Karel Kubat's Blogaria

Who is leeching my Facebook

Wed, 24 Apr 13 21:36:47 +0200

Priceless.

Some time ago I linked a funny message on my Facebook status; concerning a totally useless banana slicer, with the (funny?) remark: Be sure to read the customer reviews, priceless. The first review is right off the start one of the best:

"For decades I have been trying to come up with an ideal way to slice a banana. "Use a knife!" they say. Well...my parole officer won't allow me to be around knives. "Shoot it with a gun!" Background check...HELLO! I had to resort to carefully attempt to slice those bananas with my bare hands. 99.9% of the time, I would get so frustrated that I just ended up squishing the fruit in my hands and throwing it against the wall in anger. Then, after a fit of banana-induced rage, my parole officer introduced me to this kitchen marvel and my life was changed. No longer consumed by seething anger and animosity towards thick-skinned yellow fruit, I was able to concentrate on my love of theatre and am writing a musical play about two lovers from rival gangs that just try to make it in the world. I think I'll call it South Side Story."

Guess what? I received an e-mail...

The list of slicers goes on an on... Has someone been leeching my Facebook posts? Marketing gone haywire? LOL!

Time for a compact Coolpix

Wed, 24 Apr 13 21:36:47 +0200

I just recently got a Nikon Coolpix A compact camera. I have an older Nikon D100 that I really love for the lenses and possibilities, but at times it's just too big to lug around. So, enter the litte compact. Here is my (p)review of it after having played around with it for a few days. Questions/remarks? Feel free to mail me at karel@kubat.nl.

The camera is pretty light and compact, so it does what it should for me.
It has a fixed focus lens, 18.5mm (which compares to 28mm analog) at f=2.8.
The lens operates on autofocus or on manual.
There is no optical viewfinder, just a (pretty large) display on the back.
The controls are comfortingly Nikon-like, with the standard on/off switch and shutter button, presets for automatic or manual modes, ISO selection, what you have.
It features a pretty hefty sensor, especially for a compact camera - the same sensor that's built into the D7000 DSLR that operates at 16 megapixels.

As for first impressions, it's really a compact camera, but it offers a ton of features for fiddling and tuning. One can tell that the purpose of this camera is to provide a small compact for seasoned amateurs. There are two programmable buttons and two programmable exposure modes to suit your needs. One of these programmable buttons is at the front of the camera, and I followed a tip to set it to fixing focus. Works great: you move the camera to focus on what you want, hit the front button, and then move the view finder to fix up the photo composition. Another semi-pro thing is that you can set the file format to RAW and not worry about loads of camera settings - you can do your adjustments later.

For me the boon is that the resolution is great, the quality of the optics is very good given that the lens is a fixed-focus, and the light sensitivity is really OK; 2.8 works for me when you can crank up the ISO value.

Some disadvantages? Of course nothing's perfect. But to be honest, I didn't find any important ones yet. Still, a few remarks. When you set the file format to RAW then you need Nikon's ViewNX2 software to convert the pictures to other formats. On the other hand, if you don't like that, you can always set the file format to lossless JPEG on the camera itself. Another thing is that walking around with only an 18.5mm lens "feels naked" - but that's actually the purpose of it all, to stop lugging around lenses..

Time for a few test shots! Below each picture below is a link "original" that loads a large-format JPEG file.

Here's a shot in a café. It was really pretty dark; I wanted to test the autofocus under bad conditions and colors when on 'auto'. Hence there's no post-processing involved on the computer. It was shot at ISO 2500, f=2.8, 1/30sec. The second picture is a cutout of the bar and the bottles to show how far you can "zoom in" during postprocessing before pixelating the picture.

Original

The following shows how wide-angle the 18.5mm lens is. The top pictures are unaltered; the bottom ones are post-processed for some (mild) perspective correction. (I should've left more space around the objects to allow for recropping... good lesson.)


Original	Original


Original	Original

Finally a contrast test. Here's a see-through with shadows and bright (sunny) daylight. The image was shot at ISO 100. The right picture is post-processed, of course. I could have made the shadows way lighter than here, but that's a matter of taste - I think it would look unnatural.


Original	Original

Selling my Peavey amp

Mon, 15 Apr 13 12:02:50 +0200

I'm getting rid of my Peavey Series 400 "Musician" amp. It's basically a bass amp but if needed you can put other instruments on it too. A guitar will go well, and even vocals.

It consists of two speaker units that you can stack into a tower or use one as monitor, one as PA. Then there's the amp part itself. It's a hefty thing and takes up some space, but hey, there's a bonus. This was actually my first amp that made the drummer cringe and ask me to turn down the volume ;-) Output is some 400W.

I'm asking 150 euro's if you come pick it up, or 175 if you want me to bring it within a reasonable distance. Interested? Drop me a note on karel@kubat.nl.

Here are some pics.

encfs Helper Revisited

Mon, 01 Apr 13 15:21:15 +0200

I wrote previously about encfs. Since I started using it, I became a big fan - I use it for all project-related work. For me, it has the advantage of having project-related stuff in a project-related uniquely encrypted directory. In contrast, most OS-level encryptions, such as File Fault, will encrypt your entire home directory, but won't let you differentiate within that directory. So encfs gives me more flexibility.

Recently, I updated the helper script to use "public" mounting (when root mounts an encrypted filesystem) and to locate the true "encfs" binary, instead of expecting it in /opt/local/bin.

Here's the result. Use it if you like. The instructions are -as before-, copy/paste it to a file /usr/local/bin/encfs or into any other directory in your execution path. Just make sure that it's invoked before the true "encfs" executable that you have lying somewhere.

Feedback als always welcome...

#!/usr/bin/env perl

use strict;
use Cwd 'abs_path';

# [KK 2010-02-16] 1.00, first version
# [KK 2013-03-28] 1.01 --public mounting added. Locating true encfs added.
#			Directory argument may start with a dot.
# [KK 2013-04-01] 1.02 Small bugfix
my $VER = '1.02';

# Find the true encfs.
my $encfs = undef;
my $this_ino = (stat($0))[1]
  or die("encfs: can't even stat myself: $!\n");
for my $p (split(/:/, $ENV{PATH})) {
    my $that_ino = (stat("$p/encfs"))[1];
    if ($that_ino != $this_ino and -x "$p/encfs") {
        $encfs = "$p/encfs";
        last;
    }
}
die("encfs: didn't find a true encfs executable\n")
  unless ($encfs);

if ($#ARGV == -1) {
    print STDERR <<"ENDUSAGE";

This is encfs helper $VER
Copyright (c) Karel Kubat <karel\@kubat.nl>. All rights reserved, GPLV3 applies.

Use as follows:
- Create two directories in the same path, DIR and .DIR (one with a leading
  dot)
- Use "encfs DIR" or "encfs .DIR" to mount DIR,
  encrypted files will go into .DIR, viewable files will be in DIR
- use "umount DIR" to unmount
- If you do this as root, then DIR will be accessible for all users on the
  system, otherwise DIR will be private to one user

The original encfs usage information follows:

ENDUSAGE
    system($encfs);

    exit(1);
}

# If the argument by chance is a directory starting with a dot, then
# remove it - we depend on the non-dot dir present.
if (-d $ARGV[0] and $ARGV[0] =~ /^\..*/) {
    $ARGV[0] =~ s{^\.}{};
}

# Smuggle in the dot-directory of encrypted files if not given.
if (-d $ARGV[0] and $#ARGV == 0) {
    my @parts = split('/', $ARGV[0]);
    $parts[$#parts] = '.' . $parts[$#parts];
    unshift(@ARGV, join('/', @parts));
}

# Convert all args to absolute paths.
my @args = ( $encfs );
if ($ENV{LOGNAME} eq 'root') {
    print("Mounting in public mode (we're root).\n");
    push(@args,'--public');
} else {
    print("Mounting in private mode (non-root user).\n");
}

for my $a (@ARGV) {
    if (-f $a) {
        push(@args, abs_path($a));
    } elsif (-d $a) {
        push(@args, abs_path($a) . '/');
    } else {
        push(@args, $a);
    }
}

# Exec true encfs
print ("Running: @args\n");
exec( {$encfs} @args );
die("Failed to exec $encfs: $!\n");

c conf 1.17

Fri, 15 Mar 13 11:26:59 +0100

I just upped c-conf to version 1.17; the libs for Ubuntu x86/64 are now correctly found. Also my pet network balancer Crossroads went to version 2.80.

Flitsers op de Nederlandse wegen

Mon, 25 Feb 13 17:03:08 +0100

[Dutch] Voor gebruikers van mobieltjes: op http://www.kubat.nl/st vind je een handig lijstje, kort en beknopt, voor als je de auto instapt ;-)

OTG Revisited

Mon, 14 Jan 13 17:24:53 +0100

I received a great report about parallel OTG cracking on a multinode supercomputer. The information is also in the OTG page.

For your convenience, here is a direct link to the PDF report. Licensing information is contained within; basically, you can reproduce or redistribute the work, as long as you credit the authors and don't use it commercially. Enjoy!

Kalk revisited

Fri, 11 Jan 13 09:52:33 +0100

The downloadable archive Kalk is slightly modified. The used library "getline" os now onboard in the archive, so that Kalk should build on all systems (that have g++ installed).

God is coming

Wed, 12 Dec 12 14:15:39 +0100

A few days ago I was derping around on the Cheezburger network when I saw the following picture:

This reminded me of something.. a picture of my own, and yes! After digging around a bit, here's a photo I shot in July 2008 in Scotland:

What are the odds?! This is really the same wall, just look closely at the background. Also the "Cancelled" sticker is on exactly the same spot. At least two people had the same idea of "funny"... I remember that this was very close to a Japanese restaurant where we had dinner. As I enjoyed my soup with noodles I contemplated why God would be coming on CD, vinyl and download, but not iTunes or Spotify.

Strangely disturbing

Thu, 29 Nov 12 12:26:30 +0100

How to sneeze on a motorbike

Tue, 27 Nov 12 16:37:23 +0100

I found that heavy sneezing while riding a motorbike can pose a significant problem. Sneezing with the visor down immediately reduces visibility due to sticky droplets on the inside of the formerly transparent perspex, while opening the visor and then sneezing isn't an option either when traveling at high speed or when it's cold outside. I think that I have now solved the problem using the below illustrated process. I plan to print this diagram, laminate it, and mount it above my handle bars for easy reference.

Feedback as always welcome at karel@kubat.nl.

Een aanslag uit de toekomst

Fri, 23 Nov 12 04:54:06 +0100

[Dutch] Ik heb wel eens van het antedateren van een brief gehoord. Maar postdateren? De Nederlandse Belastingdienst kan het. Ik kreeg een voorlopige aanslag teruggave voor volgend jaar (2013), door de accountant ontvangen op 21 november 2012 (zie stempel), met dagtekening.. jawel... 15 januari 2013. Is toch raar als je zo iets leest.

(Grijze veegsels zijn door mij aangebracht. De rest is ongewijzigd.)

More voluntary layoffs

Thu, 22 Nov 12 06:20:53 +0100

A few months ago I wrote about a voluntary layoff program at Societé Generale going haywire. They're not the only ones. Sharp has made the same mistake; they offered a nice early retirement package to its employees - but too many want it. I guess Sharp's workplace isn't that enticing. More at slashdot.

Browser fingerprint

Wed, 17 Oct 12 16:21:39 +0200

Just playing around. Your browser fingerprint is:

It originates from the following raw input (HTML-escaped and broken up into separate lines for readability):

For more info, visit

Ars Technica's article on browser profiling;
panopticlick.eff.org
.. and countless others.

If you want to play around with this yourself: here's the Javascript code that gets you a browser fingerprint. Google jquery browser fingerprinting to see Carlo Zottmann's original source for this. Other credits go to Joseph Meyr for the Javascript md5 implementation. In order to use this, call fingerprint_md5() to get the fingerprint, or call fingerprint_raw() to get the full data string from which the md5 hash is constructed.

(function() {
    function md5cycle(x, k) {
        var a = x[0], b = x[1], c = x[2], d = x[3];

        a = ff(a, b, c, d, k[0], 7, -680876936);
        d = ff(d, a, b, c, k[1], 12, -389564586);
        c = ff(c, d, a, b, k[2], 17, 606105819);
        b = ff(b, c, d, a, k[3], 22, -1044525330);
        a = ff(a, b, c, d, k[4], 7, -176418897);
        d = ff(d, a, b, c, k[5], 12, 1200080426);
        c = ff(c, d, a, b, k[6], 17, -1473231341);
        b = ff(b, c, d, a, k[7], 22, -45705983);
        a = ff(a, b, c, d, k[8], 7, 1770035416);
        d = ff(d, a, b, c, k[9], 12, -1958414417);
        c = ff(c, d, a, b, k[10], 17, -42063);
        b = ff(b, c, d, a, k[11], 22, -1990404162);
        a = ff(a, b, c, d, k[12], 7, 1804603682);
        d = ff(d, a, b, c, k[13], 12, -40341101);
        c = ff(c, d, a, b, k[14], 17, -1502002290);
        b = ff(b, c, d, a, k[15], 22, 1236535329);

        a = gg(a, b, c, d, k[1], 5, -165796510);
        d = gg(d, a, b, c, k[6], 9, -1069501632);
        c = gg(c, d, a, b, k[11], 14, 643717713);
        b = gg(b, c, d, a, k[0], 20, -373897302);
        a = gg(a, b, c, d, k[5], 5, -701558691);
        d = gg(d, a, b, c, k[10], 9, 38016083);
        c = gg(c, d, a, b, k[15], 14, -660478335);
        b = gg(b, c, d, a, k[4], 20, -405537848);
        a = gg(a, b, c, d, k[9], 5, 568446438);
        d = gg(d, a, b, c, k[14], 9, -1019803690);
        c = gg(c, d, a, b, k[3], 14, -187363961);
        b = gg(b, c, d, a, k[8], 20, 1163531501);
        a = gg(a, b, c, d, k[13], 5, -1444681467);
        d = gg(d, a, b, c, k[2], 9, -51403784);
        c = gg(c, d, a, b, k[7], 14, 1735328473);
        b = gg(b, c, d, a, k[12], 20, -1926607734);

        a = hh(a, b, c, d, k[5], 4, -378558);
        d = hh(d, a, b, c, k[8], 11, -2022574463);
        c = hh(c, d, a, b, k[11], 16, 1839030562);
        b = hh(b, c, d, a, k[14], 23, -35309556);
        a = hh(a, b, c, d, k[1], 4, -1530992060);
        d = hh(d, a, b, c, k[4], 11, 1272893353);
        c = hh(c, d, a, b, k[7], 16, -155497632);
        b = hh(b, c, d, a, k[10], 23, -1094730640);
        a = hh(a, b, c, d, k[13], 4, 681279174);
        d = hh(d, a, b, c, k[0], 11, -358537222);
        c = hh(c, d, a, b, k[3], 16, -722521979);
        b = hh(b, c, d, a, k[6], 23, 76029189);
        a = hh(a, b, c, d, k[9], 4, -640364487);
        d = hh(d, a, b, c, k[12], 11, -421815835);
        c = hh(c, d, a, b, k[15], 16, 530742520);
        b = hh(b, c, d, a, k[2], 23, -995338651);

