Running as Root

Today's weird problem had to do with a browser cookie not keeping the value I gave it. The cookie's value is an encrypted string. I noticed in the debugger that what was written out was not what was read in later. The decryption failed because the encrypted value retrieved from the cookie just didn't make sense. Apparently cookies are sent as HTTP headers and can only use US-ASCII characters minus whatever other special characters don't work (you can wade through several RFCs if you like). In my case it was trailing "="s that were being eaten.

The easiest solution (besides just not using those characters) is to encode the values. Something like base64 or using the URL encode/decode utility classes in Java would easily do the trick.

The more interesting thing is that we use other cookies to store all kinds of strings, sometimes internationalized funky character containing strings. Those Unicode characters also don't get handled very well in cookie values so there is a general need to encode/decode them. Maybe it's just safest to always encode on the way out and decode on the way in.

Chalk up another one for things I probably should have known but didn't. Yay!

I heard on today's Buzz Out Loud that Vimeo will be banning gaming videos that aren't considered "creative expression." One of the reasons cited had to do with the fact that these videos are "significantly larger and longer than any other genre on Vimeo."

I don't really care one way or another. However, the idea of encouraging your users to behave in a way that you want them to behave is on my mind more and more these days. It sounds from the post as if the concern has to do with the "expense" of uploading / transcoding these videos with the implication that they aren't watched and therefore aren't valuable content. If you want to steer your users toward providing valuable content without needlessly draining your resources on crap, why not create and throttle an upload limit based on the views / ratings of their videos? It sounds easy to do and on the surface appears to reward quality participation.

Here's a quick note on migrating data from MS SQL Server to MySQL. I found out in a white paper entitled A Practical Guide to Migrating From Microsoft SQL Server to MySQL (free registration required) that the MySQL install (on Windows at least) includes a tool called the MySQL Migration Toolkit.

It has a simple wizard that steps you through all of the options and you're ready to migrate. You can even choose to migrate "live" or save the scripts to files. One minor annoyance is that you can't pick the name of the target database/schema. When migrating from a SQL Server database named "blahblah" with default schema of "dbo", the migration tool will create "blahblah_dbo" in MySQL. I thought I would just rename it only to find that support for RENAME DATABASE has been dropped.

Instead, I decided to just do a backup and restore said backup to a new schema. I then ran into a problem with one of our badly designed tables that has large (not huge) amounts of BLOB data. The restore died with an error saying "MySQL Server has gone away." I finally tracked down the issue which can be fixed with a small configuration change. Since I was testing this in MySQL for Windows, I just added max_allowed_packet=12M to the my.ini under the server directory and bounced the service. Everything worked nicely after that. Your size on that configuration option may vary, of course.

I've been listening to back episodes of the Agile Toolkit Podcast. One of the things that really caught my attention was the frequent mentioning of something called CodeGreen Labs. From elsewhere on the internet:

We are dedicated to creating a unique training experience that uses real projects with real deliverables. Labs work on projects that make a difference in the world, benefiting organizations that are working to improve the environment, human rights, social justice, health and economic development. By marrying the efforts of dedicated professionals learning Agile Development techniques with not for profit and research communities that need high quality software, we hope to be a small part of a positive change. Each training class will work on a specific software project for a specific cause.

It's volunteering to work on a real software project that is, hopefully, well run so that you can get real world experience. Sure, they get something out of it, but who cares about the other guy? I imagine they get mainly students. A few of the people in my work circles and I have been talking about something exactly like this. The head of my current company has mentioned to me numerous times that he's seeing disturbingly bad candidates coming to him fresh out of college CS programs. I can't comment as to the overall quality of CS programs around the country, but something like CodeGreen Labs seems like a brilliant idea on many levels. Unfortunately, I was a little disappointed at how unfriendly their home page was:

Yesterday at work I got a question from a co-worker about doing something under AIX. I don't really work with AIX, but I managed to answer the question. This is for another project that I don't work on. It got me to wondering if I could run AIX in a VM on PC hardware, probably using a PPC emulator. I'll save you the suspense and tell you that I couldn't find a way to do it. There are a couple of projects that are sort of trying to do it but they haven't done it successfully that I could find. Those would be PearPC and QEMU. I'm sure one of these projects will get it working someday, as soon as some really capable programmer wants it badly enough. I briefly thought about suggesting purchasing an RS6000 from eBay but decided it wasn't a project I needed to poke my nose into.

