December 31, 2005

Windows zero day exploit

The vast majority of software has bugs. The ones that don't are either too small to do anything useful, or written under rigid rules, over long years. We can argue the fine points of this, but it's rare to find software that doesn't have them.

The issue with bugs is not that they exist, it's how long you have to wait until they get fixed.

It seems that we now have active exploits roaming around for the latest Windows bug. Even XP2 is not safe, and basically you just have to browse to a site containing a special image (not Britney, a specially crafted one).

This worries me because a lot of friends and family use Windows. My wife has a small business and uses Windows. So we are in for a ride in the next couple... what? Days? Weeks? Months? Microsoft hasn't acknowledged the bug yet...

Let's hope someone is able to write a Firefox extension to block these pesky images, and make sure your anti-virus is updated, people.

I won't rant about how Macs or UNIX in general are safer from this kind of thing. It's wasted time, really. Security has become some sort of battlefield between OSs (a "mine is bigger than yours" kind of thing), and most OSs can be made safe, if you are willing to lose flexibility (an anti-Windows friend of mine would say that if you are willing to lose network connectivity, Windows is pretty safe...). I myself know that I set up my Mac in certain ways because it's more flexible that way, but I lose security. It's a trade-off.

Update: there is a fix for the WMF exploit. I find it amusing that it doesn't come from Microsoft, and predates the (so far missing) acknowledgment from them. There isn't a single mention of this on the Microsoft Security page.

Update 2: Ahh, found the Microsoft Security Advisory 912840. It's not on the Security home page, so it's probably me not understanding where we should look for these things. The wording of the title is amusing: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. Emphasis mine.

December 30, 2005

Housekeeping stuff

Just a quick post to note some things:

  • I had problems with my upgrade to MT 3.2. I decided to reinstall from scratch. Everything seems much better now. Comments seem to work, and all the feeds validate;
  • During the upgrade, I forgot to include two feeds I had previously: rss-full.xml and index.rdf. They are back but they are not announced anywhere. My recommendation is to use the Atom feed, or the RSS 2.0 feed if you want comments and trackbacks as well;
  • Technorati seems to know me again, after ignoring me for 70+ days. I had to delete my claim and reclaim this blog;
  • I'll be moving DNS and HTTP servers in the next few days, some things might break, so sorry for the inconvenience.

And if I don't see you again, have a very good New Year.

December 29, 2005

Wake up and smell the fastcgi

You might have noticed that fastcgi has been getting a lot of momentum in the past few months. The biggest deployment I know of is the Yahoo! Small Business Web Hosting service, which runs Movable Type under fastcgi.

Most rails apps are deployed using it, Catalyst also has support out of the box, and even PHP works very well with it.

The main advantage I see is that it splits the application from the webserver. You can run your fastcgi process under a different user id, and even chroot'ed, for increased security. At the same time, static content can be streamed very efficiently by the webserver.

It also helps to improve the webserver, because you can make it threaded or add other tweaks without having to worry about whether it will break modules like mod_php or mod_perl.

And you can mix and match, a threaded webserver with a non-threaded app.

There are limitations for now: with mod_perl, for example, you can hook into all of Apache's processing phases, and modify almost everything you want on the requests.

But all in all, it's a good technology with a lot of advantages.

But Apache has been lagging behind in the fastcgi support department. The mod_fcgi module is a third party install, and without some patches, it will not work with Apache 2.2.

The big winner seems to be Lighty which has very good fastcgi support.

But it seems that the big boy has awakened, and you should all look forward to mod_proxy_fcgi. It will sit behind the mod_proxy_* set, so you'll be able to use it with mod_proxy_balancer.

It's good to see decent support for fastcgi in Apache, even if it is a couple of days after I switched to Lighty.

The quest for fastcgi MT setup

After successfully placing Trac under fastcgi with Lighty, I'm now targeting Movable Type.

It's not as important as Trac was, I'm pretty happy doing it via CGI, I'm very low traffic. One of the caveats with this approach is that some plugins might not work correctly, due to the persistent nature of fastcgi processes. But, hey, this is the way Yahoo! is doing it, so if that is really a problem, I think they will be corrected shortly.

Anyway, I've collected some links to how-to's about this:

Tip: use TextMate and Ecto

Quick tip for those who are using ecto and TextMate: you can edit your drafts using TextMate directly from ecto. In case you use Markdown to write your posts, this is great. The Markdown bundle in TextMate is very good.

Just choose Edit > Edit with > TextMate and you're done. The text updates in ecto after you save in TextMate.

For more information, see this article on the ecto blog.

Trac and Lighty

I'm moving this and other simplicidade.org sites to Lighty.

My main motivation was memory usage and the fact that I'm starting to use Trac a lot, and using that as a CGI is painful. I wanted to use fastcgi and Lighty is high-rated in that area.

After reading some articles about Trac and fastcgi, I settled on this config:

$HTTP["host"] == "projects.simplicidade.org" {
  server.document-root = "/servers/sites/projects.simplicidade.org/docs"
  accesslog.filename   = "/servers/logs/lighty/sites/projects.simplicidade.org_access_log"

  server.indexfiles    = ( "index.html" )

#  fastcgi.debug        = 1
  fastcgi.server       = ( "/project" =>
                           ( "trac" =>
                             ( "socket" => "/servers/workspace/lighty/sites/projects_simplicidade_org-trac-fcgi.sock",
                               "bin-path" => "/usr/share/trac/cgi-bin/trac.fcgi",
                               "check-local" => "disable",
                               "min-procs" => 1,
                               "max-procs" => 3,
                               "max-load-per-proc" => 1,
                               "idle-timeout" => 30,
                               "bin-environment" => (
                                   "TRAC_ENV_PARENT_DIR" => "/servers/workspace/trac/instances/simplicidade"
                               )
                             )
                           )
                         )
  alias.url            = ( "/trac/" => "/usr/share/trac/htdocs/" )

  auth.backend         = "htpasswd"
  auth.backend.htpasswd.userfile = "/servers/workspace/trac/passwd/simplicidade/trac.htpasswd"

  $HTTP["url"] =~ "^/project/[^/]+/login" {
    auth.require       = ( "/" =>
                           ( "method" => "basic",
                             "realm" => "projects at simplicidade.org",
                             "require" => "valid-user"
                           )
                         )
  }
}

Works very well. The trick to have several Trac instances with a single fastcgi server is the TRAC_ENV_PARENT_DIR environment variable. You should point it to the parent directory of all your Trac instances.

Oh, and the site projects.simplicidade.org is not up and running yet. I'll announce it soon though.

TextMate: cool stuff so far

In my quest to implement my 2006 Resolutions, I decided to start early and I've switched to TextMate already.

I will not dump all the links to the documentation on you. I will only point to some "Wow, cool"-type of things I found in the last couple hours browsing stuff.

Some of the links are from the Macromates blog, a resource I would recommend if you are also switching to TextMate. The author posts some lengthy articles, and I was able to pick up general Mac OS X tidbits I didn't know about.

So far, so good. Snippets and Macros are my new best friends.

utf-8 and DBD::mysql

After an afternoon trying to understand why some of my output from a utf8 table in MySQL was coming out garbled, I finally realized that:

  • even if your tables and database are all created with utf8 charset;
  • even if you set your connection charset to utf8 with SET NAMES 'utf8';

your scalar results in perl will not have the utf8 flag set, so any print, concatenation or XML generation further on will result in a mess, when finally printed out to an XMPP stream, for example.

So, on all your code, after you retrieve data from MySQL, you must set the utf8 flag on that scalar.

For now I'm using this code. Probably not the best one, but it suffices for now.

# Flip the utf8 flag on a byte string coming back from DBD::mysql, but only
# once: decoding a scalar that is already flagged would corrupt it.
if (! utf8::is_utf8($message)) {
  utf8::decode($message);
}
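One way to do this for a whole row at once, as an added example that is not the blog's own code: it assumes a hashref as returned by DBI's fetchrow_hashref, uses sample bytes constructed inline, and shows the concatenation mess the flag is there to prevent.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not the blog's code): decode every string column of a row
# fetched with DBI's fetchrow_hashref, in place. DBD::mysql (at the time of
# this post) returns the raw bytes of a utf8 column with the utf8 flag off.
# Returns the list of columns that were NOT well-formed UTF-8; those are
# left untouched as bytes instead of being silently mangled.
sub decode_row_utf8 {
    my ($row) = @_;
    my @bad;
    for my $col (sort keys %$row) {
        my $val = $row->{$col};
        next unless defined $val;
        next if utf8::is_utf8($val);      # already characters, don't decode twice
        if (utf8::decode($val)) {         # flag goes on only for valid multi-byte UTF-8
            $row->{$col} = $val;
        } else {
            push @bad, $col;              # invalid bytes: $val is left unchanged
        }
    }
    return @bad;
}

# Why the flag matters: concatenating raw bytes with a flagged string makes
# perl upgrade the bytes as if they were Latin-1, which is the "mess" you see
# on an XMPP stream. Returns (chars in the mixed string, chars after decoding).
sub mixed_lengths {
    my ($bytes) = @_;
    my $wide = "\x{263a}";                # a char above U+00FF forces the utf8 flag
    my $mess = $bytes . $wide;            # each byte becomes its own character
    my $chars = $bytes;
    utf8::decode($chars);
    my $ok = $chars . $wide;              # what you actually wanted
    return (length $mess, length $ok);
}

# Constructed sample row: what DBD::mysql hands back for a utf8 table.
# "Jo\xc3\xa3o" is the UTF-8 encoding of "João": 4 characters, 5 bytes.
my %row = (
    name  => "Jo\xc3\xa3o",
    id    => 42,
    notes => "\xff\xfe not utf8",         # constructed: junk that is not UTF-8
);

printf "name before: %d bytes, utf8 flag %s\n",
    length $row{name}, utf8::is_utf8($row{name}) ? "on" : "off";
my @bad = decode_row_utf8(\%row);
printf "name after:  %d chars, utf8 flag %s\n",
    length $row{name}, utf8::is_utf8($row{name}) ? "on" : "off";
print "left as bytes: @bad\n";

my ($bad_len, $good_len) = mixed_lengths("Jo\xc3\xa3o");
print "mixed with a wide char: $bad_len chars undecoded vs $good_len decoded\n";
```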

There is some discussion about this online. It seems that the DBD::mysql people are waiting for a general solution for the problem to appear in a future version of DBI. There is also a patch floating around that sets the flag on utf8 content.

If you use Class::DBI, you can also look at Class::DBI::utf8 that does the right thing.

Regarding support for this in DBI itself, there is a thread by Tim Bunce that talks about utf8 support in DBI in a future version, in particular bullet 4 of the initial post. But the next bullet assigns responsibility for the utf8 flag to the drivers.

This quote in particular should be self-explanatory about Tim's reasoning:

Some features, like charsets, vary greatly in how they're handled by database APIs. For this kind of feature the DBI usually lags the drivers. Once a few drivers have implemented their own driver-specific interfaces, and had them proven as practical by users, then I can work with driver authors to see how best to extend the DBI API in a way that'll work well for those drivers and others.

And a more specific one regarding DBD::mysql:

Basically it should be the job of the drivers to set the utf8 flag on data being retrieved if it is utf8. I believe that the new mysql v4.1 protocol does provide information about the character set of each column. DBD::mysql can use that.

I would like to see that patch merged into the DBD::mysql mainline. It seems that Tim Bunce is passing on the responsibility for the utf8 flag to the driver author. It makes some sense. If the DBI layer were responsible for setting the flag, it would need to obtain charset information from the DBD driver anyway. In that case, if the driver already knows which charset it is using, why not just set the flag? This would make it easier to work with utf8 in the meantime...

Stay tuned for the next chapters in the utf8+DBD::mysql saga...

Update: another interesting link about MySQL, utf8, and Movable Type.

December 28, 2005

Resolutions for 2006

I've never written down my new year resolutions before, but I want to keep track of them this time, so here they are. I think my friends already have sufficient ammo to embarrass me on a daily basis, but I want to make their life even easier, one year from now.

The first thing I want to do is to change my main text editor. I've been using vi and/or vim since 1991/92. I've used other editors briefly. LightEditor was one of them, in the early 90's, written by two friends of mine, Ulisses and Oscar. But I quickly switched to vi/vim. I had a few months of experience with emacs, but I already had an operating system, I didn't need another one. So I stuck with vim for the last few years.

But times move on, and for the past year or so, my life with vim has been more of a struggle to have decent utf-8 support with Terminal.app than anything else. It's probably my fault, but I think that in 2005, utf-8 support is something that should just work. It should be the default. Especially if you are using a Mac.

So after 14 years, I'm switching to a new editor. My choice was TextMate. I'll be posting my findings in the coming weeks. Changing editors, especially when the keyboard shortcuts are already hard-wired into your fingers, is scary.

The second thing I'm doing is dumping all the PC-style Logitech keyboards I've been using during the last 4 years. I've used them successfully with my last choice of operating system, Linux, but with the Mac they were never a perfect fit. The Logitech drivers were not that good, and I had to switch mentally from a PC-style keyboard to a Mac-style keyboard whenever I used the laptop keyboard directly. Things only get worse if you take into account that I use a PT layout.

The third thing is to make a decent "About me"-page somewhere around here. It seems that some people want to contact me and don't know how. Can't blame them really.

The fourth and last one I intend to do is complete or share more projects. I tend to talk about things I want to write/do, start documenting and coding, and then nothing sees the light of day. It seems that I'm a starter and not a finisher. I would like to change that.

Some of the projects I would like to start and release in some form or another, are:

  • Net::Protocol::XMPP: my 3-year-old project to implement a Perl library for XMPP with reusable components, and without any network code;
  • POF: POE++, a small layer of object-oriented perl around POE;
  • a Catalyst-driven PSP community site for Portuguese people: members would be able to keep their own games list, and the system would facilitate trades between them;
  • a sourceforge-like setup based on Trac for all the lisbon.pm.org mongers;
  • gather on a single wiki/trac/something all my cookbook recipes that keep me sane every day: scripts, one-liners, tips and tricks, just write the damn things somewhere;
  • Kiwi: my geek/programmer/terminal-oriented wiki/oo-database/cross-reference thingy;
  • Cronofagius: a system to keep all those cron emails from flooding your inbox/cron-folder.

Small list, I know.

This last thing, the fact that I cannot finish what I start, bothers me. If you want an excellent example, in Portugal, of somebody who seems to be a do-er, look no further than Carlos. In the last year, he put together a great set of services. Kudos to him for that. Let's see if I can catch up next year...

December 23, 2005

Amazon can sell anything, I guess

Too late for Christmas but you never know. Amazon can sell you anything, I guess.

December 16, 2005

Jingle is out there

For those of us working with XMPP, this is probably the best Christmas present we could have.

Yesterday, the Jabber Software Foundation announced two new JEPs (similar to the RFCs of the IETF, they define extensions to the basic XMPP RFCs), Jingle Signalling and Jingle Audio, to specify a standard way for XMPP clients to negotiate Voice over IP sessions.

On the heels of that announcement, Google released libjingle (also look at the SourceForge project page for libjingle), a C++ library implementing the Jingle spec.

I'm still looking over licensing details and technical details, but the future for XMPP-based VoIP seems a lot brighter today.

BTW, my employer is happy and proud to be part of the list of companies that pledged support for this standard. :)

Update: I'll be collecting some links to post around the community.

Update 2: Apparently libjingle also includes a relay server and a STUN server. From the libjingle readme file (via Celso):

Relay Server

Libjingle will also build a relay server that may be used to relay traffic when a direct peer-to-peer connection could not be established. The relay server will build in talk/p2p/base/relayserver and will listen on UDP ports 5000 and 5001. See the Libjingle Developer Guide at http://code.google.com/apis/talk/index.html for information about configuring a client to use this relay server.

STUN Server

Lastly, Libjingle builds a STUN server which implements the STUN protocol for Simple Traversal of UDP over NAT. The STUN server is built as talk/p2p/base/stunserver and listens on UDP port 7000. See the Libjingle Developer Guide at http://code.google.com/apis/talk/index.html for information about configuring a client to use this STUN server.

December 15, 2005

Embrace...

Maybe I'm old and grumpy, but after reading that Microsoft will use the same icon for RSS feeds in IE that Firefox uses, the only phrase that stuck in my memory was this one: embrace and extend.

We'll see.

Blog recommendation

One blog that I follow with interest is Bruce Schneier's Schneier on Security. I like his practical approach to security, but most of all I like to read some of the clippings he collects from several sources and from anonymous emails he receives.

Just today he posted two articles, all good:

Recommended.

Harry Potter

I like the Harry Potter books, I own all of them, in both Portuguese and English. Tonight I went to see the latest Harry Potter film, The Goblet of Fire.

Let me start by saying that it is a big book, around 790 pages. Also, it's packed with lots of action. The next book, the Order of the Phoenix, is much slower than this one, for example. So making a film around this fourth book would be a challenge.

How well did they do? Not that well. The entire film feels rushed, some of the acting is really bad, and it feels that everybody is in a hurry to move along.

We can expect that some parts had to be cut to fit in the two hours of movie, but I feel that some of the cuts, like the last three pages of the book where some money changes hands and influences events in the fifth and sixth books, were important and could have been done in no more than 2 minutes. You could probably use that instead of the image of the ship submerging in the lake.

Also, if you haven't read the books, you'll be a bit lost. Most of the jokes require some knowledge of the history of previous episodes. The constant reminders of the Polyjuice Potion are a link to the first book, when the three made it to spy on the Slytherin house.

One other issue I find interesting is the evolution of the terrain around Hogwarts. It has become much more open than in previous years, the lake seems a lot bigger. One interesting question is that the castle seems to move magically from one side of the lake to the other. I really have to get the four movies on DVD and see them through to compare, but I'm almost sure that the castle was on the other side of the lake in previous episodes.

Last, although rated PG-13, I wonder if that is wise. Most of the movie is ok, nothing serious. But the third challenge, the maze, can get pretty scary. There are one or two scenes where you can be caught off guard and jump from your seat. Maybe I'm getting soft, with my age and my son, but I really recommend the PG part of the rating.

In summary: if you are a Harry Potter fan, you'll go and see it, because you are a fan. Just don't expect much. If you are not a fan, and you are looking to find out what the fuss is all about, take my advice, and buy the book. It's several orders of magnitude better than the movie.

December 14, 2005

Using Launchd in Mac OS X

In case you were wondering where all your crontabs went after you upgraded to Tiger, check out the Mac DevCenter article about launchd.

Good stuff.

Crypto on Chip

This is not something new but I hope we can see more of this in server-class CPUs in the future: Sun Fire T2000 and Secure Applications.

The basic idea is to have a cryptographic accelerator on the chip, to make certain operations, like those required by SSL, much faster and cheaper.

It's a big win for a lot of companies that want to offer SSL to their clients but can't, due to the cost of scaling up SSL ops.

It's not the first time I've heard of this. There have been PCI accelerator boards for quite some time that you can offload most of the crypto tasks to, and even moving it into the CPU has been done before, even in the x86 world. I think I remember the VIA PadLock initiative included some support for crypto acceleration.

If you want to know more, check the SSL Acceleration page.

Tuning your broadband connection

Apple recently released a Broadband Tuner application for Mac OS X. Basically it sets some kernel parameters in /etc/sysctl.conf, regarding network buffers.

Well, Aaron Adams (one of the switchers in the Apple campaign, in case you've forgotten) has some alternative configurations that you might want to try.

I'm using them with no problems.

Powerbook

You are probably sick of hearing me talk about my powerbook, how old it is and how much I want to have a new one, especially a dual-core G4 one.

So I'll just say this once (more): I want a new powerbook.

The "new" ones, although with a nice new display and some bells and whistles, are not enough for me to buy one. So I'm holding out for a first generation x86 powerbook, and that means waiting at least 3 to 4 months after they are announced sometime next year.

I'm stuck with this one for quite some time more. So I did some upgrades. The memory was already fully loaded, with 1Gb RAM. I bought an 80Gb 5200rpm disk and swapped out the old 40Gb 4200rpm one. I had to. The old one was failing to boot sometimes.

It's much faster, and I can use the free space, but it makes more noise. I've still got 39Gb free.

I did a fresh install, and took the opportunity to move to Tiger. Yes, boys and girls, I finally switched to 10.4.3. So far so good. There are some bugs, but none of them are show stoppers.

So for now, I'm done. This powerbook will last a couple of months more, until I can get my hands on a new x86 powerbook.

One thing I know: I'll buy the 17" model next time.

I was in London recently and took the opportunity to visit the Regent St Apple Store to see the new powerbooks' displays. I wanted to see if the 15" was too small for my eyes.

It wasn't, but the extra space available in the 17" is awesome, so that's my path next year.

Tip: change some key combinations in Mac OS X

There are some key combinations that drive me nuts in Mac OS X.

For example, Cmd-Q and Cmd-W. The first quits the application and the second one closes the window. They are too freaking close to each other, and it's very easy to trigger the wrong one. After quitting Safari with N tabs open, you either buy Saft and activate session history, or read below. Or both, as I did.

To solve this, just open System Preferences, and select Keyboard & Mouse preference pane. Then select the Keyboard shortcuts tab.

To remap the Quit Safari command, click the + button, choose Safari from the Application drop-down, type Quit Safari as the Menu Title, and then choose the new keyboard shortcut (I chose Cmd-Opt-Ctrl-Q, all three modifiers and Q). Click Add to finish.

After this, relaunch Safari. You should now have your new shortcut in place. No more premature quits.

By the way, the other two shortcuts I always change are Reply and Reply All in Mail.app. I switch those two, giving Cmd-R to Reply All and Shift-Cmd-R to Reply. I use Reply All much more than Reply.

Link dump

Not something that I usually do, but I wanted to clear some links from my Safari toolbar:

Ruby on Rails 1.0

Ruby on Rails hits 1.0. Congratulations to all in the core team.

Since discovering Catalyst, I've left Ruby on Rails behind me, but it was RoR that got me hooked in Ruby, and for that I thank them. Ruby really is a lovely and clean language.

I can only hope that Perl6 cleans some of the "issues" with Perl5. And from what I can see from the presentations I've seen in the last year, it will :).

PSP rockz

I bought^H^H^H^H^H^Hreceived as a present a PSP last October, and to be brief, it's been great.

For quite some time now, I couldn't get myself in front of a TV, plug all the PS2 stuff, and play. Sitting there in front of that brain-sucking-device seemed a waste of time. And it's a pity, because although not a hard-core gamer, I like to play video games a lot.

The PSP changed all that. Given that I can be almost any place I want and just play it, I got myself playing a lot more than I usually did.

My initial game was Ridge Racer. Lots of fun but right now, I've ended all the World Tour races in the first three levels, and two of the last level Max. To complete the entire game, I need to finish the last 4 or 5 races in the last level.

But Ridge Racer is now my second choice. For the last two weeks, I've been playing GTA Liberty City Stories. I loved playing GTA on the PS2, and being able to play it whenever you feel like it is awesome.

In the meantime, the usual suspects have also bought a PSP, so we can trade games and tips. And if you speak Portuguese and want to participate, join us on our PSP mailing list.

To subscribe, send an empty email to psp-subscribe@lists.simplicidade.org. You'll get an email back to confirm your address and you're in.

So, if you want to give yourself a present this Christmas, I recommend a PSP. It just rocks.

Useful links:

Update: fixed the email address to subscribe to the PSP mailing list. Sorry about that. Kudos to Hugo Carvalho for the heads up.

Back

After a small break, I'm back. I had some problems with MT, a trip to the London Perl Workshop and some powerbook updates.

Also PSP stuff and perl mongers stories.

All of this and much more, right after the break.