        a = ii(a, b, c, d, k[0], 6, -198630844);
        d = ii(d, a, b, c, k[7], 10, 1126891415);
        c = ii(c, d, a, b, k[14], 15, -1416354905);
        b = ii(b, c, d, a, k[5], 21, -57434055);
        a = ii(a, b, c, d, k[12], 6, 1700485571);
        d = ii(d, a, b, c, k[3], 10, -1894986606);
        c = ii(c, d, a, b, k[10], 15, -1051523);
        b = ii(b, c, d, a, k[1], 21, -2054922799);
        a = ii(a, b, c, d, k[8], 6, 1873313359);
        d = ii(d, a, b, c, k[15], 10, -30611744);
        c = ii(c, d, a, b, k[6], 15, -1560198380);
        b = ii(b, c, d, a, k[13], 21, 1309151649);
        a = ii(a, b, c, d, k[4], 6, -145523070);
        d = ii(d, a, b, c, k[11], 10, -1120210379);
        c = ii(c, d, a, b, k[2], 15, 718787259);
        b = ii(b, c, d, a, k[9], 21, -343485551);

        x[0] = add32(a, x[0]);
        x[1] = add32(b, x[1]);
        x[2] = add32(c, x[2]);
        x[3] = add32(d, x[3]);
    }

    function cmn(q, a, b, x, s, t) {
        a = add32(add32(a, q), add32(x, t));
        return add32((a << s) | (a >>> (32 - s)), b);
    }

    function ff(a, b, c, d, x, s, t) {
        return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }

    function gg(a, b, c, d, x, s, t) {
        return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }

    function hh(a, b, c, d, x, s, t) {
        return cmn(b ^ c ^ d, a, b, x, s, t);
    }

    function ii(a, b, c, d, x, s, t) {
        return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }

    function md51(s) {
        // Converts the string to UTF-8 "bytes" when necessary
        if (/[\x80-\xFF]/.test(s)) {
            s = unescape(encodeURI(s));
        }
        txt = '';
        var n = s.length, state = [1732584193, -271733879,
                                   -1732584194, 271733878], i;
        for (i = 64; i <= s.length; i += 64) {
            md5cycle(state, md5blk(s.substring(i - 64, i)));
        }
        s = s.substring(i - 64);
        var tail = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
        for (i = 0; i < s.length; i++)
            tail[i >> 2] |= s.charCodeAt(i) << ((i % 4) << 3);
        tail[i >> 2] |= 0x80 << ((i % 4) << 3);
        if (i > 55) {
            md5cycle(state, tail);
            for (i = 0; i < 16; i++) tail[i] = 0;
        }
        tail[14] = n * 8;
        md5cycle(state, tail);
        return state;
    }

    function md5blk(s) {         /* I figured global was faster.   */
        var md5blks = [], i;     /* Andy King said do it this way. */
        for (i = 0; i < 64; i += 4) {
            md5blks[i >> 2] = s.charCodeAt(i) +
                (s.charCodeAt(i + 1) << 8) +
                (s.charCodeAt(i + 2) << 16) +
                (s.charCodeAt(i + 3) << 24);
        }
        return md5blks;
    }

    var hex_chr = '0123456789abcdef'.split('');

    function rhex(n) {
        var s = '', j = 0;
        for (; j < 4; j++)
            s += hex_chr[(n >> (j * 8 + 4)) & 0x0F] +
            hex_chr[(n >> (j * 8)) & 0x0F];
        return s;
    }

    function hex(x) {
        for (var i = 0; i < x.length; i++)
            x[i] = rhex(x[i]);
        return x.join('');
    }

    md5 = function (s) {
        return hex(md51(s));
    }

    /* this function is much faster, so if possible we use it.
     * Some IEs are the only ones I know of that need the idiotic
     * second function, generated by an if clause.  */
    function add32(a, b) {
        return (a + b) & 0xFFFFFFFF;
    }

    if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
        function add32(x, y) {
            var lsw = (x & 0xFFFF) + (y & 0xFFFF),
            msw = (x >> 16) + (y >> 16) + (lsw >> 16);
            return (msw << 16) | (lsw & 0xFFFF);
        }
    }
})();

function fingerprint_raw() {
    return [
        navigator.userAgent,
        [ screen.height, screen.width, screen.colorDepth ].join("x"),
        ( new Date() ).getTimezoneOffset(),
        !!window.sessionStorage,
        !!window.localStorage,
        $.map( navigator.plugins, function(p) {
            return [
                p.name,
                p.description,
                $.map( p, function(mt) {
                    return [ mt.type, mt.suffixes ].join("~");
                }).join(",")
            ].join("::");
        }).join(";")
    ].join("###");
}

function fingerprint_md5() {
    return md5(fingerprint_raw());
}

Site layout revamped

Mon, 15 Oct 12 15:31:34 +0200

Yup, I somewhat revamped the site layout. That's the nice thing about sites that have organically evolved over the years (euphemism for homegrown stuff without a content management framework): you can fiddle endlessly with them.

Anyway, I like it more than the previous style, which looked like the snapshot below.

Crossroads performing well

Sun, 14 Oct 12 13:07:00 +0200

What a nice message in my mailbox this morning.

Hi Karel,

Thought you might be interested in this, we are using XR to serve HTTP and HTTPS to our web farm (two XR instances) and this is the FD use count we are seeing ... sustained peak load of around 800 open sockets for several hours per day, and this would then be multiplied by two - one for each XR instance.

We had to up fs.file-max and net.ipv4.ip_local_port_range in sysctl - and increase ulimit. Other than that system configuration, it's performing brilliantly right out of the box.

Don't know if this is a 'large' load, but it's large to us.

Thanks for letting me know, Malcolm V.!

The saddle seat

Wed, 10 Oct 12 11:34:27 +0200

Here's my new office chair. Very comfy and very ergonomic; I don't get a back pain when sitting for a few hours. The biggest bonus of course is that I get to play Cowboy in the office.

Sudo Exploit

Sun, 30 Sep 12 01:56:53 +0200

Oldie but goldie. BTW this is for a really old sudo version. Don't expect it to do you any good.

Technomona is live

Sun, 30 Sep 12 01:55:23 +0200

[Dutch] De site www.technomona.nl is live. Voor al uw vragen; Mona beantwoordt ze graag.

A Perl to HTML Prettyprinter

Thu, 20 Sep 12 09:36:27 +0200

I recently needed a little tool to convert a Perl source to pretty-printed HTML; meaning colorized and entity-escaped. There are some tools out there, but *almost* what I need.. so, here's what I cooked up.

It's called src2html. It can provide line numbering on the output, surround the generated listing with

and

, or surround the generated listing with a full HTML scaffold (for easy viewing). It expands tabs so that the visual layout of e.g. indented comments is preserved. It will quite nicely recognize Perl syntax and follow it, though I didn't implement "here-documents" and POD-surrounded blocks.

Here's the script src2html, for download. Instructions:

Click here to download;
Save the file somewhere on your system, e.g. in /usr/local/bin;
Make the file executable using chmod +x /usr/local/bin/src2html;
Use it as e.g.: src2html myfile.pl > output.html;
If you want to see "usage" information, just enter src2html for an overview of options;
If you want to customize the layout of Perl parts - e.g., if you want to make strings stand out by typesetting them as boldface - then edit the script and change the pre- and post instructions in %tokens at the top of the file.

Here's the listing, of course formatted by itself.

    1  #!/usr/bin/env perl
    2  use strict;
    3  use warnings;
    4  use Getopt::Std;
    5  
    6  # Lexical analyzer returns and their colorings.
    7  # IDENTs are identifiers, such as a12_xyzzy;
    8  # KEYWORDs are Perl keywords such as sub and return,
    9  # OTHERs is a catch-all for operators etc,
   10  # LINENO is a pseudo-token for coloring line numbers (flag -l)
   11  # The pre and post values will surround the tokens.
   12  my %tokens = ( 'NEWLINE' => undef,
   13                 'STRING'  => { pre  =>   '',
   14                                post => '' }, 
   15                 'COMMENT' => { pre  => '',
   16                                post => '' },
   17                 'SPACE'   => undef,
   18                 'IDENT'   => { pre  => '',
   19                                post => '' },
   20                 'KEYWORD' => { pre  => '',
   21                                post => '' },
   22                 'OTHER'   => undef,
   23                 'LINENO'  => { pre  => '',
   24                                post => '' }
   25               );
   26  
   27  # Parse cmd line flags and provide info.
   28  my %opts;
   29  (getopts('phvl', \%opts) and $#ARGV >= 0)
   30    or die <<"ENDUSAGE";
   31  
   32  Usage: src2html [-phvl] file(s)
   33  Flags:
   34    -p    surrounds output with <pre> and pre>
   35    -h    writes HTML scaffolding too (implies -p)
   36    -v    verbose mode, shows lexical keywords on stderr (for debugging)
   37    -l    prefixes output with line numbers
   38  File(s):
   39    Files to process, use - to read from stdin
   40  
   41  The input in file(s) is taken as source and colorprinted to stdout in HTML
   42  syntax.
   43  
   44  ENDUSAGE
   45  
   46  # Perl keywords, taken from http://learn.perl.org/docs/keywords.html
   47  use constant KEYWORDS =>
   48    qw(-A END length setpgrp 
   49       -B endgrent link setpriority 
   50       -b endhostent listen setprotoent 
   51       -C endnetent local setpwent 
   52       -c endprotoent localtime setservent 
   53       -d endpwent log setsockopt 
   54       -e endservent lstat shift 
   55       -f eof map shmctl 
   56       -g eval mkdir shmget 
   57       -k exec msgctl shmread 
   58       -l exists msgget shmwrite 
   59       -M exit msgrcv shutdown 
   60       -O fcntl msgsnd sin 
   61       -o fileno my sleep 
   62       -p flock next socket 
   63       -r fork not socketpair 
   64       -R format oct sort 
   65       -S formline open splice 
   66       -s getc opendir split 
   67       -T getgrent ord sprintf 
   68       -t getgrgid our sqrt 
   69       -u getgrnam pack srand 
   70       -w gethostbyaddr pipe stat 
   71       -W gethostbyname pop state 
   72       -X gethostent pos study 
   73       -x getlogin print substr 
   74       -z getnetbyaddr printf symlink 
   75       abs getnetbyname prototype syscall 
   76       accept getnetent push sysopen 
   77       alarm getpeername quotemeta sysread 
   78       atan2 getpgrp rand sysseek 
   79       AUTOLOAD getppid read system 
   80       BEGIN getpriority readdir syswrite 
   81       bind getprotobyname readline tell 
   82       binmode getprotobynumber readlink telldir 
   83       bless getprotoent readpipe tie 
   84       break getpwent recv tied 
   85       caller getpwnam redo time 
   86       chdir getpwuid ref times 
   87       CHECK getservbyname rename truncate 
   88       chmod getservbyport require uc 
   89       chomp getservent reset ucfirst 
   90       chop getsockname return umask 
   91       chown getsockopt reverse undef 
   92       chr glob rewinddir UNITCHECK 
   93       chroot gmtime rindex unlink 
   94       close goto rmdir unpack 
   95       closedir grep say unshift 
   96       connect hex scalar untie 
   97       cos index seek use 
   98       crypt INIT seekdir utime 
   99       dbmclose int select values 
  100       dbmopen ioctl semctl vec 
  101       defined join semget wait 
  102       delete keys semop waitpid 
  103       DESTROY kill send wantarray 
  104       die last setgrent warn 
  105       dump lc sethostent write 
  106       each lcfirst setnetent  
  107  
  108       __DATA__ else lock qw 
  109       __END__ elsif lt qx 
  110       __FILE__ eq m s 
  111       __LINE__ exp ne sub 
  112       __PACKAGE__ for no tr 
  113       and foreach or unless 
  114       cmp ge package until 
  115       continue gt q while 
  116       CORE if qq xor 
  117       do le qr y
  118       
  119       ARGV STDERR STDOUT 
  120       ARGVOUT STDIN  
  121     );
  122  
  123  # Reverse map of the keywords
  124  my %keywordmap;
  125  for my $key (KEYWORDS) {
  126      $keywordmap{$key} = 1;
  127  }
  128  
  129  # Parse all files and send to stdout.
  130  $opts{p}++ if ($opts{h});
  131  print("\n") if ($opts{h});
  132  print("") if ($opts{p});
  133  for my $f (@ARGV) {
  134      open(my $if, $f) or die("Cannot read $f: $!\n");
  135      process($if);                      
  136  }
  137  print("
") if ($opts{p});
  138  print("") if ($opts{h});
  139  
  140  # Process a file
  141  sub process {
  142      my $if = shift;
  143      my $at_linestart = 1;
  144      my $lineno = 1;
  145  
  146      while (1) {
  147          my ($token, $semantic) = lex($if);
  148          last unless (defined $token and defined $semantic);
  149          my $pre = '';
  150          my $post = '';
  151          if (defined ($tokens{$token})) {
  152              $pre  = $tokens{$token}->{pre};
  153              $post = $tokens{$token}->{post};
  154          }
  155  
  156          if ($opts{v}) {
  157              print STDERR ("Token: $token");
  158              print STDERR (", semantic: $semantic") if ($token ne 'NEWLINE');
  159              print STDERR (", layout: $pre TEXT $post")
  160                if ($pre ne '' or $post ne '');
  161              print STDERR ("\n");
  162          }
  163  
  164          if ($opts{l} and $at_linestart) {
  165              my $lpre  = '';
  166              my $lpost = '';
  167              if (defined($tokens{LINENO})) {
  168                  $lpre  = $tokens{LINENO}->{pre};
  169                  $lpost = $tokens{LINENO}->{post};
  170              }
  171              printf('%s%5d%s  ', $lpre, $lineno++, $lpost);
  172              $at_linestart = undef;
  173          }
  174  
  175          print($pre);
  176          for my $ch (split('', $semantic)) {
  177              if ($ch eq '<') {
  178                  print("<");
  179              } elsif ($ch eq '>') {
  180                  print(">");
  181              } elsif ($ch eq '&') {
  182                  print("&");
  183              } else {
  184                  print($ch);
  185              }
  186          }
  187          print($post);
  188          
  189          $at_linestart = 1 if ($token eq 'NEWLINE');
  190      }
  191  }
  192  
  193  my $col = 0;            # Column in input, updated by getchar() below
  194  
  195  # Lexical analyzer
  196  sub lex {
  197      my $if  = shift;
  198      my $sem = undef;
  199      my $ch;
  200  
  201      while (1) {
  202          $ch = getchar($if);
  203  
  204          # EOF
  205          return (undef, undef) unless (defined($ch));
  206          
  207          # NEWLINE return
  208          return ('NEWLINE', "\n") if ($ch eq "\n");
  209  
  210          # Start the semantic buffer.
  211          $sem .= $ch;    
  212  
  213          # STRING return
  214          if ($ch eq '"' or $ch eq "\'") {
  215              my $startchar = $ch;
  216              do {
  217                  $ch = getchar($if);
  218                  $sem .= $ch;
  219                  if ($ch eq "\\") {
  220                      $ch = getchar($if);
  221                      $sem .= $ch;
  222                  }
  223              } while ($ch ne $startchar);
  224              return ('STRING', $sem);
  225          }
  226  
  227          # COMMENT return
  228          if ($ch eq '#') {
  229              while (1) {
  230                  my $peek = peekchar($if);
  231                  if ($peek ne "\n") {
  232                      $sem .= getchar($if);
  233                  } else {
  234                      last;
  235                  }
  236              }
  237              return ('COMMENT', $sem);
  238          }
  239  
  240          # SPACE return - plain whitespace
  241          if ($ch eq ' ') {
  242              while (1) {
  243                  my $peek = peekchar($if);
  244                  if ($peek eq ' ') {
  245                      $sem .= getchar($if);
  246                  } else {
  247                      last;
  248                  }
  249              }
  250              return ('SPACE', $sem);
  251          }
  252  
  253          # SPACE return - detabbed \t
  254          if ($ch eq "\t") {
  255              $sem = '';
  256              # ++$col unless ($col % 8);
  257              while ($col % 8) {
  258                  $sem .= ' ';
  259                  ++$col;
  260              }
  261              $sem .= ' ';
  262              return ('SPACE', $sem);
  263          }
  264  
  265          # IDENT return
  266          if ($ch =~ /[_a-z\%\$\&\@]/i) {
  267              while (1) {
  268                  my $peek = peekchar($if);
  269                  if ($peek =~ /[_a-z0-9\%\$\&\@]/i) {
  270                      $sem .= getchar($if);
  271                  } else {
  272                      last;
  273                  }
  274              }
  275              # Identifiers that are keywords become a.. umm keyword
  276              return ('KEYWORD', $sem) if ($keywordmap{$sem});
  277              return ('IDENT', $sem)   if ($sem =~ /^[a-z0-9_]+$/i);
  278              return ('OTHER', $sem);
  279          }
  280  
  281          # OTHER return catch-all
  282          return ('OTHER', $sem);
  283      }
  284  }
  285  
  286  # Get a character from the input stream, with capability of 1 peek-ahead
  287  my $peekchar = undef;
  288  sub peekchar {
  289      my $if = shift;
  290      
  291      $peekchar = undef if (read($if, $peekchar, 1) < 1);
  292      return $peekchar;
  293  }
  294  sub getchar {
  295      my $if = shift;
  296      my $ret;
  297      
  298      if (defined($peekchar)) {
  299          $ret = $peekchar;
  300          $peekchar = undef;
  301      } else {
  302          $ret = undef if (read($if, $ret, 1) < 1);       
  303      }
  304      if (defined($ret) and $ret eq "\n") {
  305          $col = 0;
  306      } else {
  307          ++$col;
  308      }
  309      return $ret;
  310  }

Playing with Moose

Thu, 20 Sep 12 09:36:27 +0200

I've been playing around with Catalyst, the MVC framework for Perl app servers. All tutorials and the book The Definitive Guide to Catalyst work with Moose - so as I'm trying out Catalyst, I decided to dig deeper into Moose. Here's a tiny introduction.