This is not a rant against AIX, although in a world gone mad with a billion distros of Linux, OpenSolaris, and PC hardware that is criminally cheap and available I don't feel the need to brush up on that incredibly rusty skill set. No, this is more about that fact that I don't think I would ever choose to work with any operating system and/or software product that I can't run in a VM on PC hardware–it's just too damn handy these days, especially when it comes to QA. That of course includes any non-hacked up version of MacOS, not that they'll miss my business. Also, sadly, I don't always get to pick what I want to work with. Still, it's definitely something to consider when picking your stack and deployment/hosting environment.

A few years back when I was looking for anti-virus software, I read a review that put Trend Micro's PC-cillin as the best available. I bought it and have used it on all of my ever dwindling number of Windows computers ever since. When I got computers for my parents, I put PC-cillin on them. I've always found it to be a good, non-intrusive, non-resource hungry Windows anti-virus product. My last purchase was a three license package that had a rebate that never came. Whatever.

However, their recent shenanigans have me insanely pissed off. I get a particularly spammy looking piece of e-mail on Monday with the subject of "Your Subscription will be renewed in 2 days." The email explains that my 1 year subscription is going to expire but that it'll auto-renew 7 days before expiration at a 10% discount. Yay! While the email does include my name it lacks any other identifying information. As I mouse over one of the links I see that it's pointed to dr.bluehornet.com. In fact, the email has no links pointing to any Trend Micro site. The email even came from trendmicro.cs@digitalriver.com. Surely this is spam so I ignore it.

On Wednesday I get an email saying I've been billed for the renewal. This time the email actually has more personal (and accurate) information, including a serial number. It's still from digitalriver.com but at least it has one link that points to the Trend Micro site. I begin to get very unhappy. Since when is billing my credit card for software an opt out situation? I follow the link (to digitalriver.com) to cancel the order to find that the order number isn't in that system yet. I cancel it using the email and am told that although they managed to bill me very quickly, it may take up to a week to cancel the order. I also use the original email to go to the same site to opt out of the auto-renewal program. Of course, I make sure that I don't have to provide any additional personal information on any of these sites since I'm still somewhat suspicious of things. We'll see if this manages to actually cancel the order. If not I'll take it up with the credit card company.

A wee bit of research shows that this is not a new situation. I'm still pretty pissed not only about the opt out notion of charging me for shit I didn't request but also by the fact that my information has been shared/sold/whatever to a third party. I'm pissed that an email sent on behalf of an anti-virus, anti-phishing, anti-bullshit software company is made to look so goddamn spammy that I don't want to acknowledge it.

Fuck Trend Micro. I won't buy their products any more. I won't recommend their products. I will, as much as I can, campaign against the use of their products. I'll use an inferior product from another company just out of spite. We are no longer happy customer and vendor. Fuck you, your questionable business practices, your sharing of my information, your opt out auto-renewal program, your inability to instantly cancel my unsolicited order, and your choice of partners. Did I mention fuck Trend Micro and PC-cillin? Eat shit, go fuck yourself, rot in hell. There's no fixing the situation, I will not be "talked down", I cannot be recovered as a customer. Good job, assholes.

I ran across a post in my RSS feeds today that referenced a paper on Bypassing Web Authentication and Authorization with HTTP Verb Tampering. What an awesome title. I'm immediately adding "verb tampering" to the list of things I randomly exclaim in meetings. The short version of the paper (that's represented pretty well by the other blog post) is:

• some developers secure URLs in their web application by URL and method (POST, GET, etc). Everything else is allowed (for some strange reason)
• some servers when they receive an invalid HTTP method or often HEAD will perform a GET and then just discard the body of the response. This is fine and is part of the RFC apparently, since the headers have to match between the two. I just wasn't aware of the fact
• there are still programmers that have non-idempotent GETs in their applications

The scenario is you find these applications / servers and do something like send a HEAD to the URL "deleteUser?userId=27" and then the server does it, despite the fact that you're not logged in.

I'm amazed that this is a problem, for multiple reasons. Who are these people that still don't understand that you don't use GET to do things like delete records from your system? I'd hate to see what one of those crazy internet spiders could do to these guys.

This is also a reason why I'm a big advocate of pushing your security checks as close to the data as you can comfortably stand. Certainly you should have protection at a service or DAO layer to prevent users with inadequate permissions (unauthenticated users fall into this category) from performing most operations in your system. This is also a good practice to ensure that different types of potential front ends don't accidentally grant access to the wrong users. The URL level of security is just icing and fluffery to make the application a little more user friendly.

Of course, that being said I work on an application that relies on mostly on URL level restrictions (I didn't do it and I'm working on changing it) and, if I remember correctly, so does my favorite Java web stack. I should point out that neither of these suffer from the problem described in the paper.

