recommend something more personal, like your anniversary or birthday).

So we are going to write down a note about the date we picked for the password (note that we aren't done yet).

something like

Linux BDay

Dates can be formatted in several ways; just make sure to remember the numeric format you use. For our example we'll use the ISO 8601 standard, which puts our example date in the format YYYYMMDD: 19910825.

So let's make a note of the format too (to throw people off, use a different format, say DDMMYYYY).

Linux Bday ISO

Whatever you do, make sure YOU understand your note, but that it isn't easily understood by OTHERS.

Alright, now we're going to take our number and convert it to hex. Open your calculator, enter 19910825, then use the convert-to-hex function and you should get 12FD0A9 (if you aren't using our example you will have a different number, and it may not be displayed exactly like this; displays vary between calculators). This is your first basic password. You can use it as is, or make it a bit more secure by using one of the hexadecimal notations, for example 0x12FD0A9. You can also add a word or some symbols to either side of it to make it stronger; just make sure to note anything you add to it.

Because of rainbow table databases you should make sure your password is at least 8 characters, but I would recommend no fewer than 9.

But your hex number is shorter than 9 characters, and what do the programs you listed have to do with this?

Good point... let's make something a bit more cryptographic and less predictable.

Take the same date and feed it to your hash program; I'm going to use md5sum for my first example.

If you put 19910825 into md5sum you get 6f9822851dfc6c1045c6fef827e5d729 (for you *nix people, enter the number on the CLI like this: echo -n "19910825" | md5sum. Without -n you might end up with newline issues, because different operating systems use different newlines and a trailing newline changes the hash).

So let's say you need a 12-character password: you could just use the first 12 characters of your hash, for example 6f9822851dfc. If you need 8, for example 6f982285, etc.

If some 'cracker' or black hat hacker gets his hands on your actual password, he might think he hasn't decrypted it fully because it will look like a hash or a memory error. Want to throw people off even more? Just remember that you aren't using the first 8 characters but the 8 after the first 2, for example 9822851d.

Or use a different hash like sha1 or sha512.

Ultimately you could make your note to yourself look like this:

Sha1LinuxBDayISO

To a non-IT person this will look like a random password as is.

The cryptographic hashes take words too, so you could use your name. Caleb into md5sum is


but it's different if I use caleb.


If you always enter them the same way you will always get the same result back. I guarantee that after a couple of days of typing your new password you won't need to have it written down. If you work at a place that requires things like monthly changes, just put the date you changed it on into the hash. Just make sure no one knows both the number/word(s) you used and the hash you used, or they will be able to duplicate your password. Of course you're smart and you added something to it, right? A symbol like !@#$%^*{}|:"<>?[]\;',./ will work fine if the auth method allows it.

Have fun never having a hard time creating passwords again.
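The derivation described above as a shell script, added here as an example that is not part of the original post, together with a count of how many passwords the recipe can produce in total, which is the figure a defender should weigh before relying on it. It assumes GNU coreutils (md5sum, sha1sum, sha512sum) on PATH; the function names are mine.

```shell
#!/bin/sh
# Added example: the date-based password recipe from the post, plus a
# candidate count. Assumes GNU coreutils digests are installed.

# Decimal date -> hex: the "basic" password (19910825 -> 12FD0A9).
date_to_hex() {
    printf '%X' "$1"
}

# Hash VALUE with DIGEST, skip OFFSET characters, keep LEN characters.
# printf '%s' (like echo -n) avoids a trailing newline altering the digest.
hash_password() {
    digest=$1; value=$2; len=$3; offset=${4:-0}
    case $digest in
        md5)    sum=$(printf '%s' "$value" | md5sum) ;;
        sha1)   sum=$(printf '%s' "$value" | sha1sum) ;;
        sha512) sum=$(printf '%s' "$value" | sha512sum) ;;
        *) echo "unknown digest: $digest" >&2; return 1 ;;
    esac
    sum=${sum%% *}             # drop the trailing " -" filename field
    printf '%s' "$sum" | cut -c "$((offset + 1))-$((offset + len))"
}

# Defender's check: the total number of passwords this recipe can yield.
# Because the recipe is public, the password is only as strong as the
# number of (date, format, digest, offset) combinations it allows.
candidate_space() {
    years=$1; formats=$2; digests=$3; offsets=$4
    echo $(( years * 366 * formats * digests * offsets ))
}

# Walk through the post's example: basic hex, then md5/sha1 variants.
echo "hex:       $(date_to_hex 19910825)"
echo "md5, 12:   $(hash_password md5 19910825 12)"
echo "sha1, 8+2: $(hash_password sha1 19910825 8 2)"
# 100 years x 3 formats x 3 digests x 3 offsets: under one million guesses.
echo "candidates for a dated recipe: $(candidate_space 100 3 3 3)"
```

The candidate count is what matters: a secret date keeps the recipe out of casual sight, but the password space is the set of dates, not the size of the hash.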

Apr 26, 2008

Tracking your home directory with a VCS

Josh Carter has done some interesting benchmarking in this area.

His tests include Subversion, Mercurial, Git, and Bazaar

Apr 25, 2008

More Advice to a Young Developer

More Advice to a Young Developer

I think most of it applies to IT In general or even the world at large.

Poor Support - READ WHAT I SAID

For starters, I'm annoyed and ranting. I'm going to pick on some particular companies, but this problem applies to the WHOLE support industry.

Stop using generic scripted answers for problems where they obviously don't apply. I've used them myself in the support industry, but only where they apply.

Examples are paraphrased.
Example 1: Amazon.com and their poorly worded emails

Me> I received an email saying that I had recently bought or viewed lawnmowers, I haven't. Has my account been compromised?

amazon> this email is phishing...(generic phishing email reply here)

(I received another similar)
Me> Hi, I received an email that says I've bought or viewed power tools. Here are the headers; they pass SpamAssassin and Google's filters. Plus I've checked it myself. Maybe you could fix the emails so they don't suggest that I've purchased or viewed something I haven't.

amazon> this email is phishing...(generic phishing email reply here)

Solution: disable amazon from sending me emails on products... and it worked. I guess amazon's support should have paid attention?

Example 2: safari.oreilly.com

Me> I can't get this book to load... I'm not sure why. The 'spinner' keeps going round and round but it doesn't load. I don't have problems with anything

(ok so I could have been clearer on 'anything else' what I meant to say was 'any other books'.)

Safari> I tested the book and do not experience any issues. Here's how to enable scripting in IE.

Me> I'm sorry, wouldn't I have had problems with 'anything else' if I didn't have scripting enabled? Also I'm not using IE and it's not on my OS (I don't use Windows).

Solution: this seemed to resolve itself overnight... I didn't change anything.

Stop telling me that it isn't an issue when it is, because you are too lazy to do simple checking.

Example 3: bugs.gentoo.org

Me> new PackageA Stabilized can't be used by packageB version...

Gentoo> PackageB version is unstable marking invalid
(I poke around)

Me> This is a problem on the stable version as well

Gentoo> Oh...

Solution: I mask packageA to keep it from being pulled... as they seem to refuse de-stabilizing a package that causes problems.

There are always other support problems, but the 2 worst, I think, are not actually paying attention to a support request and not doing more than a cursory check of the validity of a problem.

EDIT: If your company/whatever has this problem, you aren't alone, the almighty google has this problem too.

Apr 23, 2008

firefox 3 beta5

I installed Firefox 3 beta 5 the other day. It's really fast and has some really cool new features. Unfortunately it's still too buggy for me. I'm downgrading back to 2.0; I'll see Firefox 3 when it's stable.

Apr 22, 2008

busybox vi

Although there isn't much to say about it, it's even more limited than the original vi. If you are like me and have been using a vi clone for so long that other editors are unimaginable, I suggest trying busybox vi on your *nix CLI, at least until you can install vi(m).

Apr 20, 2008

Seagate Kills Linux Support

This was on Mad Penguin (I wish he had cited it). I guess my next new hard drive won't be a Seagate. I'll stick with Western Digital and Maxtor (I've never had a Maxtor go bad before 3 years; mine have lived ~5, maybe more).

Apr 18, 2008

Open Source it or not?

When building a new web service, should you open source it or not? If you do open source it, it may make it harder to have revenue.

I am of course building my product on a LAMP stack, and I'm a huge open source proponent. But if the majority of the revenue model is based around people using my site, wouldn't it hurt me to allow others to basically rebuild my site on their own?

I am thinking that a dual license (like Trolltech's Qt licensing) may be best in this case, preventing people from using the code commercially without paying for a license. But even then I wonder... part of the idea is that the product will help generate a community that will then be interested in buying 'dead tree' (book) products.

I'm going to stop 'beating around the bush' on what the proposed product is now (even though this hypothetical question applies to other products as well).

I'm building a 3-part product. First is a character database for PnP RPG games (like World of Darkness and Dungeons and Dragons); people will be able to use it to store/share their characters and NPCs. Second will be a chat system allowing Storytellers/Game/Dungeon Masters to play online. Third is an O'Reilly Safari clone that will allow people to read the books (and get definitions in game) online.

I see my possible revenues as advertising, library subscription, reselling, and support.

What do people think? How should I license the product(s) (I may build it as 3 ultimately)?

(Note: I am looking for partners)

rss/atom bulk

I've noticed recently that some of the feeds I've subscribed to are including a lot of stuff I don't care about. I'm wondering if it would be possible to have a Bayesian filter for RSS/Atom like I do for email.

Apr 14, 2008

What's wrong with Open Source Developers

I was going to write something up about what's wrong with open source developers. But Beranger beat me to it by explaining why Open Source is not about love.

I agree with him on everything except what he says about KDE (and even that's not wrong; KDE 4 just isn't ready to be judged yet).

I have one thing to say in addition to it though.

There are 4 kinds of open source developers:

1.) The insulting, arrogant loudmouth
2.) The developer that doesn't develop and is never heard from
3.) The developer that develops and says not all of us are like #1 and #2 (but is otherwise quiet)
4.) The developer that speaks up, helps with fixing user problems (whether by just telling you how or by writing a patch) and is polite about it. Sometimes they won't fix your problem now, but hey, programming does take time, and there are priorities.

#4 is the only good one of the bunch.

I admit that sometimes I am more like #1 than I should be. But we can't all be Buddha all of the time.

Those of you not striving to be like #4 are part of the problem. I don't want to use your project. Even if I could fix your project I wouldn't, because I have more important things to do, and better people to help.

Apr 13, 2008

Maintenance Problem

Although open source means that in the worst case you can grab the source and maintain it yourself, often this doesn't happen. Many awesome projects just fade into obscurity, and I'm sure many people aren't even aware they are no longer maintained. There was no announcement, no project closing, no call for help. The developers just stopped coding; maybe they died, who knows.

I'm starting a blog called Maintenance Required (maybe I'll do more later) to list software that needs someone to take care of it. I probably won't find everything, but maybe I can get a few good projects picked up. Feel free to contact me if you know something not on the list.

Apr 12, 2008

Apr 11, 2008

msysgit shouldn't be used

Unfortunately the developers of this project are the kind that I don't want to deal with. Their documentation is below average, and the average documentation is already sad. Instead of plugging in to msys, they require you to use their fork of msys. I call it a fork because it isn't a 1:1 copy; they add and remove things as they see fit. Their primary installer doesn't include msys.bat (apparently other installers do), which makes launching the msys bash environment easy. They don't explain why you should pick one installer over another. I asked how I should add the git programs to an existing msys install and never got an answer. I complained that git didn't work with the msys vim-7.1 port; ultimately the response I got was that git is a developer tool, that as a developer I should be able to help myself, and that I was ruining their fun coding (I'm sorry, even if I am a developer, what makes you think I have time to fix YOUR project and MINE?).

I'm sorry that they don't want to support their product, make it better, or work with the parent project (msys).

On their site it says that they are eventually planned to become an officially supported git method. I hope this isn't true, as user support will be horrible.

This unfortunately means I can't use msys, as part of the reason I was going to use it was for git. I will have to switch to Cygwin instead.

Apr 8, 2008

iptables for the average desktop user

The best guide for learning the basics of iptables is here:
Linux 2.4 Stateful firewall design. For the most part it continues to apply to the 2.6 kernel. The only things that won't apply to your Linux system are emerge, if you aren't on Gentoo, and the kernel options, which have changed since 2.4 and even a couple of times during 2.6.

I'm not going to cover those here. If you need help building your kernel or installing iptables I suggest that you consult with either the iptables home page or even better your distribution. Chances are it is already installed, and may even be configured.

First, let's see if we have any rules.

The following commands require root access, and can be run in a root shell, with sudo, or in a shell script run by root.

iptables -L -v

Your output should look something like this if you have no rules:

Chain INPUT (policy ACCEPT 211 packets, 27413 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 312 packets, 211K bytes)
pkts bytes target prot opt in out source destination

If it looks different, no worries; it just means that your distro has already installed rules.

If so, make sure BEFORE CONTINUING to flush them. FIRST check that your policies are set to ACCEPT (you can see each chain's policy in caps above). If any of them is anything else, set it back to ACCEPT, for example for INPUT:

iptables -P INPUT ACCEPT

Now that your policies are clean, flush the rules:

iptables -F #flush all rules
iptables -X #delete all chains

All right, now hopefully you are at a clean state. If you have ever used iptables for NAT you may not be, but that is beyond the scope of this article.

Now we need to create rules. Since this is for normal desktop users, you shouldn't have any services listening, and you shouldn't be routing anything.

To disable routing with iptables (I'm ignoring the kernel setting for this):

iptables -P FORWARD DROP

# set all forwarded packets to go bye-bye if they reach the end of the chain

The OUTPUT chain is fine on ACCEPT for the normal user; only a masochist would want to write rules for it. You generally should trust your outbound traffic.

Now to secure INPUT:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

# the first rule drops all packets with a bad state
# the second accepts any packets related to ones we've sent outbound
# the third accepts any packets coming or going on localhost (this can be very important)
# the policy sets all packets not matching these rules to drop

Various Linux distros may require you to do something special to save these rules so that they survive a reboot. Consult your distribution's community.

If you have rules that you want to keep but also want to use mine, I suggest putting mine first: add the -A rules in reverse order, but use -I (insert) instead of -A so that each one lands at the top of the chain.

When dealing with iptables, always take care when applying iptables -P INPUT DROP. You can be locked out of the machine or the internet if you apply it without the appropriate rules in place.

That's it. Your desktop should be secure from an attacker that you aren't allowing in. There are of course other things you can do to make it even more secure, but those are beyond the scope of this tutorial.
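The procedure above as one script, added here as an example that is not from the original post: it parses `iptables -L -v` output to confirm every chain's policy is ACCEPT (the FIRST check above), then flushes and applies the rules with the INPUT DROP policy last, so the lock-out warned about above cannot happen part-way through. The function names and the DRY_RUN switch are my assumptions, and the sample output is constructed from the one shown above.

```shell
#!/bin/sh
# Added example: the desktop ruleset from the post as a checked script.
# Assumes iptables is installed and the script runs as root; DRY_RUN=1
# only prints the commands instead of running them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Parse `iptables -L -v` output (stdin) and print "CHAIN POLICY" per chain.
chain_policies() {
    sed -n 's/^Chain \([A-Z]*\) (policy \([A-Z]*\).*/\1 \2/p'
}

# Exit non-zero if any built-in chain is not on ACCEPT: the post's
# "FIRST check" before flushing, so a DROP policy never gets flushed bare.
policies_all_accept() {
    chain_policies | awk '$2 != "ACCEPT" { bad = 1 } END { exit bad + 0 }'
}

# The ruleset in the order the post gives it. Policies are reset to ACCEPT
# and the chains flushed first; the INPUT DROP policy is applied last, only
# after the accept rules exist.
apply_desktop_rules() {
    for chain in INPUT FORWARD OUTPUT; do ipt -P "$chain" ACCEPT; done
    ipt -F                      # flush all rules
    ipt -X                      # delete user-defined chains
    ipt -P FORWARD DROP         # a desktop should not route
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -P INPUT DROP           # last: everything not matched above is dropped
}

# Constructed sample of the "no rules" listing shown in the post.
SAMPLE='Chain INPUT (policy ACCEPT 211 packets, 27413 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 312 packets, 211K bytes)
pkts bytes target prot opt in out source destination'

# Usage: `sh firewall.sh apply` as root (or with DRY_RUN=1 to preview).
if [ "${1:-}" = apply ]; then
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$SAMPLE" | policies_all_accept || echo "sample: policy not ACCEPT"
    else
        iptables -L -v | policies_all_accept || echo "warning: a policy is not ACCEPT"
    fi
    apply_desktop_rules
fi
```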

Apr 4, 2008

Tagged - A site that doesn't get it right

Tagged is yet another social networking site. I don't mind that these sites want to connect to my email and check for contacts, but always, ALWAYS allow me to skip that section. I consider it poor security to enter my password just because something asks for it. Fortunately I was smart enough to stop entering data and click a link in the 'welcome to' email to go straight to my profile. I'm adding them to the hall of shame for being a security risk.

The only reason I'm even joining this is to be able to communicate with an old friend who I haven't heard from in a long time.

EDIT: HA! On top of this they won't allow me to post my blogspot URL in my profile. Well, I guess you know how little I think of them. In fact they won't allow you to use the word blogspot anywhere; it's 'banned content'.

EDIT: Just to add another thing, their site acts like complete crap in Firefox on Linux.

Apr 2, 2008

msys - native *nix on windows

msys home

This is not a virtual machine, not an emulator, and technically not Linux. It is a native Linux-like environment on Windows, including BASH, the coreutils, vim and more, brought to you by the wonderful people who brought us MinGW. If you are a *nix person and HAVE to use Windows, I highly suggest you install this. With this plus Firefox, Opera, Pidgin, and many more cross-platform apps you will start to feel at home in Windows.

EDIT: You can get git for it here: msysgit

really nice

If you are using the CFQ I/O scheduler in Linux you can use ionice to nice your I/O. So to really nice something you would do

nice -n 19 ionice -c 3 programname

This may not be the best idea for all programs, but it works. If a program is beating up your hard drive and CPU and you don't want it to, run it this way when starting it.

what hack to do first?

Let's see. I could work on the ipset init script bug (meaning write the init script) for Gentoo. I could start digging into Amarok 2's SQL. I have to figure out my Linksys WRT54GL and whether I want OpenWrt or DD-WRT or just to leave it as is. I could be hacking on my web app, or regen2. So many choices, so little time.

I don't really feel like doing the router now. So that's out. Sometime this week though.

Apr 1, 2008

Perl by Example not on O'Reilly's Safari

I like Safari. It's a great product that I pay ~$500 a year for. I just started a Perl class and the book is Perl by Example. Guess what: it isn't on Safari, or at least searching for the exact title doesn't find it. I've queried the O'Reilly and Prentice Hall people. I pay $500 a year, all the rest of the 'By Example' books are there, and I want my book.

EDIT: O'Reilly's response

Thank you for contacting us about this.

Please note that the books available on Safari Books Online are added to the service at the exclusive discretion of the individual publishers by their internal online content teams and according to their internal guidelines and procedures.

Hence I have forwarded your title request to the respective online content team for consideration. Also please note that due to various resource restraints, our participating publishers may not be able to make all titles available on Safari.

If you have any other questions, please reply to this email. We will be glad to help you in this regard.

EDIT: It's been a couple of weeks and the teacher has given an assignment from the book. The book is still not on Safari. I will have to buy it, it seems.

EDIT: It's out now: Perl by Example, 4th Edition

Ah, typical as usual: some company has made my life harder even though I'm paying them to make it easier. Granted, I understand the reason, but I don't have to like it.

Just answer the question!

I don't mind when people offer additional advice, but when a question about package Y is asked, don't suggest package X (unless you have to say it's not possible in Y but it is in X). I mean, when I ask how to fix this dependency blocker in portage, don't suggest paludis. The blocker would still exist.

If I ask which files are my config files so I can migrate them, don't say move all of your files. Answer the question asked.

If you want to answer it with a link, fine. Just make sure the link is specific (e.g. if I ask a question, don't point me to the docs without citing a specific section; chances are I looked there).

If you don't know, it's ok to say you don't know.