So what is Moose?

Moose is basically a framework, or scaffold, to ease the pain of retyping accessors of Perl classes. Typically, if you have say a class called "Person", you'll have an accessor "firstname" that is both a getter and a setter:

  sub firstname {
      my ($self, $firstname) = @_;
      $self->{firstname} = $firstname
	if (defined $firstname);
      return $self->{firstname};
  }

Of course you'll have tons of such accessors, for a last name, a middle name, sex, color of hair, shoe size... Retyping this gets really bothersome after a while. Perl already has some nice "gadgets" to simplify this - e.g., AUTOLOAD-ing (see my blog post on this subject). But still, Moose is really nicer.

Then, in standard Perl object lingo, you'll have the preamble of the class, starting with "use strict / use warnings", and then going into "use Exporter" and defining all methods that you would like to export. Moose makes all this really superfluous, just one statement "use Moose" is all it takes.

All this, and much more, is greatly simplified when you use Moose. In addition, Moose offers out of the box roles of your classes, hooks for pre- and post-modification of object fields, coercion of values (e.g., string to date), and loads more. Moose really is complete. But, unfortunately, at a performance cost. Here's an evaluation.

For example.. invoices

I'll illustrate Moose with a tiny program that displays an invoice, such as illustrated below. There are the following parts to the invoice:

An invoice has an ID.
An invoice also has a customer.
The customer has a name and an address.
Furthermore, the invoice has a number of invoice lines.
Each invoice line has a description, a unit price, and a quantity.
The invoice therefore has a total price.

Here's a sample. The invoice ID is 2012-09-17785, the customer is Charlie's Cheeses in Alexandria. There are three invoice lines, concerning Cheddar, Roquefort and Emmentaler. Finally there's the total:

                                   I N V O I C E
     
     2012-09-17785
     Charlie's Cheeses
     1415 River Rd., Alexandria, 34557 MN
     
     Description                       Qty    Unit    Subtotal
       Cheddar, 1kg                      2   12.50       25.00
       Roquefort, 100gr                  1    2.35        2.35
       Emmenthaler, 5kg                  3   49.90      149.70
     
     Total:                                             177.05

A Customer

Let's dive right into the code. Here's a Perl module to handle a Customer, having a name and an address. The Customer may be constructed having the name and address right in the call to "new", as in:

  my $c = Customer->new(name    => 'Customer name',
                        address => 'Some address');
  print "Customer is called ", $c->name, "\n",
        "and has the address", $c->address, "\n";

Alternatively, the fields can be set separately:

  my $c = Customer->new;
  $c->name('Customer name');
  $c->address('Some address');
  print "Customer is called ", $c->name, "\n",
        "and has the address", $c->address, "\n";

On the left side is a listing with the "standard" Perl class code, a-la Tom's Object Oriented Tutorial (try perldoc perltoot to see it). On the right side is the Moose equivalent.

package Customer;
use strict;
use warnings;

use Carp;
use Exporter;

our @ISA    = qw(Exporter);
our @EXPORT = qw(new name address);

sub new {
    my $class = shift;

    my $self = {};
    bless $self, $class;

    my %opt = @_;
    for my $key qw(name address) {
	$self->{$key} = $opt{$key} if (defined $opt{$key});
    }

    $self;
}

sub name {
    my ($self, $name) = @_;
    $self->{name} = $name if (defined $name);
    $self->{name};
}

sub address {
    my ($self, $address) = @_;
    $self->{address} = $address if (defined $address);
    $self->{address};
}

1;

package Customer;
use Moose;

has 'name'    => (is => 'rw', isa => 'Str');
has 'address' => (is => 'rw', isa => 'Str');

no Moose;
__PACKAGE__->meta->make_immutable;
1;

Pretty impressive huh? Don't mind the last two lines ("no Moose" etc.). They clean up the scaffolding. Details are in the docs ;-)

Moose's "has" method basically sets up the internal data fields and the accessor methods. In this example it's instructed to set up an accessor "name", which is read/write (i.e., may be used in the "new" constructor, or in separate methods that override previous values). The type is a "Str", which is of course a string.

Next, an invoice line

The next class represents one invoice line, having an item description, a quantity, and a unit price. Pretty simple. Besides these accessors, there's also the method "total" that checks that the necessary fields are there, and then returns the total of the invoice line.

Again, left is the Moose-free code, right is the Moose-scaffolded Perl.

package Invoiceline;
use strict;
use warnings;

use Carp;
use Exporter;

our @ISA    = qw(Exporter);
our @EXPORT = qw(new description qty unitprice);

sub new {
    my $class = shift;

    my $self = {};
    bless $self, $class;

    my %opt = @_;
    for my $key qw(description qty unitprice) {
	$self->{$key} = $opt{$key} if (defined $opt{$key});
    }
      
    $self;
}

sub description {
    my ($self, $description) = @_;
    $self->{description} = $description if (defined $description);
    $self->{description};
}

sub qty {
    my ($self, $qty) = @_;
    $self->{qty} = $qty if (defined $qty);
    $self->{qty};
}

sub unitprice {
    my ($self, $unitprice) = @_;
    $self->{unitprice} = $unitprice if (defined $unitprice);
    $self->{unitprice};
}

sub total {
    my $self = shift;
    croak 'No unitprice' unless ($self->unitprice);
    croak 'No qty'       unless ($self->qty);
    return $self->unitprice * $self->qty;
}

1;

package Invoiceline;
use Moose;
use Carp;

has 'description' => (is => 'rw', isa => 'Str');
has 'qty'         => (is => 'rw', isa => 'Int');
has 'unitprice'   => (is => 'rw', isa => 'Num');

sub total {
    my $self = shift;
    croak 'No unitprice' unless ($self->unitprice);
    croak 'No qty'       unless ($self->qty);
    return $self->unitprice * $self->qty;
}

no Moose;
__PACKAGE__->meta->make_immutable;
1;

Again, the Moose scaffolding really helps shortening the code. The accessors for "description", "qty" and "unitprice" are instantiated using just three "has" statements. This really makes the code cleaner and saves typing. Regardless of whether Moose is used, the Perl package can be extended with any other methods you'd like, even coded in the standard "old-fashioned" way. That's why the method "total" is identical in both listings. The call to the Moose method "has" can have many more options, such as a default value, a function that's executed after the value changes (e.g., for range checks), how a value can be coerced from a different type, etc. Moose furthermore supports roles. See the docs for more.

The Invoice

Having done the prework, here's what an invoice is. It must have an ID, a customer, and invoice lines. I've chosen to implement the invoice lines as an array of refs to "Invoiceline" objects. There's a method "invoiceline" that adds one "Invoiceline" object to the array. Finally there's a method "display" to show the invoice on screen.

Again, left side is standard code, right side is Moose. The method "display" is identical in the two versions. Just for the fun of it, the fields for the customer and the invoice ID may only be set during construction ("Invoice->new"), but not using the method calls. This is implemented in the non-Moose code by inspecting the parameters to "new" and requiring the tags "id" and "customer". In Moose-talk this is simply done by flagging these accessors as "ro", which is of course read/only - meaning that the values can be set only during initialization (object construction).

package Invoice;
use strict;
use warnings;

use Carp;
use Exporter;

our @ISA    = qw(Exporter);
our @EXPORT = qw(new id customer invoicelines invoiceline display);

sub new {
    my $class = shift;

    my $self = {};
    bless $self, $class;

    my %opt = @_;
    for my $key qw(id customer) {
	if (defined $opt{$key}) {
	    $self->{$key} = $opt{$key};
	} else {
	    croak 'No $key option in construction';
	}
    }
    $self->{invoicelines} = $opt{invoicelines}
      if (defined $opt{invoicelines});
      
    $self;
}

sub id {
    my ($self, $id) = @_;
    $self->{id} = $id if (defined $id);
    $self->{id};
}

sub customer {
    my ($self, $customer) = @_;
    $self->{customer} = $customer if (defined $customer);
    $self->{customer};
}

sub invoicelines {
    my ($self, $invoicelines) = @_;
    $self->{invoicelines} = $invoicelines if (defined $invoicelines);
    $self->{invoicelines};
}

sub invoiceline {
    my ($self, $invoiceline) = @_;
    if (not defined $self->{invoicelines}) {
	$self->{invoicelines} = [ $invoiceline ];
    } else {
	push @{ $self->{invoicelines} }, $invoiceline;
    }
    $self;
}

sub display {
    my $self = shift;

    print
      "\n",
      "                              I N V O I C E\n",
      "\n",
      $self->id, "\n",
      $self->customer->name, "\n",
      $self->customer->address, "\n",
      "\n",
      "Description                       Qty    Unit    Subtotal\n";
    my $overall_total = 0;
    for my $l (@{ $self->invoicelines}) {
	printf "  %-28s %6d   %5.2f  %10.2f\n",
	  $l->description, $l->qty, $l->unitprice, $l->total;
	$overall_total += $l->total;
    }
    printf "\nTotal: %50.2f\n\n", $overall_total;

    $self;
}    

1;

package Invoice;
use Moose;
use Customer;
use Invoiceline;

has 'id'	      => (is  => 'ro', isa => 'Str');
has 'customer'        => (is  => 'ro', isa => 'Customer');
has 'invoicelines'    => (is  => 'rw', isa => 'ArrayRef[Invoiceline]');

sub invoiceline {
    my ($self, $line) = @_;
    
    if (not $self->invoicelines) {
	$self->invoicelines( [$line] );
    } else {
	push @{ $self->invoicelines }, $line;
    }
    $self;
}

sub display {
    my $self = shift;

    print
      "\n",
      "                              I N V O I C E\n",
      "\n",
      $self->id, "\n",
      $self->customer->name, "\n",
      $self->customer->address, "\n",
      "\n",
      "Description                       Qty    Unit    Subtotal\n";
    my $overall_total = 0;
    for my $l (@{ $self->invoicelines}) {
	printf "  %-28s %6d   %5.2f  %10.2f\n",
	  $l->description, $l->qty, $l->unitprice, $l->total;
	$overall_total += $l->total;
    }
    printf "\nTotal: %50.2f\n\n", $overall_total;

    $self;
}    

no Moose;
__PACKAGE__->meta->make_immutable;
1;

The Test Script

Finally there'a a test script that instantiates two invoices and displays them. The script of course works with both Moose and non-Moose package implementations, since the accessors are identical. Just as an illustration, the second invoice construction is "chained" in the calls; as in Invoice->new(...)->invoiceline(...)->invoiceline(...)->display.

#!/usr/bin/env perl

use strict;
use warnings;

use Customer;
use Invoiceline;
use Invoice;

my $i =
  Invoice->new(id       => '2012-09-17784',
	       customer => Customer->new(name    => 'Bits and Stuff',
					 address => '1200 Main St., '.
					             'Wright, 77145 TX'));

$i->invoiceline(Invoiceline->new(description => 'Nibble',
				 qty         => 4,
				 unitprice   => 0.12));
$i->invoiceline(Invoiceline->new(description => 'High bit',
				 qty         => 3,
				 unitprice   => 0.03));
$i->invoiceline(Invoiceline->new(description => 'Low bit',
				 qty         => 1,
				 unitprice   => 0.01));
$i->invoiceline(Invoiceline->new(description => 'Byte',
				 qty         => 65536,
				 unitprice   => 0.18));
$i->display;


Invoice
  ->new(id => '2012-09-17785',
	customer => Customer->new(name => 'Charlie\'s Cheeses',
				  address => '1415 River Rd., Alexandria, '.
				             '34557 MN'))
  ->invoiceline(Invoiceline->new(description => 'Cheddar, 1kg',
				 qty => 2,
				 unitprice => 12.50))
  ->invoiceline(Invoiceline->new(description => 'Roquefort, 100gr',
				 qty => 1,
				 unitprice => 2.35))
  ->invoiceline(Invoiceline->new(description => 'Emmenthaler, 5kg',
				 qty => 3,
				 unitprice => 49.90))
  ->display;

Evaluation

So far so good. But how fast is Moose? Unfortunately.. using Moose has a great impact. Running the non-Moose version a hundred times took me 1.6 seconds on my laptop. the Moose version ran for 27.5 seconds, so that's 17 times slower.

Here's my take on it: As a programmer, you do get a lot more when using Moose. But the performance is a serious drawback when using it for small command-line tools. However, in a once-loaded app server environment, such as in Catalyst, it's really worth while. The load time is used up just once, and the code becomes much cleaner and "safer". So, yeah, I plan on using Moose for bigger projects that run in a load-once web container; but not for the daily scripts that glue together a Unix system.

Comments or remarks as ever to karel@kubat.nl. Happy Perl coding!

Update

Just a day later I received a remark and a question from Eddie:
Nice post mate. I've never heard of Moose before.
Did you benchmark Moose code inside an app-server? I'm curious if the tremendous overhead is caused by the loading part only or is it (partly) a runtime penalty?
If it is loading-overhead only it is a viable option. Otherwise I would hack a little code-generator to generate the boilerplate stuff and hand-code the functional parts. Maybe do the functional parts in another file and the generator constructs the final class. That way you can overload the boilerplate methods if so desired...

Well let's see. I took one of the above shown Invoice generation blocks and ran the following test:

I measured the load time
I measured the excution time of running the Invoice->new(...) call 100.000 times
I did this with the Moose-scaffolded version and with the plain Perl-OO version.

