CodeGreen Labs

June 24th, 2008 Business, General, Project Management

I’ve been listening to back episodes of the Agile Toolkit Podcast. One of the things that really caught my attention was the frequent mentioning of something called CodeGreen Labs. From elsewhere on the internet:

We are dedicated to creating a unique training experience that uses real projects with real deliverables. Labs work on projects that make a difference in the world, benefiting organizations that are working to improve the environment, human rights, social justice, health and economic development. By marrying the efforts of dedicated professionals learning Agile Development techniques with not for profit and research communities that need high quality software, we hope to be a small part of a positive change. Each training class will work on a specific software project for a specific cause.

It’s volunteering to work on a real software project that is, hopefully, well run so that you can get real world experience. Sure, they get something out of it, but who cares about the other guy? I imagine they get mainly students. A few of the people in my work circles and I have been talking about something exactly like this. The head of my current company has mentioned to me numerous times that he’s seeing disturbingly bad candidates coming to him fresh out of college CS programs. I can’t comment as to the overall quality of CS programs around the country, but something like CodeGreen Labs seems like a brilliant idea on many levels. Unfortunately, I was a little disappointed at how unfriendly their home page was:

codegreen

Virtualization as Adoption Criteria

June 4th, 2008 Business, General, Programming, Technical

Yesterday at work I got a question from a co-worker about doing something under AIX. I don’t really work with AIX, but I managed to answer the question. This is for another project that I don’t work on. It got me to wondering if I could run AIX in a VM on PC hardware, probably using a PPC emulator. I’ll save you the suspense and tell you that I couldn’t find a way to do it. There are a couple of projects that are sort of trying to do it but they haven’t done it successfully that I could find. Those would be PearPC and QEMU. I’m sure one of these projects will get it working someday, as soon as some really capable programmer wants it badly enough. I briefly thought about suggesting purchasing an RS6000 from eBay but decided it wasn’t a project I needed to poke my nose into.

This is not a rant against AIX, although in a world gone mad with a billion distros of Linux, OpenSolaris, and PC hardware that is criminally cheap and available I don’t feel the need to brush up on that incredibly rusty skill set. No, this is more about the fact that I don’t think I would ever choose to work with any operating system and/or software product that I can’t run in a VM on PC hardware–it’s just too damn handy these days, especially when it comes to QA. That of course includes any non-hacked up version of MacOS, not that they’ll miss my business. Also, sadly, I don’t always get to pick what I want to work with. Still, it’s definitely something to consider when picking your stack and deployment/hosting environment.

Why TrendMicro Sucks

June 4th, 2008 Business, General

A few years back when I was looking for anti-virus software, I read a review that put Trend Micro’s PC-cillin as the best available. I bought it and have used it on all of my ever dwindling number of Windows computers ever since. When I got computers for my parents, I put PC-cillin on them. I’ve always found it to be a good, non-intrusive, non-resource hungry Windows anti-virus product. My last purchase was a three license package that had a rebate that never came. Whatever.

However, their recent shenanigans have me insanely pissed off. I get a particularly spammy looking piece of e-mail on Monday with the subject of “Your Subscription will be renewed in 2 days.” The email explains that my 1 year subscription is going to expire but that it’ll auto-renew 7 days before expiration at a 10% discount. Yay! While the email does include my name it lacks any other identifying information. As I mouse over one of the links I see that it’s pointed to dr.bluehornet.com. In fact, the email has no links pointing to any Trend Micro site. The email even came from trendmicro.cs@digitalriver.com. Surely this is spam so I ignore it.

On Wednesday I get an email saying I’ve been billed for the renewal. This time the email actually has more personal (and accurate) information, including a serial number. It’s still from digitalriver.com but at least it has one link that points to the Trend Micro site. I begin to get very unhappy. Since when is billing my credit card for software an opt out situation? I follow the link (to digitalriver.com) to cancel the order to find that the order number isn’t in that system yet. I cancel it using the email and am told that although they managed to bill me very quickly, it may take up to a week to cancel the order. I also use the original email to go to the same site to opt out of the auto-renewal program. Of course, I make sure that I don’t have to provide any additional personal information on any of these sites since I’m still somewhat suspicious of things. We’ll see if this manages to actually cancel the order. If not I’ll take it up with the credit card company.

A wee bit of research shows that this is not a new situation. I’m still pretty pissed not only about the opt out notion of charging me for shit I didn’t request but also by the fact that my information has been shared/sold/whatever to a third party. I’m pissed that an email sent on behalf of an anti-virus, anti-phishing, anti-bullshit software company is made to look so goddamn spammy that I don’t want to acknowledge it.

Fuck Trend Micro. I won’t buy their products any more. I won’t recommend their products. I will, as much as I can, campaign against the use of their products. I’ll use an inferior product from another company just out of spite. We are no longer happy customer and vendor. Fuck you, your questionable business practices, your sharing of my information, your opt out auto-renewal program, your inability to instantly cancel my unsolicited order, and your choice of partners. Did I mention fuck Trend Micro and PC-cillin? Eat shit, go fuck yourself, rot in hell. There’s no fixing the situation, I will not be “talked down”, I cannot be recovered as a customer. Good job, assholes.

Who Pays These People to Code?

May 28th, 2008 Business, Programming, Technical

I ran across a post in my RSS feeds today that referenced a paper on Bypassing Web Authentication and Authorization with HTTP Verb Tampering. What an awesome title. I’m immediately adding “verb tampering” to the list of things I randomly exclaim in meetings. The short version of the paper (that’s represented pretty well by the other blog post) is:

  • some developers secure URLs in their web application by URL and method (POST, GET, etc). Everything else is allowed (for some strange reason)
  • some servers, when they receive an invalid HTTP method or (often) a HEAD, will perform a GET and then just discard the body of the response. This is fine and is part of the RFC apparently, since the headers have to match between the two. I just wasn’t aware of the fact
  • there are still programmers that have non-idempotent GETs in their applications

The scenario is you find these applications / servers and do something like send a HEAD to the URL “deleteUser?userId=27” and then the server does it, despite the fact that you’re not logged in.

I’m amazed that this is a problem, for multiple reasons. Who are these people that still don’t understand that you don’t use GET to do things like delete records from your system? I’d hate to see what one of those crazy internet spiders could do to these guys.

This is also a reason why I’m a big advocate of pushing your security checks as close to the data as you can comfortably stand. Certainly you should have protection at a service or DAO layer to prevent users with inadequate permissions (unauthenticated users fall into this category) from performing most operations in your system. This is also a good practice to ensure that different types of potential front ends don’t accidentally grant access to the wrong users. The URL level of security is just icing and fluffery to make the application a little more user friendly.

Of course, that being said I work on an application that relies mostly on URL level restrictions (I didn’t do it and I’m working on changing it) and, if I remember correctly, so does my favorite Java web stack. I should point out that neither of these suffer from the problem described in the paper.
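The gap described above, as an added sketch that is not code from the paper or from this post: a URL rule that lists the methods it protects lets an anonymous HEAD fall through to the GET handler, while a rule covering every method, or a permission check in the service layer, stops it. The toy server, the `/admin/` path and the `admin` role are assumptions made for the example.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Constraint:
    """URL-level rule. An empty `methods` set covers every HTTP method."""
    prefix: str
    role: str
    methods: frozenset = frozenset()

    def applies(self, method, path):
        return path.startswith(self.prefix) and (
            not self.methods or method in self.methods
        )


@dataclass
class UserService:
    """Service layer; `enforce` turns on the check close to the data."""
    users: set
    enforce: bool = False

    def delete_user(self, caller_roles, user_id):
        if self.enforce and "admin" not in caller_roles:
            raise PermissionDenied(user_id)
        self.users.discard(user_id)


def handle(method, path, user_id, roles, constraints, service):
    """Toy server (constructed): returns an HTTP status code."""
    for c in constraints:
        if c.applies(method, path) and c.role not in roles:
            return 403
    # HEAD runs the GET handler; only the response body is discarded.
    # The state-changing GET is kept on purpose to mirror the post.
    if method in ("GET", "HEAD") and path == "/admin/deleteUser":
        try:
            service.delete_user(roles, user_id)
        except PermissionDenied:
            return 403
        return 200
    return 405


# Weak rule: only the listed methods are protected, the rest is allowed.
LISTED = [Constraint("/admin/", "admin", frozenset({"GET", "POST"}))]
# Corrected rule: no method list, so every method needs the role.
ALL_METHODS = [Constraint("/admin/", "admin")]


def run(method, constraints, enforce):
    """Anonymous request; returns (status, user 27 still exists)."""
    service = UserService({27}, enforce)
    status = handle(method, "/admin/deleteUser", 27, set(),
                    constraints, service)
    return status, 27 in service.users


if __name__ == "__main__":
    for name, rules, enforce in [("listed methods", LISTED, False),
                                 ("all methods", ALL_METHODS, False),
                                 ("listed + service check", LISTED, True)]:
        print(name, run("HEAD", rules, enforce))
```

Only the first configuration loses the record; the service-layer check holds even when the URL rule is the weak one.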

Twitter Update

May 3rd, 2008 General, Misc

As I mentioned in another post, I’m giving Twitter a retry. I must say I’m enjoying it a lot more now that I’m not trying to treat it like other mediums of communication both in terms of what I follow and in how I use it to communicate. I’m definitely more willing to tweet things that don’t warrant a blog post or an email.

A great example of this is when I was able to find out that a former co-worker had left their previous job. While that might be email or blog worthy, most people wouldn’t bother putting that kind of information out there, but he tweeted it. As such, I didn’t have to wait for that information to make it through the traditional grapevine. For once, I even knew about the news before some of the other people I know.

While I’m using it to keep in more constant contact with friends and former co-workers, some people are using it for a lot more. This post has a few recommendations for using Twitter that I found interesting. I’m not sold on a few of them, such as event updates. I realize that quite a few events are using Twitter to update attendees on things. This just seems like an alternative to email lists and RSS feeds. Does Twitter have better penetration than email or RSS? Is it just that I have more noise in my RSS reader? Won’t Twitter suffer from that eventually? I don’t know. It just seems like using an alternative form of communication just for the novelty of it.

Another use I’ve seen is people soliciting feedback or getting votes on an issue via Twitter. I think that’s a great use, but I don’t think I’ll ever have enough followers to do it effectively. There’s a big difference between asking your 1-10k followers for feedback and asking 20 people. Maybe I’m wrong. Maybe I should tweet the question (and get feedback from 1 or 2 people).

The idea of using Twitter to create and track ToDo lists intrigues me, but again, I just can’t get my mind around the advantages. While Remember the Milk seems interesting I haven’t gotten off my ass long enough to try it. I hear good things though.

Foamee is another one that I like. You can let someone know that you owe them a drink for something. I haven’t used it yet. Maybe I’m too stingy with my kudos. Maybe I’m just an asshole. Who could say? Is my reluctance to use these and many, many other services that integrate with Twitter another example of me being too set in my ways to “get it”? Maybe in another few months I’ll be writing posts about how I’ve come around to using them.

The Return of the Daily Stand Up

April 30th, 2008 Business, Humor, Project Management

I switched jobs recently and although the current company used to do daily stand up status meetings ala Scrum/XP/Agile/Wagilefall, they had stopped at some point. As near as I can tell, they stopped because they couldn’t keep the meetings short and on track. I expressed to my manager(s) that I thought it’d be great to start doing them again and lo and behold we had one on Monday.

Of course, the first issue that came up was the notion of the correct time. Inevitably when you try to start a meeting “on time” you get bogged down with the fact that no one thinks they’re late because their clock says they’re not. In the past I’ve used web based atomic clocks, but I’m now convinced that anyone planning to start meetings on time has to invest in a digital clock that synchronizes with the official time. I further suspect that anyone thinking that the people they work with are too mature to have this “argument” is probably wrong. We also haven’t settled on the “punishment” for being late. I’m a big fan of cash fines though.

Bitstrips and a Super Feed

April 20th, 2008 Humor

Bitstrips now has real RSS feeds. I’ve made a Feedburner feed for Flat Organization that points to the Bitstrips feed for the comic, if anyone is interested.

At the same time, I’ve added a feeds page to this blog with nearly all of my available RSS feeds, including a new super feed (made with Yahoo! Pipes) with everything in it to save people the trouble of subscribing to everything individually.

Yahoo! Pipes and Bitstrips

April 8th, 2008 Technical

Sure, I could have named the post something like “Laying Pipe” but that’s a bit obvious, isn’t it? As my two blog readers have no doubt noticed (with some annoyance), I’ve been playing around with Bitstrips and throwing together the occasional comic (complete with my first comment directed at how shitty my “artwork” is). One problem with Bitstrips (other than the fact they co-own everything you do) is that they don’t have an RSS feed for either your comics or your series. I opened a bug on the matter but rather than sit back and wait for it, I decided it might be time to have some more fun with Yahoo! Pipes.

The Plan

Bitstrips provides a link to a pseudo feed for each series. The series ID is passed in as a parameter and you get a paginated view of all of the episodes. I figured I’d just grab that page in pipes, create a title off of the episode title, grab the associated URL for the episode, grab the image of the strip for the episode, and throw the whole thing together to make a feed for my series.

Execution

Numerous problems occurred after I started implementing that simple plan–most of the problems being in the Bitstrips layout. I won’t go into detail about it, but here’s a summary of the steps I went through to get my feed:

  • Get the series “feed” page - http://bitstrips.com/feed.php?feed=s_9713 in this case
  • Find the URL of whatever page is associated with the “go to last” button - The feed page outputs the series in order. For the feed, I want the most recent stuff. There is no option to just go to the last page, so I need to find that button, grab its associated URL, and then retrieve that URL as my new starting point.
  • Regex some fields - I use the regular expression module in Pipes to pull out values for the title field, the publication date, and the link for the item.
  • Clean up the date - The date isn’t in the proper format, so I need to use the Date Formatter and re-assign the value to “item.y:published”. This is how you get a pubDate into an RSS feed from Pipes (thank you Yahoo! discussion forums). This all happens inside of a loop.
  • Sort - I want to include this feed into a spliced super feed, so I want to sort it by publication date. However, the publish date in the comic has no time stamp. Luckily, the URL for the comic uses an auto-incrementing ID, so I just sort by that.
  • Get the image for the comic - Now we follow the link that we got earlier that goes to the individual episodes. We do this inside of a loop to get images for each item. After that loop, we use a regular expression to get rid of all the extra HTML around the image so we’re just left with a nice img element.
  • Ship it! - We now have the title, a link to the comic, and the image of the comic. We’re done.

Results

Here’s what the pipe looks like from way up here:

BitstripsPipe

You can see the results of the pipe here or even examine the “source code” a little more closely by editing it (requires a Yahoo! login and you can’t actually edit my version, so there).

Of course, this is a very brittle and ill-advised way of doing things. As soon as Bitstrips changes their site my pipe will burst into flames and spew all sorts of errors into the feed. There is also probably an easier way to do it either in or out of Yahoo! Pipes, but I had fun doing it this way. I haven’t decided if I want to put this feed into a jumbo super feed yet or not, but that is most likely the way I’ll do it. For now, subscribe if you want but it may go away or be duplicated in a feed to be named later.

Google Android and Grand Central

April 7th, 2008 Business, Programming, Technical

I’m enamored with the idea of Google Android. I briefly looked at the development kit and was very impressed by it. And then I did nothing with it. Part of the problem is that there is no Android capable phone at the moment. That takes some of the sex appeal out of developing for it. More than that is the fact that I don’t have any ideas for applications that I’m all that passionate about.

This weekend I heard that Google acquired Grand Central. They’re a company I’ve never heard of but they’ve got an impressive list of features. Grand Central is a “web-based voice communications platform”. It’ll let you do all sorts of cool things with your phones via a single number.

This got me to thinking about cool things you could do with Grand Central and Android. Where I work, we use a product called Contactual to route calls for our support number to any other phone number. You can also use their web interface to place an outgoing call and have the resulting call sent to your phone. This is in place so support technicians don’t inadvertently give their personal phone number to a customer via caller ID. Once a customer gets a personal number they think that they have a buddy in technical support that can’t help them out whenever they run into a snag, rather than going through the proper channels.

What would be interesting would be to see an Android/Grand Central application that would make a similar scenario as easy as dialing an ordinary number. Perhaps allowing you to select any of your phone numbers from a drop down when making the call.

Many of the other features listed on Grand Central’s page also look like they’d be an excellent fit with an Android phone.

  • Call Record - Use the phone to signal to the server that you want to record your current call
  • Block Callers - Why not use Android to let you mark an incoming call’s number (or current call) as a blocked number?
  • Call Switch - Use your phone to transfer your current call to any of your other numbers.

All of these things are possible with Grand Central and become that much cooler if you can use your phone to do them more directly. It seems like a great tie in for an upcoming product and a recent acquisition all in the same related problem space. Of course, I’m far too lazy and stupid to code any of it, but it still sounds cool.

Mostly Movies to Miss

April 6th, 2008 Entertainment, Movie Reviews

Part of this weekend was spent catching up on the movie queue. All movies but one were a disappointment.

Sweeney Todd

I’m not a big fan of musicals and I’m thinking I may not be much of a Tim Burton fan, at least not any more. I’m finding his quirky visual style tiresome lately. Maybe it’s just overexposure. I realize this crapfest is based on a hit Broadway musical, but it blows in spite of (or maybe because of) this. I think the average stretch in the movie without a song is roughly 3 minutes. To make it worse, the songs aren’t at all memorable. The story is predictable and the characters uninteresting. Yawn.

Underdog

I never expect much from what I consider to be kid movies and I’m typically not disappointed. Underdog is peppered with jokes that fall flat to the adult crowd. I’m guessing kids find this shit funny, but I really have no idea. Jason Lee voices Underdog and I can’t help but hear Earl Hickey. Patrick Warburton reprises his role as Putty, Kronk, or Agent Tee. Take your pick: it’s the same voice every time.

Margot at the Wedding

A pointless romp about quirky characters I really couldn’t give a shit about. Nicole Kidman and Jack Black in the same movie? Pinch me. At least you get a flash of Jennifer Jason Leigh’s boobies. Save yourself the agony of watching the movie and just find them on the internet.

Across the Universe

Is there anything better than hearing second rate actors/singers deliver butchered renditions of your favorite Beatles’ songs amidst a plot about the draft, musicians seeking fame, and a love story between two young American Idol rejects? Yay. The movie reminded me just how many Beatles songs I actually like when they’re not being twisted into soulless shadows of themselves by failed karaoke singers.

Dan in Real Life

Dan in Real Life was the only good movie of the bunch. I thoroughly enjoyed it. Steve Carell continues to impress me by not being pigeon holed into roles similar to his insanely good character from The Office. There’s something really honest feeling about his delivery and mannerisms in this movie. It was quite satisfying and I recommend it highly. He plays an advice columnist that is a widower and father of three daughters. The movie is centered around a yearly family reunion. I won’t spoil your enjoyment with any more information than that.