As I mentioned in another post, I'm giving Twitter a retry. I must say I'm enjoying it a lot more now that I'm not trying to treat it like other mediums of communication both in terms of what I follow and in how I use it to communicate. I'm definitely more willing to tweet things that don't warrant a blog post or an email.

A great example of this is when I was able to find out that a former co-worker had left their previous job. While that might be email or blog worthy, most people wouldn't bother putting that kind of information out there, but he tweeted it. As such, I didn't have to wait for that information to make it through the traditional grapevine. For once, I even knew about the news before some of the other people I know.

While I'm using it to keep in more constant contact with friends and former co-workers, some people are using it for a lot more. This post as a few recommendations for using Twitter that I found interesting. I'm not sold on a few of them, such as event updates. I realize that quite a few events are using Twitter to update attendees on things. This just seems like an alternative to email lists and RSS feeds. Does Twitter have better penetration than email or RSS? Is it just that I have more noise in my RSS reader? Won't Twitter suffer from that eventually? I don't know. It just seems like using an alternative form of communication just for the novelty of it.

Another use I've seen is people soliciting feedback or getting votes on an issue via Twitter. I think that's a great use, but I don't think I'll ever have enough followers to do it effectively. There's a big difference between asking your 1-10k followers for feedback and asking 20 people. Maybe I'm wrong. Maybe I should tweet the question (and get feedback from 1 or 2 people).

The idea of using Twitter to create and track ToDo lists intrigues me, but again, I just can't get my mind around the advantages. While Remember the Milk seems interesting I haven't gotten off my ass long enough to try it. I hear good things though.

Foamee is another one that I like. You can let someone know that you owe them a drink for something. I haven't used it yet. Maybe I'm too stingy with my kudos. Maybe I'm just an asshole. Who could say? Is my reluctance to use these and many, many other services that integrate with Twitter another example of me being too set in my ways to "get it"? Maybe in another few months I'll be writing posts about how I've come around to using them.

I switched jobs recently and although the current company used to do daily stand up status meetings ala Scrum/XP/Agile/Wagilefall, they had stopped at some point. As near as I can tell, they stopped because they couldn't keep the meetings short and on track. I expressed to my manager(s) that I thought it'd be great to start doing them again and lo and behold we had one on Monday.

Of course, the first issue that came up was the notion of the correct time. Inevitably when you try to start a meeting "on time" you get bogged down with the fact that no one thinks they're late because their clock says they're not. In the past I've used web based atomic clocks, but I'm now convinced that anyone planning to start meetings on time has to invest in a digital clock that synchronizes with the official time. I further suspect that anyone thinking that the people they work with are too mature to have this "argument" is probably wrong. We also haven't settled on the "punishment" for being late. I'm a big fan of cash fines though.

I'm enamored with the idea of Google Android. I briefly looked at the development kit and was very impressed by it. And then I did nothing with it. Part of the problem is that there is no Android capable phone at the moment. That takes some of the sex appeal out of developing for it. More than that is the fact that I don't have any ideas for applications that I'm all that passionate about.

This weekend I heard that Google acquired Grand Central. They're a company I've never heard of but they've got an impressive list of features. Grand Central is a "web-based voice communications platform". It'll let you do all sorts of cool things with your phones via a single number.

This got me to thinking about cool things you could do with Grand Central and Android. Where I work, we use a product called Contactual to route calls for our support number to any other phone number. You can also use their web interface to place an outgoing call and have the resulting call sent to your phone. This is in place so support technicians don't inadvertently give their personal phone number to a customer via caller ID. Once a customer gets a personal number they think that they have a buddy in technical support that can't help them out whenever they run into a snag, rather than going through the proper channels.

What would be interesting would be to see an Android/Grand Central application that would make a similar scenario as easy as dialing an ordinary number. Perhaps allowing you to select any of your phone numbers from a drop down when making the call.

Many of the other features listed on Grand Central's page also look like they'd be an excellent fit with an Android phone.

• Call Record – Use the phone to signal to the server that you want to record your current call
• Block Callers – Why not use Android to let you mark an incoming call's number (or current call) as a blocked number?
• Call Switch – Use your phone to transfer your current call to any of your other numbers.

All of these things are possible with Grand Central and become that much cooler if you can use your phone to do them more directly. It seems like a great tie in for an upcoming product and a recent acquisition all in the same related problem space. Of course, I'm far too lazy and stupid to code any of it, but it still sounds cool.