And the results are...

The script load time is was 50 times longer when using Moose in this example;
Instantiating a Moose-enhanced class was 2 times longer when using Moose.

So the penalty is mainly in the load time, which would mean that Moose is prefectly suitable for an app-server context. The execution which is 100% slower is I think acceptable; because:

Normally Perl code won't be only Moose-instantiation, there will be lots of other tasks (which diminishes the Moose-induced performance hit);
Usually an application will spend most of its time waiting for I/O anyway (such as a database or a webservice call), which will further mean that the Moose-hit is relatively much smaller;
Hardware gets faster by the day, so who cares.

How do you export photos from Adobe Photoshop Elements

Tue, 28 Aug 12 11:30:55 +0200

Figure 1: Elements Organizer "File" dialog

Figure 2: Copy/Move files: Dialog 1

Figure 3: Copy/Move files: Dialog 2

Figure 4: Disk Utility: New Image dialog

Adobe Photoshop has a workflow-ish organizer called Organizer. This is available on both Windows and Mac.

The Problem

However, exporting from the Mac version is a bit of a hassle. Quite a few forums are dedicated to this question - e.g., the Adobe forum, which e.g. states:

The question:
How to export photos from Elements Organizer on Mac?
I saw someone asked the same question and it seemed not to be possible with the Mac version. Surely this can't be possible as this must be one of the single most important functions in an Archving system.

And the responses:
- The export option from Organizer is only available on Windows. On the Mac you will need to use “Save As” from the Editor or for batch processing File >> Process Multiple Files.
- Well so long as the function exists in Mac. But I can't see a "process multiple files" option under "File"?
- There is no way to export from organizer on a mac. Adobe's suggestion is to open photos in editor and do a save as.
- That's totally mad. Save as? What one by one? Surely this is one of the most fundamental functions in a photo archiving system? And why in windows but not in mac? My standard workflow is import from camera to an archive (eg Organizer or Lightroom), edit, export to folder, ftp to client. If you can't export from Organizer, it means I can't use it. Crazy.
- Wow, right. I think that's where my experiment with Elements Organizer stops. Back to Lightroom! Thanks a million!

Is it really the case that it's impossible to export from the Elements Organizer? Nah... there must be a way.

The Solution

Elements Organizer doesn't have an export function in the file menu, but it does have an option copy/move to removable drive. This option in fact does exactly what export should do:

From stacks it will copy the topmost picture,
When pictures are edited then it will copy the modified version.

This option can be used without any problems to export images. The obvious steps are:

Pop a USB drive into your Mac;
Select the images to export;
Hit File >> copy/move to removable drive (see Figure 1);
In the next dialog, make sure that the option Move files is unchecked (see Figure 2);
In the next dialog select the USB drive as destination (see Figure 3);
Click done and presto.

After that, Elements Organizer will happily fill up your USB drive with the photo's that you selected.

What if you don't have a USB drive handy?

It's a weird thing that this exporter only works on external drives, such as USB's, simply refuses to export to a folder on your main (root) drive. Well, nothing's impossible on Unix, right? If you don't have a USB drive handy, you can always create an image, mount it, and export there. Here's how.

Start up the Disk Utility (under Applications / Utilities).
Click the New Image icon at the top (see Figure 4).
Select a size that you expect not to exceed, say 500Mb, which should be enough for most exports.
Hit Create. After this step, the disk will appear as the typical image icon on your desktop, and it will be mounted (i.e., usable).

Once you have this image, you can use Elements Organizer to export your files into this location; he dialog Destination Settings will show it. You don't have to create this image drive for every export. Just create it once, and re-use it every time you need to export your photos.

That's all!

If you have questions / remarks, don't hesitate to mail me at karel@kubat.nl. Happy exporting!

Security hole at the Empire State Building

Tue, 21 Aug 12 20:59:28 +0200

This year's holiday included a visit to New York City. The kids were there for the first time, so hey, what can you do. You visit all the tourist stuff, including the Empire State Building. This story is about a little oopsie I had there by bringing a knife - and a big oopsie the security implementation has.

Once you enter the Empire State Building, you pass through security; similar to musea and the airport. You have to remove your belt (which I dutifully did), put your mobile phone and wallet into a basket (which I dutifully did), put your bag and basket on the conveyor belt for the X-ray machine (which I dutifully did), and pass through the metal detector gate (which I dutifully did). Lo and behold, no beeps, I am metal-free. On the other side of the gate I picked up the stuff from my basket, put on my shoes, and stuck the belt in my pants. Then I proceeded to wait for my bag.

Security at the Empire State Building checks for the same stuff that the TSA dislikes: weapons, guns, what you have, and even tripods. They don't allow photographers to bring their tripod along. Maybe they think that photographers are prone to threatening airplane crews. Maybe they're afraid that someone will try to crash the Empire State Building into the White House. Anyway, I didn't have a tripod with me, so who cares?

(Deep voice) Sir, is this your bag?
(Me) Yes, it is.
(Deep voice) Sir, it appears you have a knife in your bag.

At this point I thought, oh crap. I had my camping knife with me, because it doubles as sandwich-maker. I'd forgotten to take it out of my bag. Fortunately, since the Empire State Building isn't an airport, I could leave the knife downstairs to be picked up later. Whee! Saved. I'd have hated to loose the knife, it's a really fine piece of equipment. So I proceeded to put the knife in a numbered plastic bag, which was then dutifully sealed by the security personnel. The top of the bag, which had the same number stencilled on it, was ripped off and given to me, by way of receipt. Great! The entire family filed towards the elevators to enjoy the view. It was a particularly clear day.

On the way back we filed into the lobby to exit to the street. I however still had to pick up my knife, so I re-entered the line towards security. I didn't want to wait that long, so as soon as I saw a security guy, I showed my receipt. "Right this way" he said, and I bypassed the line. I was instructed to "talk to that guy over there, behind the metal detectors". So, still waving my receipt, I went towards the detector gates, and I was let through - without removing my shoes or belt, and while holding my bag. The detector gate went berserk, it beeped like crazy and flashed all colors. The security people however didn't mind, because I was just picking up stuff. So they let me through. I then talked to the person who was pointed out to me, who took my receipt and handed over my knife. I put the knife in my bag and looked around for the exit (remember, I was now again in the line towards the ascending escalators). The security guy noticed that I was looking for the way out, so in a helpful mood he informed me: "You can exit over there, through those double doors". I thanked him and went towards the exit.

I had to wiggle through 3 lines towards the ascending elevators to get to the exit doors, then I was at the exit towards the lobby. But before leaving the security area, I decided to talk to the guy who had given me the knife. So I went back (wiggling through 3 lines of people again), and said, "Hey, just one more thing. I got here through a beeping metal detector, I could have loads of stuff in my bag, you just handed me my knife, and I could just as well go to the ascending escalators, instead of towards the exit. Isn't that weird?" He looked at me for about 30 seconds, and the said, "Yeah, well, we're just following the rules here." I politely thanked him and headed towards the exit doors, and proceeded to the lobby and the street.

The moral of the story?

A real attacker would have a mate standing in the lobby with guns, bombs and what you have, just waiting.
He'd then go through security and would make sure that he'd have a knife or a pair of scissors or a tripod, which would be left in a sealed bag in the security area.
After some time the attacker would exit to the lobby, get his mate's bag of tricks, and proceed to the security area, while waving his receipt.
In the security area he'd pick up his tripod or whatever, and go to the ascending escalators.
Voila.

So much for following procedures without ever thinking....

Matrix Sunglasses

Sun, 15 Jul 12 19:34:55 +0200

Some time ago I ordered sunglasses from matrix2sunglasses.com. My son had a pair and of course I had to follow suit. They are the "Morpheus" ones, those that sit on your nose. From the description: "Over the years there have been many attempts at recreating the original Blinde design, but most were of poor quality. The M.2. Morpheus however is simply outstanding. High quality 10 base polycarbonate lenses provide optical clarity and the finish is superb whilst we upgraded the Pince-Nez device along with silicone nosepads. All of Morpheus sunglasses offer UV400 protection."

I received them a few days ago. Beautiful weather outside, time for a ride and a roadtest.

The good thing about the Pince-Nez construction is that the glasses fit wonderfully inside a motorcycle helmet. I've tried to wear my standard ones under the helmet, but after about half an hour the pressure of the ear pieces gets really annoying. I guess that my helmet just fits too well around my head ;-) These sunglasses solve the problem.

Test Results:

The sunglasses sit pretty solidly on your nose, they don't wiggle or fall off. I had the visor open, and at a speed of say 80kmh there were no problems at all.
The wear is very comfy. The silicone pads are big enough to prevent pinching, and the shades are really very light.
The optics are pretty good, there is absolutely no distortion of the image, not even near the sides of the shades. The color is good (green with a hint of brown). I'd prefer polarized shades, but I guess that the necessity of this lightweight model doesn't allow for real glass. Plus I might not want real glass inside my helmet anyway, incase of crashes.
A real bonus is that you can remove or put on these shades without removing your helmet. Just open the visor, and they're accessible.
All in all? Very comfy and handy for a helmet situation.
They probably won't work if you have a crooked nose 'cause it's been broken.

Two Morgans

Thu, 12 Jul 12 20:20:07 +0200

Today, while on the bike near Schiphol Airport, I encountered two British Morgan-8 cars. Real fun to see in their natural habitat. Here are some pics.

The logo..

Front view

Front and Side

The black one

Luggage wrapped in a Union Jack, lol!

Review of the BMW R1200RT Motorbike

Thu, 12 Jul 12 20:20:07 +0200

My own BMW K1200GT is in the shop, and since yesterday I'm riding a R1200RT - kindly provided by the garage. It's fun to ride a different bike, to get a feel for it. But the R series is so radically different, that I decided to write up what I think are striking differences between otherwise comparable tour bikes.

Similarities
First of all, why are the R1200RT and the K1200GT somewhat similar?

Both are built for longer distances on the road; real "tour bikes".
Both are pretty heavy, well over 250kg, but capable of supporting the driver, a passenger and luggage.
Both have a top speed of well over 200kmh.
Both are built to minimize maintenance and maximize safety; e.g., both have a cardan shaft that drives the wheel, both have ABS.

The red R1200RT. Good looking though.

First impressions
The biggest difference is that the K series has four cylinders, while the R series has two, in a boxer-configuration. The volume on both bikes is 1200cc, so that's pretty comparable. The boxer engine looks kinda sexier though, a bit meaner and tougher. The gasoline tank is a bit wider, there's a neat aluminium rail over it with clamps for a bag. The dash is very similar to my K1200GT; same board computer and stuff (though this R didn't have cruise control and seat heating, which are extra's). I was happy to see the switches for the turn indicators at the "right" places where I expect them: thumb paddles left and right, instead of the Japanese-inspired one-switch on the left handle bar. Newer BMW's have the one-switch approach though, which I think is not that great. Sad.

Mean-looking gas tank.

Standard BMW dash with turn indicator switches left AND right,
handle bar heater switch on the right side,
electrical windscreen switch also right.

Windscreen
Another interesting fact is that the windscreen of the K1200 absorbs and deflects much more rain. On the K1200 you feel as if you're in an air bubble and the droplets pass by. The R1200 has a different configuration of rearview mirrors (under the handle bars) and when the windscreen is tilted upward, there's a fairly large gap where the rain hits your gloves, sleeves and jacket. You really get more wet.

With the windscreen tilted upwards, you get wet.

Performance
The K1200 spits out a neat 160hp, divided over normally up to 10.000rpm (10.000 to 12.000 being "in the red"). The R stops at 110hp, at up to 8.000rpm (8.000 - 10.000 is "red"). All in all, the K is way more sporty, and yes, handles much better. It's a great sprinter, it keeps you on your toes, and gives a ton of fun while riding it. This R1200 feels sluggish, the steering seems more difficult (despite the fact that it's 20kg lighter!), it doesn't rev.

Summary
I remember driving a VW Golf Diesel for the first time, must be 20 years ago or more. I was overwhelmed by the same emotion when riding the R1200RT. Sluggish, slow, you open up the gas and it goes "prrrrrrrrrrrrrr" instead of making you go "Whoa! Jeez!". Basically riding the R1200RT is like driving a truck.

Subject	R1200RT	K1200GT
Built for?	Touring bike, for long distances on the road	Same here
cc's?	1200cc	1200cc
Engine?	Two cylinders in a boxer configuration	Four cylinders in line
Hp?	110hp	160hp
Looks?	Looks like a bad mofo	Looks like it's built for speed
Wind while driving?	Windscreen tilts up, great for avoiding wind	Same here
How about rain?	Windscreen deflects some rain but you still get wet	Windscreen creates a cool bubble to keep you dry
Style?	Easy going carefree riding	Keeps you on your toes
When you open up the throttle?	Engine goes prrrrrrrrr	You go prrrrrrrr as you shit your pants
Audience?	Suggested for leisure and for the elderly	Suggested for bikers

I remember someone saying once that BMW bikers are basically in one of two camps, the K riders and the R riders. Guess I'm a K guy.

Passwords: maak het hackers moeilijk

Wed, 13 Jun 12 19:40:12 +0200

Wil je 't weten? Lees Annemieke's blog op vrouwen-ondernemen.nl. Het origineel staat op annemoves.com met meer 'stuff' van Annemieke.

Mijndomein foutje

Wed, 13 Jun 12 19:35:21 +0200

[Dutch entry] Laatst claimde ik een domeinnaam bij mijndomein.nl. Na registratie kreeg ik een bevestigingsmail. Tot zover niks mis mee. 't Mailtje is hieronder weergegeven. Ra ra wat is er mis mee? (Sommige namen en termen zijn in het plaatje overschreven door XXXXX).

Weet je 't al? Het wachtwoord wordt in de mail genoemd. Grote no-no! Dit is fout om twee redenenen:

Het wachtwoord staat in een e-mail bericht. Iedereen die mijn mail ziet, ziet dus mijn wachtwoord bij mijndomein.nl.
Mijndomein.nl heeft mijn wachtwoord in plain text. Anders zouden ze het immers niet in de mail kunnen plakken! Is niet goed. Ze zouden 't wachtwoord in moeten omrekenen naar een "salted hash" en dat opslaan, en 't plain-text wachtwoord moeten vergeten. Want, wat je niet hebt, kan ook niet gejat worden.

Kortom, in 't mailtje zou hooguit moeten staan: "Wachtwoord vergeten? Klik hier voor support."

YOLNT

Thu, 07 Jun 12 20:27:34 +0200

YOLO: slang phrase used by morons right before doing
something dumb that will probably kill them or
give them herpes

Human Origins

Wed, 06 Jun 12 20:35:39 +0200

Seen today:

46% of USA citizens think that God created humans in the last 10.000 years or so;
32% think that humans evolved with God's help;
15% think that humans evolved without divine intervention.

And that was what, err, a developed country? For completeness, here is the source. According to the description, "results for this USA Today/Gallup poll are based on telephone interviews conducted May 10-13, 2012, with a random sample of 1,012 adults, aged 18 and older, living in all 50 U.S. states and the District of Columbia. For results based on the total sample of national adults, one can say with 95% confidence that the maximum margin of sampling error is ±4 percentage points."

Purely coincidentally, USA Today reports on the fact that historically the average USA student was always mediocre at best when compared to other countries. Nevertheless, the USA has a long tradition of innovation - so obviously there's quite a gap between the average and the top. Interesting.

Me on Facebook

Wed, 30 May 12 15:55:18 +0200

Oh wonder, Facebook feeds me personal ads. So this is me:

I play simplistic games,
I am a sucker for overprized designer stuff,
I am on the lookout for females,
My prostate needs an overhaul.

Thanks, Facebook.

Voluntary Layoffs

Thu, 17 May 12 01:25:58 +0200

Here's a good laugh. Societé Generale has offered a voluntary layoff programme to its employees. Now they had to limit the programme - because too many people want to leave.

More lols at hereisthecity.com. Thanks, HvE, for showing this to me :)

RBS Bike Tour

Mon, 07 May 12 20:41:54 +0200

For all RBS colleagues who have a bike and want to go for a ride: please visit the tour page!

Room with a view

Fri, 27 Apr 12 21:41:00 +0200

Yup, I have a new Wacom Intuos tablet ;-)

Browser cookies and Javascript revisited

Fri, 27 Apr 12 21:41:00 +0200

I wrote before about cookies and Javascript. Recently I had to improve the Javascript library, I needed to "auto-guess" cookie domains and I had to supply a meaningful value for the cookie path. So here's a newer and better version:

The domain is defined as the last two "words" of the domain that the browser is accessing. So if the browser is pointing at say my.secure.website.org, then the domain .website.org is used.
The cookie path is set to / for all operations.

The entire interface as described in my previous post still holds. But I updated the file cookies.js. As ever, if you have remarks, let me know at karel@kubat.nl.

Schrodingers Cat

Fri, 17 Feb 12 09:29:26 +0100

By Michelle Marie, on Google+:

KPN heeft problemen

Fri, 17 Feb 12 09:58:53 +0100

[2012-02-17] Update
KPN heeft de mailgebruikers post gestuurd. Gebruikersnaam en wachtwoord in dezelfde brief. Pffff... Lees meer op nu.nl.

Met dank aan #Annemieke on Twitter: KPN heeft echt wel problemen. Ze zijn gehackt, de hackers verschaften zich toegang tot data, die hebben ze misschien gekopieerd, da's dus misschien allemaal openbaar, balen.

Fout 1: Ze hadden gebruikersnamen en plain text passwords op hun systeem staan. Dat is nalatig, als je qua security jezelf serieus neemt, dan doe je zo iets niet. Wachtwoorden moet je altijd hashen en dan opslaan, en dan nog, moet je een "salt" gebruiken zodat dezelfde wachtwoorden altijd een andere hash opleveren. Dit wisten we al rond 1970 toen Unix werd ontworpen. Stom stom stom!

Maar ja, dus, hoe nu verder. Je gebruikers zullen toch een keer hun password moeten wijzigen om misbruik te voorkomen. Snap ik. Bovendien, de oude wachtwoorden kun je niet meer vertrouwen, dus bij de password-reset heeft het geen zin om naar het oude wachtwoord te vragen. Snap ik. Dus moet je een andere methode verzinnen. Snap ik ook.

Dus wat heeft KPN verzonnen? Vanaf het IP adres dat bij je Internet abonnement hoort, kun je makkelijk je wachtwoord wijzigen. Dan weet de KPN namelijk dat je 't echt bent en niet iemand die je username/password combinatie kent en in China zit. Snap ik. Dit is op zich een goed idee, behalve dat alleen je IP adres onvoldoende is om je te identificeren. Dus wat willen ze nog meer weten om er zeker van te zijn dat jij 't bent? De laatste 3 cijfers van je rekeningnummer waarmee je je KPN abonnement betaalt. Niet verkeerd bedacht, snap ik. Maar nou komt 't:

Je mag (vanaf je IP adres) net zovaak de laatste 3 cijfers van je bankrekeningnummer intikken als je wilt; totdat je 't invoerscherm krijgt voor een nieuw wachtwoord.
Er wordt verder niks gevraagd (niet "de meisjesnaam van mijn moeder", of "mijn favoriete kleur", "hoeveel neuzen heb ik", etc.

Fout 2: De password-reset applicatie van KPN is lek. Door een heel simpele brute force attack ben je zo binnen. Je hoeft alleen maar "op het IP adres" te zitten van een KPN klant, en binnen een paar minuten heb je toegang tot zijn/haar e-mail account. Je hoeft alleen maar als laatste cijfers 000 tot en met 999 proberen.

Kortom, hier is niet goed over nagedacht. Ik kan me best voorstellen hoe dat ging. De Customer Intimacy & Service Delivery Manager (Voorman Klantenbalie) uitte de zorg dat al die bellende KPN klanten die per telefoon hun wachtwoord gereset willen hebben, het hele callcenter zullen platleggen. Zijn direct leidinggevende, nl. de Customer Services Portfolio Manager (Chef Klantenbalie), zou wellicht zijn bonus mislopen als de gemiddelde wachttijd zou toenemen. Hij heeft daarom contact opgenomen met de Technology Services Portfolio Manager (Chef Technisch Beheer) en het probleem voorgelegd - er moest snel iets komen dat zo "foolproof" was dat zelfs z'n eigen oma ermee uit de voeten kon. "Ja maar security dan?", vroeg een onschuldige voorbijgaande ontwerper. "Niks ervan, we gaan voor full customer satisfaction en empowerment!", zei 't baasje, en dacht, ook voor m'n bonus. Et voila!

En er hoefde maar een kleinigheid bij om 't geheel wel veilig te maken. Na drie keer verkeerde invoer lock out....

(En ja, ik heb dumps van de HTTP requests, naar welke URL de POST moet om een reset te proberen met drie cijfertjes, wat de server terugstuurt als 't niet lukt, wat de server terugstuurt als 't wel lukt, en een scriptje dat dat doet. Maar die post ik maar niet. Voor je 't weet komen mensen op 't idee om te gaan wardriven om iemands mail te hacken.)

Memebase forever

Thu, 12 Jan 12 23:11:49 +0100

If you like memebase, here's a cool loop. Brilliantly done!

Strange squares

Wed, 11 Jan 12 15:59:24 +0100

Did you know that in the range 1..100 the numbers 41, 42, 43, 44, 45, 46, 54, 55, 56, 57, 58 and have the following in common:

When you subtract 25 from the number, you get two digits. We'll consider those as the first half of a number.
When you subtract the number from 50, and square that, you also get two digits. We'll consider those as the second half of a number.
The new number (with the left 2 digits and the right 2 digits) is the square of what we started with, so the square of 41, 42, 43, and so on.

For example try 44.

44 - 25 = 19
50 - 44 = 6, and 6 x 6 = 36
1936 = 44 x 44

This can of course be easily deduced. First, for every x we require that

100(x - 25) + (50 - x)² = x²

This isn't very helpful, it holds true for every imaginable number of x ;-)
But second, we also want that (x - 25) has two digits, and that (50 - x)² has two digits, so:

(a) 10 ≤ (x - 25) ≤ 99
(b) 10 ≤ (50 - x)² ≤ 99

From (a) it follows that 35 ≤ x ≤ 99; from (b) it follows that:

(b1) x² - 100x + 2500 ≥ 10
x² - 100x + 2490 ≥ 0
x ≤ 46.83 or x ≥ 53.16

(b2) x² - 100x + 2500 ≤ 99
x² - 100x + 2401 ≤ 0
x ≥ 40.05 and x ≤ 59.94

So overall, 40.05 ≤ x ≤ 46.83 or 53.16 ≤ x ≤ 59.94 or with integers 41 ≤ x ≤ 46 or 54 ≤ x ≤ 59

Still, nice doodling on a rainy morning. Oh, and of course the checker:

use strict;

for my $n (1..100) {
    my $sq = $n * $n;
    next if (length($sq) != 4);

    my $left  = $n - 25;
    my $right = (50 - $n) * (50 - $n);

    print("$n -> $sq\n") if ("$left$right" == $sq);
}

TVV Ondernemingsportaalnl.com zuigt ezel

Thu, 22 Dec 11 18:46:05 +0100

[Dutch] Tsja, het jaar is alweer bijna om. Je krijgt zo nog 'es wat in de bus. Deze keer onder andere een indrukwekkende envelop, belangrijk, indien onbestelbaar terug afzender. Wat zit er in? Mijn onderneming zou zich bekend moeten maken met het BTW nummer, ter identificatie, voor een ondernemingsportaal. Kijk, dat ziet er toch vertrouwenwekkend uit? En via www.ondernemingsportaal-nl.com kun je kostenloos je gegevens actualiseren. Fijn!

En dan de rest natuurlijk. Onvermijdelijk:

Ja hoor, jaarlijks wordt 975 euro in rekening gebracht voor die vermelding. Ik ga 't formulier niet terugsturen. Maar ik heb wel een antwoord: ondernemingsportaal-nl.com, geregistreerd door TVV Tele Verzeichnis Verlag GmbH, Borsteler Chaussee 85-99a, te 22453 Hamburg DE, geregistreerd door Wulf Lohmeyer, tel. +49405148490, bereikbaar als admin@tvv-verlag.com: Jullie zijn een stel ranzige colporteurs en oplichters. Jullie zuigen ezel.

Dilbert vs Skype

Thu, 08 Dec 11 13:24:29 +0100

Why do I feel this way each day when commuting?
(See more at dilbert.com)

The uncanny resilience of bulshytt

Tue, 29 Nov 11 12:23:18 +0100

"It is inherent in the mentality of bulshytt-talkers they are more prone than anyone else to taking offense (or pretending to) when their bulshytt is pointed out to them. This places the observer in a nearly impossible position. One is forced either to use this "offensive" word and be deemed a disagreeable person and as such excluded from polite discourse, or to say the same thing in a different way, which means becoming a purveyor of bulshytt oneself and thereby lending strength to what one is trying to attack. The latter quality probably explains the uncanny stability and resiliency of bulshytt."

(From Neil Stephenons's Anathem. One of my favorite quotes in the book.)

Another silly Trojan attempt

Wed, 23 Nov 11 13:29:30 +0100

Apparently it makes sense to send Dutch e-mails now that entice you to run an executable on your system. Received today:

Guess what you get when you download the zip. Here's the listing:

LOL! Update.pdf___________.exe. Who still falls for that? Are those people even too lame to craft a malicious PDF?

ACTA is coming our way

Sun, 13 Nov 11 13:33:05 +0100

Read more about ACTA at http://lqdn.fr/ACTA.

Burgernet in the Netherlands

Sun, 13 Nov 11 13:33:05 +0100

I received a weird letter from the the mayor. He wants me to become member of Burgernet, a civilian watch program. Basically you sign up, and you then at times receive an SMS message to be on the lookout for a lost child, someone who's wanted, and what not. Oh and golly, in case you know of other people who might want to join, you're invited to register them too.

This just smells bad. For one, if you get amateur security personnel, you'll get amateur security (I didn't think of this, Bruce Schneier did).

Then there's also that I lived in society where individuals where encouraged to report on others. And many did, because it got them small favors. All this reminds me of Eastern Germany... according to wikipedia: Between 1950 and 1989, the Stasi employed a total of 274,000 people [...] In 1989, the Stasi employed 91,015 persons full time, [...] along with 173,081 unofficial informants inside GDR and 1,553 informants in West Germany. In terms of the identity of inoffizielle Mitarbeiter (IMs) Stasi informants, by 1995, 174,000 had been identified, which approximated 2.5% of East Germany's population between the ages of 18 and 60. 10,000 IMs were under 18 years of age. [...] Informants were made to feel important, given material or social incentives, and were imbued with a sense of adventure, and only around 7.7%, according to official figures, were coerced into cooperating. [...] A large number of Stasi informants were trolley conductors, janitors, doctors, nurses and teachers.

Guess I'm not joining Burgernet.

Facepalm art

Sun, 13 Nov 11 13:33:05 +0100

. . . . . .. . . . . . . . . . . ,.-‘”. . . . . . . . . .``~.,
. . . . . . . .. . . . . .,.-”. . . . . . . . . . . . . . . . . .“-.,
. . . . .. . . . . . ..,/. . . . . . . . . . . . . . . . . . . . . . . ”:
, . . . . . . . .. .,?. . . . . . . . . . . . . . . . . . . . . . . . . . .\,
. . . . . . . . . /. . . . . . . . . . . . . . . . . . . . . . . . . . . . ,}
. . . . . . . . ./. . . . . . . . . . . . . . . . . . . . . . . . . . ,:`^}
. . . . . . . ./. . . . . . . . . . . . . . . . . . . . . . . . . ,:”. . . ./
. . . . . . .?. . . __. . . . . . . . . . . . . . . . . . . . :`. . . . ./
. . . . . . . /__.(. . .“~-,_. . . . . . . . . . . . . . ,:`. . . .. ./
. . . . . . /(_. . ”~,_. . . ..“~,_. . . . . . . . . .,:`. . . . _/
. . . .. .{.._$;_. . .”=,_. . . .“-,_. . . ,.-~-,}, .~”; /. . .}
. . .. . .((. . .*~_. . . .”=-._. . .“;,,./`. . /” . . . ./. .. ../
. . . .. . .\`~,. . ..“~.,. . . . . . . . . ..`. . .}. . . . . . ../
. . . . . .(. ..`=-,,. . . .`. . . . . . . . . . . ..(. . . ;_,,-”
. . . . . ../.`~,. . ..`-.. . . . . . . . . . . . . . ..\. . /\
. . . . . . \`~.*-,. . . . . . . . . . . . . . . . . ..|,./.....\,__
,,_. . . . . }.>-._\. . . . . . . . . . . . . . . . . .|. . . . . . ..`=~-,
. .. `=~-,_\_. . . `\,. . . . . . . . . . . . . . . . .\
. . . . . . . . . .`=~-,,.\,. . . . . . . . . . . . . . . .\
. . . . . . . . . . . . . . . . `:,, . . . . . . . . . . . . . `\. . . . . . ..__
. . . . . . . . . . . . . . . . . . .`=-,. . . . . . . . . .,%`>--==``
. . . . . . . . . . . . . . . . . . . . _\. . . . . ._,-%. . . ..

Ascii art lives!

Do not drag this image

Sun, 13 Nov 11 13:33:05 +0100

Cute.

Off The Grid Challenge

Sun, 13 Nov 11 13:33:05 +0100

This used to be the blog entry for Off The Grid. I've moved the information to its separate page page.

PI like a boss

Sun, 13 Nov 11 13:33:05 +0100

Seeing the numbers. Like a boss.

Once upon a time

Sun, 13 Nov 11 13:33:05 +0100

Dutch eticket system for trains

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I bought an e-ticket for a trip by train. What struck me as odd, is that when buying the ticket, you have to fill in your name. Then as you get the PDF with your e-ticket, your name is on the PDF too. There's a disclaimer stating that the owner of the e-ticket must identify themselves. Which actually is required; my ID was checked in the train.

What bothers me, is that for something as simple as a train trip, my ID needs to get recorded and checked. This is weird, because when I buy a ticket with cash, I travel totally anonymously. Sharing my identity isn't something I am keen on, especially because the Dutch railroad company (NS) isn't an official governmental body, like the police, who are entitled to ask for one's ID. What gives?

So today I looked up the conditions for the use of an e-ticket. See http://www.ns.nl/media/e-ticket/pdf/e-ticket-voorwaarden.pdf for yourself. Apparently;

The ticket is personal and not transferable.
The ticket is only valid with a legal ID that shows the photo of the bearer.
The ticket is only valid on the date for which it intended.

There's furthermore a bunch of other conditions, regarding the printing, paper size etc.. Also, if you look closely, the e-ticket has a number of security precautions. It looks pretty official! There is in fact a number of precautions against fraud:

There's a photo on it. Not me, but hey, it's a photo.
My name is on it, and also it's woven into the photo background.
There's some sort of code on it, looks like a qr code, but it isn't.
Plus there is the aforementioned ticket number.

So again, what gives. Is all this necessary just to prevent forgery of e-tickets? And how effective is this? When train conductors check e-tickets, they only look at the name, the date, and the provided ID. That's it. With a PDF editor, tweaking the provided PDF is trivial (you could change the name, date, whatever). Or any image edting program can do it. So, in theory, I could buy one e-ticket and travel for free for the rest of my days. So what is this security worth? Isn't there another way?

Of course there is. That's what started me thinking. Here goes, a high-level design of the NS e-ticket system. Feel free to blow holes in it ;-) E-tickets should be anonymous; without needing the bearer's identification. Also it should be possible to get an e-ticket without a date restriction - just as a regular ticket. This can be done easily, here's how.

First of all, when generating an e-ticket, a ticket number is generated and put in encrypted form on the PDF, inside a qr code. At the same time the ticket number is stored centrally, with a status: unused. Then the PDF is given to the buyer.

Then, when the train conductor checks the ticket, s/he scans the qr code, and reads the embedded encrypted ticket number. The scanning application decrypts the number, and then connects to the central system that stored the number when generating the e-ticket.

If the ticket number doesn't occur on the central system, then the PDF is a blatant forgery. This situation should not happen at all, given the fact that the number on the PDF is encrypted. I'm assuming that potential hackers can't get at the encrypted data - there is however a precaution, just in case, described below.
If the central status is unused then all's well, and the status is kicked into in use. Or, if the destination is almost reached, then the conductor can kick the status into used.
If the status is in use then the conductor assesses that the bearer is on a leg of their journey where a previous conductor already checked the ticket. If the traveller is nearing their destination, then the conductor can change the status into used.
If the conductor finds that the status is used then someone is trying to re-use a previously issued ticket, without paying the fare for this trip. (That's of course assuming that the same conductor won't check the same e-ticket twice, and bump it into the used status.)
For verification purposes, the conductor can always see who changed the previous status, and when. E.g., when a given conductor sees that the state of an e-ticket is in use, s/he can see when the ticket was last checked, and by which colleague.
Periodically all ticket numbers that have been in use for more than 24 hours, are set to used. This is a central batch job that regularly checks the states. It's intended to clean up old mush.

But but.. What if the conductor fails to establish the connection to the central server? Or what if the connection suddenly dies? This is what the local app does; it will dutifully do what it's supposed to do, and will re-sync later once a connection is established. Without a connection the traveller gets the benefit of the doubt; i.e., when there's no connection to the central system then the status of an e-ticket is always assumed to be unused.

But but.. What if a conductor looses their smartphone, which is found by a hacker. They could extract the encryption key, and could generate the encrpyted ticket numbers in qr codes? This in fact won't help them. The forged ticket number will be either unknown, or it will may tagged as used in the central system. This is not a valid attack vector. To top it off, the encryption key can be changed monthly; so that the duration of this attack would be limited. Synchronizing a new key with all conductors would of course be the responsibility of the local app. (In this I'm assuming that the encryption will be symmetric, e.g., using AES. In the case of asymmetrical encryption this problem doesn't occur.)

The ingredients? A smartphone for each conductor, an app for it, a central database, and a bit of smart coding. The result? Anonymous e-tickets, not bound to a given date. And an improvement in the privacy.

Is Hell exothermic or endothermic

Sun, 13 Nov 11 13:33:05 +0100

I saw this on Akamat's Wordpress blog at akamat.wordpress.com. Totally brilliant. We should all be thankful to Teresa for clearing up this issue.

The answer by one student was so 'profound' that the professor shared it with colleagues, via the Internet, which is, of course, why we now have the pleasure of enjoying it as well:

Bonus Question: Is Hell exothermic (gives off heat) or endothermic (absorbs heat)?

Most of the students wrote proofs of their beliefs using Boyle's Law (gas cools when it expands and heats when it is compressed) or some variant.

One student, however, wrote the following:

"First, we need to know how the mass of Hell is changing in time. So we need to know the rate at which souls are moving into Hell and the rate at which they are leaving, which is unlikely. I think that we can safely assume that once a soul gets to Hell, it will not leave. There fore, no souls are leaving. As for how many souls are entering Hell, let's look at the different religions that exist in the world today.

Most of these religions state that if you are not a member of their religion, you will go to Hell. Since there is more than one of these religions and since people do not belong to more than one religion, we can project that all souls go to Hell. With birth and death rates as they are, we can expect the number of souls in Hell to increase exponentially. Now, we look at the rate of change of the volume in Hell because Boyle's Law states that in order for the temperature and pressure in Hell to stay the same, the volume of Hell has to expand proportionately.. as souls are added.

This gives two possibilities:

If Hell is expanding at a slower rate than the rate at which souls enter Hell, then the temperature and pressure in Hell will increase until all Hell breaks loose.

If Hell is expanding at a rate faster than the increase of souls in Hell, then the temperature and pressure will drop until Hell freezes over.

So which is it?

If we accept the postulate given to me by Teresa during my Freshman year that, 'It will be a cold day in Hell before I sleep with you,' and take into account the fact that I slept with her last night, then number two must be true, and thus I am sure that Hell is exothermic and has already frozen over. The corollary of this theory is that since Hell has frozen over, it follows that it is not accepting any more souls and is therefore, extinct... leaving only Heaven, thereby proving the existence of a divine being which explains why, last night, Teresa kept shouting 'Oh my God.'

Optical Illusions

Sun, 13 Nov 11 13:33:05 +0100

Recently I saw two geometrical optical illusions on www.moillusions.com. Neat, and not just for the kids.

Odd lyrics

Sun, 13 Nov 11 13:33:05 +0100

Another one off the Cheezburger Network. Pretty funny imho.

Band Revival at MON

Sun, 13 Nov 11 13:33:05 +0100

Years ago, whilst studying in Groningen, I used to play in some bands. The drummer, Ruud de Vries, whom I hadn't seen in years, followed his dream and started his own music centre - Muziek Organisatie Noord, or MON for short. To celebrate his third year in business he organized a band revival party; I got to play the base again and meet all the musicians that I hadn't seen for so long. I was surprised that the old reflexes came back so fast... I actually managed to play something.

The weekend was a blast. Here are three pics.

Sax rocks.

Guitar focus.

Female base players, they exist.

(Creative Commons License - ©Karel Kubat. You may copy & distribute, but must attribute by stating my name, e-mail address and copyright stake.)

Protests in the Middle East and you

Sun, 13 Nov 11 13:33:05 +0100

Seen on the Cheeseburger Network, one of the serious subjects. No words necessary...

Mac OSX Hotkey for locking your system

Sun, 13 Nov 11 13:33:05 +0100

Finally. I found a way to lock my Mac with just a simple keystroke. Been searching for that for ages now; because I'm not the mousey type and hence, I don't like clicking around.

First of all, make sure that your system requires a password when waking up. I have a delay of 5 seconds after which a password is required (so that when the screensaver kicks in, I can move the mouse and don't have to type the password right away):
Now you're all set. Anytime you want to lock your system, hit the magic keys Ctrl-Shift-Eject.

dnspb 0.06 is out

Sun, 13 Nov 11 13:33:05 +0100

I just uploaded dnspb version 0.06. Not many changes, just packaging, and there's now a clean build on Linux. I'm using dnspb, and testing-wise, it still works, so I consider it "beta". Have fun with it ;-)

Would I buy this fridge

Sun, 13 Nov 11 13:33:05 +0100

Color's ok tho... but it brings back haunting memories of The Young Ones..

InstaYouth

Sun, 13 Nov 11 13:33:05 +0100

Instant youth.. at the power of your fingertips ;-)

(Ok so with portraits of guys it's not that impressive. Agreed.)

The Thinker is back

Sun, 13 Nov 11 13:33:05 +0100

A few years ago, Rodin's statue The Thinker was stolen - in a flurry of unprecendented criminal ineptitude, which I commented on before. Just a few days ago I saw in the paper that The Thinker's back.. it's a reassuring thought that the Bad Guys didn't leave a permanent mark. Welcome back, Thinker.

Math challenge

Sun, 13 Nov 11 13:33:05 +0100

My 15 year old son brought the following assignment to me, and asked how it's done. Very good question! For the first time with his math work, I had to think really hard, but alas, in the end: in vain. So here it is, a little challenge. Be sure to let me know at karel@kubat.nl. Good solutions will be rewarded with a honorary mention and of course eternal fame.

Given: f(x) = -¹/₆x³ + ¹/₂x² + 4x + 1

Assignment a: f(x) has a tangent at x=2. What is the formula for this tangent?
Assignment b: f(x) has a tangent parallel to the one from assignment a. What is the formula for this tangent?

The first assignment is pretty easy. You obviously infer the derivative function of f(x), which is the "a" value ("slope") of the tangent line y = ax + b. We know x, it's given as 2, so we can compute y from f(2). So we can compute b.

But the second assignment really confused me. I stared at it for half an hour and then gave up. Let me know!

Update: And the prize for Eternal Fame goes to... Jos Visser. In Dutch: "Kun je niet gewoon de eerste afgeleide oplossen voor de coëfficient (a in y=ax+b) van de raaklijn in opgave a? De eerste afgeleide is f'(x) = -0.5x^2 + x +4. Die afgeleide geeft de coëfficient van de raaklijn op de originele curve. Voor x=2 is de coëfficient 4. Nu kun je je f'(x)=4 oplossen. Dat geeft 2 oplossingen, de ene is 2, de andere is 0. Het is al even geleden, maar zo moet het dacht ik."

Yep, absolutely right. The derivative function ("slope") of f(x) is:
f'(x) = -¹/₂x² + x + 4

The slope at x=2 is f'(2) which evaluates to 4. So, the parallel tangent will also have the same slope. The question therefore is: at which values of x is f'(x) equal to 4? One of the points should of course come back as x=2, and the other one is what we need.

So, to solve:
f'(x) = 4, hence
-¹/₂x² + x + 4 = 4, hence
-¹/₂x² + x = 0

Now it only takes the unforgettable a/b/c formula x = (-b ± V(b² - 4ac)) / 2a, using the values a=¹/₂, b=1, c=0. This solves to 0 and 2. Value 2 suggests that this looks right, so x=0 is the value we are looking for.

The tangent line we're looking for is given by y = ax + b. Slope a is 4, x is 0, so b can be computed. Good, I can rest peacefully now. It's so simple, once you see the light.

Zero tolerance and zero intelligence

Sun, 13 Nov 11 13:33:05 +0100

There was an odd newsbit today in the papers, which also appeared on webregio.nl, one of the Dutch web based newspapers. The original article appeared on telegraaf.nl.

The jest is, that a blind street musician who never bothered anyone got picked up by four cops. Reason? He didn't have a permit. He was detained at the police station for 2 hours, was stripped and searched, and interrogated. According to Bennie, the street musician, he was never warned before, and he thinks it's odd that four cops would pick him up, while they're supposedly so busy crime fighting. The good man isn't planning to pay the fine, but wants to hear what a judge has to say about the matter.

The interesting part in this, was I found, the reaction by the police: "We are here to upkeep the law and this man had no permit. Period." Wait.. What?

The law is not an end by itself. It's a means to safeguard society. When the police say they serve and protect.. they surely mean society, not the lawbooks, right? At least I should hope so!
This looks to me like a fine case of zero tolerance. And I think, the problem with zero tolerance is, that it means zero flexibility. Law officers are bound to apply the rules, without any regard to the particular situation. The problem with zero flexibility is that it favors zero inventivity, zero regard for the social aspects, and in the end, zero regard for society's needs. Or for anyone's needs.

Zero tolerance breeds zero intelligence.

My interest income in 1991

Sun, 13 Nov 11 13:33:05 +0100

Whilst cleaning up old stuff, I found out that in the year 1991, I received an interest benefit of - drumroll - 0.27 guilders, yes those were still the days when the Kingdom of the Netherlands counted its cash in guilders and not euro's. My account balance hence increased to a staggering 9.32 guilders. The bank quite correctly informed me that they had to inform the IRS of this fact. I wonder how many civil servants poured over this information.

I wasn't particularly rich that year, hehehe...

Your horoscope by Eddie

Sun, 13 Nov 11 13:33:05 +0100

This year good friend Eddie picked up his habit again of providing us a valuable insight in what this year will bring us. A true must read! Don't delay, visit eddie.niese.net (it's in Dutch).

New York City Tours might be half price for you

Sun, 13 Nov 11 13:33:05 +0100

As Christmas is approaching, here's maybe some cool news for you. You might be entitled to a 50% discount on CitySights tours in NY! Maybe you are among the 110.000 people to enjoy a bus tour in the Great Apple while paying only half of the regular price!

The reason? On September 26th the CitySights website was attacked. Using SQL injection, 110.000 credit card records were stolen, including names, e-mail addresses, credit card numbers, their expiry dates, and cvv codes. The attack was discovered on October 25th. As a gesture to their customers, CitySights is offering the discount - to make things right, so to speak.

So, if you're among those 110.000, be sure to use the 50% discount coupon code! (Oh and to top it off, the Dept. of Justice published the coupon code too, so.. even if you're not among the fraud victims, you can use try the coupon code 012345... Original article is in dutch at at security.nl.)

Weather Forecast

Sun, 13 Nov 11 13:33:05 +0100

Today's weather forecast:

Air quality: fairly good
Hay fever: won't bother me
I won't get a sunburn
My rheumatic arthrosis won't bother me at all
Asthma-wise: not bad, not great
I'll have some problems sleeping
I might be bothered by some migraine

Isn't science wonderful?
(Seen in today's morning papers. Where do they get that stuff?)

World Economy Collapse explained in 3 minutes

Sun, 13 Nov 11 13:33:05 +0100

I was pointed to this video yesterday evening. Pretty hilarious...

The Salvation Army and its choice of toys

Sun, 13 Nov 11 13:33:05 +0100

I saw this weird newsbit yesterday at cnews.canoe.ca. The Canadian Salvation Army has an odd choice for childrens' toys:

The Salvation Army says it refuses to distribute Harry Potter and Twilight toys collected for needy children because they're incompatible with the charity's Christian beliefs. [The organization] refuses to distribute the Twilight and Harry Potter toys because of their wizardry, vampire and werewolf content, said Capt. Pam Goodyear. "The Salvation Army is based on Christian principles, so these things are not in line with those," said Goodyear.

However, plastic M16's are ok. They are for the 10-year olds.
Is there anything wrong with this picture? No wait let me rephrase. Is there anything right with this picture?

Elizabeth thinks highly of me

Sun, 13 Nov 11 13:33:05 +0100

Oh the joy! Elizabeth must think very highly of me. She's just written me a mail, asking for my assistance. Yes! She chose me, out of the undoubtedly hundreds of people she knows! True, she didn't inform me about her trip to the UK, bummer. But she did apologize for it in her mail. It was some kind of business trip thing, so yes, of course I understand, Elizabeth!

But then.. disaster struck and she got attacked. All her stuff got stolen! Oh the horror!! The poor thing! Now she can't even pay for a coffee. Can you imagine how awful she must feel? Now she doesn't want to worry her family and friends, they might think that she got hurt. Oh the dear girl, she's being so considerate to her loved ones!

She needs a mere 1600 quid to sort it out. And she's asking me for assistance! In return she'll pay me back, with interest, and I'm sure I'll earn her eternal gratitude for reaching out in such an unselfish and helpful manner. Don't despair, Ellie! Help is on its way, I'm transferring this cash right now! And of course, as you're asking, I'll send you my phone number right away. I'm eargerly awaiting your call, wanna meet a bit later on? Why yes, of course I'll come to Edinburgh to meet you!

Should I trust my government with my data

Sun, 13 Nov 11 13:33:05 +0100

Seen today in the papers at De Telegraaf (translation attempt by yours truly):

"AMSTERDAM - Criminal gangs can more and more easily access sensitive information at the IRS. Sometimes with cooperation of employees of the IRS.
It's every tax payer's mightmare: an unknown individual steals your fiscal identity and in your name files false statements or cashes money. The tax returns disappear into an unknown account, where the criminals quickly withdraw the cash. The victim of the data abuse usually discovers this too late, the embezzled money is gone. Incase false statements have been filed, the victim has a lot of explaining to do to the IRS. This fraude is lucrative and fairly simple."

So, should I trust my government with my data? No way. They have bad track records. Should I trust large-scale data collections, initiated by the government (which are of course aimed at the war on terrorism and child porn) and "guaranteed safe"? Hell no. To make matters worse, my passport is almost up for renewal, and I'll have to leave 'em my fingerprint. Shit.

Announcing dnspb

Sun, 13 Nov 11 13:33:05 +0100

     _                 _ 
  __| |_ __  ___ _ __ | |__    This is dnspb, the smart proxy/balancer
 / _` | '_ \/ __| '_ \| '_ \   for DNS over UDP or TCP.
| (_| | | | \__ \ |_) | |_) |
 \__,_|_| |_|___/ .__/|_.__/ 
                |_|

Bye bye dns-balance, my prototype of a DNS balancer for UDP.
Announcing dnspb, a DNS proxy/balancer for UDP and TCP, that knows about back end states, supports weights, and much more.

Currently alpha-quality - but check it out if you like.

Realistic piechart

Sun, 13 Nov 11 13:33:05 +0100

The only realistic pie chart ever.
(Via http://graphjam.memebase.com/)

Crossroads 2.71 is out

Sun, 13 Nov 11 13:33:05 +0100

I've battled a few nasty bugs in Crossroads (my pet load balancer). There've been some nasty 32-bit issues that didn't occur on 64-bit systems. Way down in the bowels of g++ code generation.

It took me really a long time to find and fix this, sorry y'all 32-bit users. But finally after 2 days I had it. If you're geeky enough, here's a short write-up. In Crossroads I'm converting a pointer (address) to an unsigned value in the range 0..99. The pointer value is downsized to a bucket number where mutex locks are kept. So, what I did was something similar to:

  unsigned get_bucket_nr(void *ptr) {
    unsigned bucket = (long)ptr % (long)100;
    return bucket;
  }

This will work like a charm on 64-bit systems, where pointers are long values. But behold - on 32-bit systems this will sometimes go abysmally wrong. The return value can be suddenly way outside the 0..99 range. Odd! And of course, as is the case with the really nasty bugs, this error will not occur all of the time, it won't occur most of the time, no, it'll occur just ever-so-sparingly to make it hard to track.

Well, it's fixed now; I replaced the modulo-operation with a "real" hash function (based on hashpjw()). If you are a Crossroads user on a 32-bit system, then please forget about versions 2.69 to 2.70. Get 2.71 or better.

Update: Good buddy Eddie sent me the following information. I should've known... "I've just read your blog on Crossroads 2.71 and the overflow bug on 32-bit systems.. but, it isn't that odd. Unfortunately you aren't using 'unsigned' longs (and in the end, pointers are unsigned). If you'd done that, you wouldn't have had the problem.
The problem is that you're taking a "negative" number (2's complement of a pointer beyond the 2Gb address) and applying modulo-100. The C++ specs say that the result is implementation-dependent. Your neat x86 processor has different 'div' instructions (div computes both division and modulo) which have different behavior with negative numbers.
To be more precise, there are no negative numbers, they may be interpreted as negative. There are several instructions for a 2's complement operation, div and idiv. With signed operands your compiler uses idiv, and with unsigned operands, div. The result that you're seeing is that you get a negative number. The result is not "way outside the 0..99 range", it's in the range -99..0.
You can read it up in the C++ spec, ANSI ISO IEC 14882 §5.6 sub 4: "The binary / operator yields the quotient, and the binary % operator yields the remainder from the division of the first expression by the second. If the second operand of / or % is zero the behavior is undefined; otherwise (a/b)*b + a % b is equal to a. If both operands are nonnegative then the remainder is nonnegative; if not, the sign of the remainder is implementation-defined."
Your hash function of course solves the problem, but for other pointer operations I'd make sure that you are using unsigneds. Even intermediate results must be unsigned.. so cast the crap if necessary.

The fact that this works on 64-bit systems is of course that you only run into trouble when you need more than 63 bits for addressing. When you approach that value, then it'll also explode. It's OS-dependent which virtual address space is used in you rprocesses. I think you can tweak a Linux kernel into mapping the heap nearby the 64-bit border.. then you would see your code toppling too."

Thanks Ed, I've taken this to heart. Fortunately I don't have other pointer arithmetic that involves ints in there, so that's OK. Also, I'm leaving the hash function in, because it gives less hash-collisions... Chalk up another one for being precise, and /faceroll for sloppiness..

8 bit Starwars

Sun, 13 Nov 11 13:33:05 +0100

I saw this today on roflrazzi.com (apparently originally from reddit.com): the eight-bit version of Starwars. Brilliant!

Six to eight black men

Sun, 13 Nov 11 13:33:05 +0100

This was forwarded to me by buddy Beerholder/BOFH. 't Is the season, so here's a short narrative in 3 parts about some of the weird customs in the Netherlands. (If the below links no longer work, just go to youtube and search for "six to eight black men".)

Canada wants backdoors and data and everything

Sun, 13 Nov 11 13:33:05 +0100

A few weeks ago I wrote about the fact that the USA wants backdoors to everything. The oil spill is spreading.

There's an interesting read on Dr. M. Geist's website, at http://www.michaelgeist.ca/content/view/5451/135/. Dr. Michael Geist is a law proffessor with a strong interest in copyright law, net neutrality, privacy and the such - you might've heard of him if you are into these subjects and if you know what the EFF does.

Anyway, Michael Geist describes a new proposed bill, which would radically reshape the Canadian Internet:

Internet providers would be mandated to disclose information about their subscribers without intervening court oversight;
Internet providers would need to implement measures to make it possible to isolate communications from particular subscribers and and intercept these;
Law enforcement agencies would get new powers to get access to these new possibilities.

And here's the kicker: While Internet providers would actively work with law enforcement in collecting and disclosing the subscriber information, they could also be prohibited from disclosing the disclosures as court may bar them from informing subscribers that they have been subject to surveillance or information disclosures. This means that it would be possible to collect data about subscribers and to monitor them, while keeping absolutely silent about it. All fine 'n' legal.

Let's just hope that this proposal is shot down real fast. It might have a very nasty effect of being predecessor to other countries and/or other measures.

(Picture comes from http://www.michaelgeist.ca. Above text in italics is quoted.)

Autumn storm over the Netherlands

Sun, 13 Nov 11 13:33:05 +0100

Oh the joy, autumn's really here. Today's winds reached 100 km/h and more is expected. Traffic jams have gone through the roof of course.

(larger version)

USA wants backdoors to everything

Sun, 13 Nov 11 13:33:05 +0100

There is a very interesting - and scary - article on the Electronic Frontier Foundation's site (EFF). You should really read it. Apparently, USA's legislators are pushing for backdoors in all encryption-related software, so that their surveillance tasks aren't hindered by the fact that The Bad Guys can engage in private conversation. The Federal goverment's plan is that suppliers of communication software (or of communcation channels/methods) must be able to provide to the FBI a means to listen in on electronic conversations. This was reported by the New York Times: "... the Obama administration is drafting a law that would impose a new "mandate" that all communications services be "able to intercept and unscramble encrypted messages" — including ordering "[d]evelopers of software that enables peer-to-peer communication [to] redesign their service to allow interception".

Let me guess - this is a response to (a) terrorism and (b) child porn, so it must be good? This push is a revival of previous efforts, and of course (and rightly so, I think!) the EFF opposes.

But just imagine, what if the legislators got their way. I just can't figure out how that would work.

We have a myriad of programs that engage in point-to-point connections, and that encrypt traffic. Skype is a great example. You get your list of who's online from the Skype servers, but when you start a conversation, you directly connect with your counterparty. So how would that listening-in functionality get integrated into Skype? I only see one viable option: (a) All traffic would need to be routed over Skype's servers, instead of point-to-point traffic. (b) At the Skype servers, the encryption keys would be known, so that the Feds could tap in when they wanted to do so. Net effect? This blows Skype out of the water. When I talk to my neighbour via Skype and this traffic is routed through the USA, then the product becomes virtually useless.
The more back doors you build in, the higher the chances that their existence will leak, and that such back doors will be misused by The Bad Guys. Who's going to put measures into place against such misuse? The same Federal government? I don't think so. Their track record isn't that hot.
How about existing free (or public domain) applications? For example, how about ssh? Is Obama going to stand up and ask, "Say, who's behind this ssh thing. I need you to get up here and rewrite it for us"? Ssh isn't "owned" by one party. There is no-one to address. Are they going to make ssh illegal in the USA?
Strong encryption is also just such a thing. It's out there, the cat's out, can't put it back again. Cryptographers have given the world methods to secure data transmission so that really no-one can listen in, in all practiality. So now what, are they going to make Rijndael, Blowfish, Twofish and whatnot illegal in the USA? Are they going to make crypto illegal?
How will they know what programs people are running to communicate? On a TCP stream level, encrypted data looks like rubbish, like random data. How will they know what back door to open? They'd need to identify one stream of random data as a Skype conversation, or another stream as a https connection, and so on. How do they think they'll be able to do that?
Then there's the issue with national borders. Obviously the sane remainder of the world will switch to a non-crippled Skype-lookalike. But then, when I'm in the USA, and I want to talk to my neighbour, will using my Skype-lookalike be outlawed? Do they have the right to do that?
This is going to turn into another cat-and-mouse game. That's pretty obvious. End result - the Bad Guys will of course use new technologies to protect their privacy, the Federal government will be chasing such products to get back doors in, the rest of us will be hindered by all the hassle, and all this is going to eat up vast amounts of money.
Last but not least - this is a huge breach of personal privacy. It's a great way of paving the road for a police state.

The whole plan is not well thought of, dangerous, and just plain stupid. Putting dangerous tools into the hands of stupid people never helped anyone. The plan is just bad.

Sudoku solver in Perl

Sun, 13 Nov 11 13:33:05 +0100

While cleaning up an old backup disk, I came across this Sudoku solver. It would be shame to just delete it.. so I might just as well park it here. I still remember its origins: Some years ago I was working with a couple of co-geeks at a bank. Each month we'd take a look at the corporate newsletter, which had a Sudoku puzzle on the last page. Solving the puzzle and sending in the solution could win you a small prize, a free lunch or something.

No better challenge than this, of course. I wrote the solver, used it for fun to solve the monthly puzzle, and I kept e-mailing back the solutions. I'd make it a sport to send back the solution within seconds of receiving the newsletter. Actually, I never won that free lunch, I think they figured out that I wasn't cracking numbers in my mind.

Here's the principle. You get a 9x9 matrix where each cell is allowed to hold one digit, 1 through 9. On each row of the matrix and on each column the digits 1 through 9 must occur just once. For example, below is a puzzle. The question is how to fill in the blanks:

	7			3				8
		2					1	4
1		8			4	7
	8				5
		7	8	1	2	9
				4			8
		5	6			3		9
7	2					6
6				4			7

And here's how to operate the solver.

First, write down the puzzle in the following format: per line, put in a hyphen for a blank spot, or a digit for a digit. The above puzzle is therefore:
```
-7--3---8
--2----14
1-8--47--
-8---5---
--78129--
---4---8-
--56--3-9
72----6--
6---4--7-
```
Save this in a file, e.g. /tmp/puzzle
Now run: sudoku silent < /tmp/puzzle Or if you want a lot of output, run sudoku trace < /tmp/puzzle

Enough explanation. Here's the solver, have fun with it.

#!/usr/bin/perl

use strict;
my @table;
my $verbose = 0;

if ($#ARGV != 0 or ($ARGV[0] ne 'trace' and $ARGV[0] ne 'silent')) {
    die <<"ENDUSAGE";

Usage: sudoku trace
   or: sudoku silent

Expects input table on stdin, where each line contains hyphens or
numbers. E.g. the following is a valid table. There are 9 characters
in each row, and 9 rows:  

-7--3---8
--2----14
1-8--47--
-8---5---
--78129--
---4---8-
--56--3-9
72----6--
6---4--7-

You can also use dots instead of hyphens to indicate empty spaces.
The solution (if any) is shown.

Argument 'trace' shows what's going on. Argument 'silent' produces
way less output.
  
ENDUSAGE
}
$verbose++ if ($ARGV[0] eq 'trace');

# Read table.
for my $y (0..8) {
    my $line = ;
    chomp ($line);
    my @chars = split ('', $line);
    for my $x (0..8) {
	settable ($x, $y, $chars[$x]);
    }
}
showtable("Starting with table:\n", 0, 0);
print ("Working..\n");

if (solve (0, 0)) {    
    showtable("Solved:\n", 0, 0);
} else {
    print ("No solution found.\n");
}

#########################################################################

sub solve ($$) {
    my ($x, $y) = @_;

    return (1) if ($x < 0 or $x > 8 or $y < 0 or $y > 8);
    
    if (gettable ($x, $y)) {
	msg ($x, $y, "Table at already occupied by ", gettable($x, $y),
	     ", trying next\n");
	my $ret = solve (nextcoord ($x, $y));
	return ($ret);
    }

    for my $n (1..9) {
	if (tablefree ($x, $y, $n)) {
	    msg ($x, $y, "Trying $n\n");
	    settable ($x, $y, $n);
	    msgtable ("Trying:\n", $x, $y);
	    if ( ($x == 8 and $y == 8) or (solve (nextcoord ($x, $y))) ) {
		msg ($x, $y, "Leaving $n\n");
		return (1);
	    }
	    settable ($x, $y, 0);
	}
    }
    msg ($x, $y, "Resetting\n");
    settable ($x, $y, 0);
    return (undef);
}

sub msg {
    my $x = shift;
    my $y = shift;

    return unless ($verbose);

    for my $i (0..( $x + 8 * $y)) {
	print (' ');
    }
    print ("[$x,$y]: ", @_);
}

sub nextcoord ($$) {
    my ($x, $y) = @_;
    if ($x < 8) {
	return ($x + 1, $y);
    } else {
	return (0, $y + 1);
    }
}

sub tablefree ($$$) {
    my ($x, $y, $n) = @_;

    for my $i (0..8) {
	if ($i != $y and gettable ($x, $i) == $n) {
	    msg ($x, $y, "$n not possible, already on y=$i\n");
	    return (undef)
	}
	if ($i != $x and gettable ($i, $y) == $n) {
	    msg ($x, $y, "$n not possible, already on x=$i\n");
	    return (undef);
	}
    }

    my ($startx, $starty, $endx, $endy);
    if ($x > 5) {
	$startx = 6; $endx = 8;
    } elsif ($x > 2) {
	$startx = 3; $endx = 5;
    } else {
	$startx = 0; $endx = 2;
    }
    if ($y > 5) {
	$starty = 6; $endy = 8;
    } elsif ($y > 2) {
	$starty = 3; $endy = 5;
    } else {
	$starty = 0; $endy = 2;
    }
    for my $xx ($startx..$endx) {
	for my $yy ($starty..$endy) {
	    if ($x != $xx and $y != $yy and gettable ($xx, $yy) == $n)  {
		msg ($x, $y, "$n not possible, already on x=$xx, y=$yy\n");
		return (undef);
	    }
	}
    }

    msg ($x, $y, "$n is allowed here\n");
    return (1);
}

sub settable ($$$) {
    my ($x, $y, $ch) = @_;
    die ("Bad table input '$ch'\n")
      if ($ch ne '-' and $ch ne '.' and
	  ($ch lt '0' or $ch gt '9'));
    return if ($ch eq '-' or $ch eq '.');

    $table[$y] = [ 0,0,0, 0,0,0, 0,0,0, 0,0,0 ]
      unless (defined ($table[$y]));

    my @row = @{ $table[$y] };
    $row[$x] = $ch;
    $table[$y] = \@row;
}

sub msgtable ($$$) {
    return unless ($verbose);
    showtable (@_);
}

sub showtable ($$$) {
    my ($title, $xx, $yy) = @_;
    
    for my $i (0..( $xx + 8 * $yy)) {
	print (' ');
    }
    print ($title);
    for my $y (0..8) {
	for my $i (0..( $xx + 8 * $yy)) {
	    print (' ');
	}
	print ("    |");
	for my $x (0..8) {
	    my $ch = gettable ($x, $y);
	    if ($ch > 0) {
		print ($ch);
	    } else {
		print (' ');
	    }
	    print ('|');
	}
	print ("\n");
    }
    print ("\n");
}

sub gettable ($$) {
    my ($x, $y) = @_;
    return (0) unless (defined ($table[$y]));
    my @row = @{ $table[$y] };
    return ($row[$x]);
}

Finally wrote up a Syscheck page

Sun, 13 Nov 11 13:33:05 +0100

I finally wrote up a page on syscheck, a neat little homegrown tool that I use for self-monitoring and self-healing of Unix boxes. Hope you like it too. The documentation shows what it does, how the configuration file is structured, lists some examples, and so on.

Neon sign fail

Sun, 13 Nov 11 13:33:05 +0100

[Dutch entry.. this is too language-specific.]

Gisteravond, op bezoek bij mijn schoonbroer in Vianen:

Als je goed kijkt had er Brouwers moeten staan ;-) Toch bijzonder als neonletters zo specifiek uitvallen!

The Renault Eco Team

Sun, 13 Nov 11 13:33:05 +0100

This got me a chuckle. Some time ago I saw a Renault Eco Team car. Except they were driving a Dacia Duster... Maybe they couldn't get a good deal at the Renault shop?

Crossroads 2.68 is out

Sun, 13 Nov 11 13:33:05 +0100

I just put out version 2.68 of my pet loadbalancer Crossroads; check out the primary site crossroads.e-tunity.com, or sign up at the forum xrforum.org. This version has some important fixes in HTTP header rewrites, in mutex handling, and in verbose/debug messaging. Worth a spin.

Regarding mutex handling, I think I got a neat speedup. For the techies: Mutexes are contained in nodes that can be locked or unlocked. The nodes are kept in binary trees for faster access. Finally, for even faster access, I have a hashtable of 50 trees so that unbalanced or overfull trees are avoided. Basically I described this previously, except that in the Crossroads version of this code, I added the hash table. I also extended the mutex nodes with a method trylock(), which obviously gets a lock, or fails - but doesn't block. I'm using this in the messaging which generates the tons of debug info: when debugging is on, then instead of blocking Crossroads due to a mutex lock, I rather drop a debug line. Works quite well.

How to suppress Flash cookies

Sun, 13 Nov 11 13:33:05 +0100

It's quite public knowledge that Adobe's Local Shared Objects (LSO's) are used to track browsing habits - they're more often called Flash Cookies (since Flash is usually the one who creates them). This means, that even if you instruct your browser to clear regular cookies at startup (or if you treat persistent cookies as transient), you can be still pretty sure that your browsing behavior is being tracked. Flash cookies are "the next thing" to track your browsing habits, since regular third-party cookies are nowadays so often blocked by browsers, or automatically deleted.

Flash cookies work just like ordinary third-party cookies. When you visit a site, there's a good chance that you will be confronted with a Flash ad. Such an ad is typically not served from the site itself, but from a third-party ad server. This Flash-based ad will now happily leave a Flash cookie on your system. When you visit another site that also serves a Flash ad that's pulled in from the same ad server, then the connection is made, and there you already have a browsing history spanning two sites. And so on. Current estimates are that about 50% of all sites leave Flash cookies on your system, which is a pretty valuable resource for measuring your browsing habits.

The problem with suppressing flash cookies is that they are outside of the browser's control. A different piece of software (Flash) creates and reads such cookies; without knowledge or consent of the browser. Typical browser addons therefore won't be able to help out; the standard privacy controls are useless here. Adobe does offer some settings - you can "opt out" of LSO generation on a per-domain basis, or even globally. However even after opting out, Flash cookies seem to be reappearing.

So as a suggestion, here's a more radical way of dealing with Flash cookies: simply forbid them on a operating system level. OS-level? Yes! That's why we have an operating system - to force ill-behaving software into submission ;-) Here is where LSO's are stored under Mac OSX:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/
~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/

Adobe LSO's will occur under these directories (maybe under subdirectories under them). So what's easier than to (a) empty out those directories, (b) to make then non-readable?

I've tried this out and it works like a charm. The Flash-based sites that I visit still work just fine, but Flash cookies are gone. The only drawback is that one day Adobe might decide to make a cookie-directory writable, when it sees that the file permissions are too strict. But hey, that'll be another day. So far so good!

For your enjoyment: below is a script that does just this, for Mac OSX. A very similar script could be devised for Linux, or even maybe something for Windows. If you want to know where Flash cookies are stored on Windows or Linux, read http://en.wikipedia.org/wiki/Local_Shared_Object.

Right, so here's the little script. Tested and found working - at least, for me - but use it at your own risk.

#!/bin/sh

case $(uname) in
    Darwin)
	echo 'About to suppress Flash cookies for this user.'
	;;
    *)
	echo 'Sorry, this OS is not supported by this script.'
	exit 1
	;;
esac

cd "$HOME/Library/Preferences/Macromedia/Flash Player" || exit 1
rm -rf '#SharedObjects' || exit 1
mkdir '#SharedObjects' || exit 1
chmod a-w '#SharedObjects' || exit 1
echo "$(pwd)/#SharedObjects dir cleaned and made non-writable."

cd "$HOME/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer" || exit 1
rm -rf 'sys' || exit 1
mkdir 'sys' || exit 1
chmod a-w 'sys' || exit 1
echo "$(pwd)/sys dir cleaned and made non-writable."

echo '** All done! **'

Meanwhile on Facebook

Sun, 13 Nov 11 13:33:05 +0100

Lol! I particlarly like the "Copernicus likes this" touch.
(Seen on failbook.failblog.org)

The Yes Men Fix The World

Sun, 13 Nov 11 13:33:05 +0100

just yesterday I watched "The Yes Men Fix the World" - a real must-see if you're into that kind of thing. This is the story of two guys who pretend to be spokesmen of corporations, or the government, or whatever - but, what they say is what they think that should've been said or done in the first place, instead of chasing profit, or voters. Eventually of course the truth comes out, that they are not speaking on behalf of the organizations they're pretending to represent. By then it's called a hoax - but the movie nicely shows how idealistic such a hoax can be. And what effects it can have.

This movie has been gagged from appearing in certain settings, and these guys themselves have made it available via bittorrent. So, just go to isohunt.com, or thepiratebay.org, or any other bittorrent tracker, and download it. It's great for two hours of semi-serious fun.

Update: I should also mention The Yes Men's site - which is http://theyesmen.org. Very much worth a visit.

ed is not dead

Sun, 13 Nov 11 13:33:05 +0100

Some dinosaurs just refuse to go extinct. From a very long time ago I still remember ed, the "standard" Unix line-oriented editor. It eventuall evolved into vi, a fullscreen visual variant. Good ol' vi still bears the the scars of its heritage - such as a separate command mode and a separate insert mode. For me, the good days only started with emacs, the first beast that really made sense - and was totally programmable, something that every editor should have. And still, the old dino won't roll over and die. Seen today on freshmeat:

I know I'm going to have nightmares tonight.

Installing Perl modules in a non root environment

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I had to install a few Perl modules as non-root. It took me a while to ~~Google this~~ figure this out, so here's a synopsis.

When starting cpan for the first time, you're presented with a number of options - such as, where are the nearest mirrors. There's also an option to specify the PREFIX under which all stuff is supposedly installed. One would think that that's enough, but alas: apparently, older Perl modules don't obey the PREFIX and require additional work. Here's how.

Step 1: Choose a location

First of all, decide where the non-root-owned Perl modules will go. For example, this might be ~/localperl. In that case, create the directories, including subdirs man1 and man3:

mkdir -p ~/localperl/man1 ~/localperl/man3

Step 2: Patch up the CPAN configuration

Next, start cpan and define a few build parameters. In the cpan shell, enter:

o conf makepl_arg "LIB=~/localperl PREFIX=~/localperl INSTALLSITEMAN1DIR=~/localperl/man/man1 INSTALLSITEMAN3DIR=~/localperl/man/man3"
o conf make_install_arg UNINST=0
o conf commit

After this, you can exit cpan.

Step 3: Install any modules you need

Next, install anything you want. E.g., inside the cpan shell, type install XML::Simple. This module (and all dependencies) will appear under ~/localperl.

Step 4: How to use the modules

Adding the diretory ~/localperl to the Perl search path is standard:

Add ~/localperl to the environment variable LIB. E.g., in your profile, add:
```
export LIB=$LIB:~/localperl
```
Alternatively, fix up Perl scripts to look in ~/localperl as follows:
```
BEGIN { push(@INC, '/home/username/localperl'); }
use XML::Simple;
```

Magic self leviation

Sun, 13 Nov 11 13:33:05 +0100

This was shown to me today.

Gravity is not just a good idea. It's the law.

Google Chrome does not support offline Gmail

Sun, 13 Nov 11 13:33:05 +0100

Attempts to support your own software can go haywire and apparently have their own sense of irony. The way I access my Gmail account doesn't support offline mail - because I use Google Chrome to access it...

Hmmm... Ok, but why? Offline storage uses Google Gears.. So do I have that installed at all? Yeah, unsupported. That's so me.

The number 48

Sun, 13 Nov 11 13:33:05 +0100

Well, it's August 19th again. Happens every year, but as a compensation I get presents! On the upside, in a base24 numeric system I'm only 20 years old. On the downside, octally speaking I'm 60. Here's how you write 48 in different numeric bases. There's a little generator too if you're interested.

Base	Representation
2	110000
3	1210
4	300
5	143
6	120
7	66
8	60
9	53
10	48
11	44
12	40
13	39
14	36
15	33
16	30
17	2e
18	2c
19	2a
20	28
21	26
22	24
23	22
24	20
25	1n
26	1m
27	1l
28	1k
29	1j
30	1i
31	1h
32	1g
33	1f
34	1e
35	1d
36	1c
37	1b
38	1a
39	19
40	18
41	17
42	16
43	15
44	14
45	13
46	12
47	11
48	10

use strict;

# Shamelessly ripped from http://www.perlmonks.org/?node_id=27148
# Orignal code by ikegami

my @nums = (0..9,'a'..'z','A'..'Z');
my %nums = map { $nums[$_] => $_ } 0..$#nums;

sub to_base ($$) {
    my $base   = shift;
    my $number = shift;
    return $nums[0] if $number == 0;
    my $rep = "";
    while ($number > 0) {
	$rep = $nums[$number % $base] . $rep;
	$number = int($number / $base);
    }
    return $rep;
}

for my $base (2..48) {
    print("Base: $base -- ", to_base($base, 48), "\n");
}

Welsh trout mini HOWTO

Sun, 13 Nov 11 13:33:05 +0100

During our week off in Wales we had a great time one afternoon getting some rainbow trout for dinner. Here's some pics.

Step 1: Get the fish

Find a lake.

Start fishing.

Got one!

One more!

Step 2: Preparation

Six trouts all cleaned out

Looking just fine.

Step 3: Cooking

Barbecue time

Lovely pink meat

Step 4: Dinner time!

Dinner time

Step 5: Cleanup

No photos there. I just did
su kids -c "make clean || receive punishment"
Worked like a charm.

Fooling a NetCache proxy into fetching forbidden files

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I had an interesting hacking session regarding proxies and the such. We were trying to get Maven (a Java build tool) to get to work in a corporate environment where the outgoing proxy is a NetCache appliance - in our case NetApp/5.6.2R1. When we fired up Maven, and the process tried to fetch extra modules from the Internet. And failed. Oh of course! We'd forgotten to tell Maven to talk to the Internet via an outgoing proxy...

Ok, step 1. We configured Maven to use an external proxy for Internet contact, with the right proxy credentials. Then we retried. Still no luck. The outgoing proxy would block .jar files with a "403 forbidden" error. I've seen this behavior before, outgoing proxies will try to protect unsuspecting users from fetching e.g. .exe files - which will typically be a Trojan trying to infect the corporate network environment. But I'd never seen the blocking of jars yet. We could reproduce this fairly easily with a wget, as follows:

prompt: export http_proxy=http://proxyuser:proxypass@proxyhost:8080
prompt: wget -SO- http://where.ever.org/some/place/somefile.jar
Proxy request sent, awaiting response... 
  HTTP/1.0 403 Forbidden
  Date: Wed, 03 Aug 2010 10:23:02 GMT
  Content-Length: 257
  Content-Type: text/html
  Server: NetCache appliance (NetApp/5.6.2R1)
2010-08-04 12:23:00 ERROR 403: Forbidden.
prompt:

Ah well.

Now in a browser or at the command line, that's pretty trivial to circumvent. The NetCache can be easily fooled by specifying the final dot in the filename as "%2e", which is the hexadecimal notation for the dot. So, the following command would succeed:

prompt: wget 'http://where.ever.org/some/place/somefile%2ejar'

But but but.. you can't get an existing system like Maven to recode dots into %2e. Now what?

Right, on to step 2. More hacking and drilling holes. Perl's HTTP::Proxy to the rescue! I wrote up a small intermediate Perl proxy to recode dots into %2e, and forward the request onto the outgoing NetCache proxy. Without ado - here's the code. In order to make this work, you'll probably first need to install HTTP::Proxy using Perl's cpan.

#!/usr/bin/env perl

use strict;
use HTTP::Proxy qw(:log);
use HTTP::Proxy::HeaderFilter;

# Configuration section. Edit only this part.
# -------------------------------------------
my $configuration =  
  {
   # The downstream proxy
   proxyserver => 'the-proxy-hostname',
   proxyport   => 8080,
   proxyuser   => 'the-proxy-username',
   proxypass   => 'the-proxy-password',

   # Hosts to exclude from going to the external proxy
   noproxy     => '127.0.0.1, 10.1.1.1, 10.1.1.2', 

   # Log level of this proxy. Set to NONE to get errors only.
   loglevel    => NONE,
   # loglevel  => PROXY | STATUS | HEADERS,

   # Extensions to fix up (e.g. ".exe" to "%2eexe" to fool the
   # downstream proxies)
   extensions  => [ qw(zip exe jar) ],

   # Who are we.
   version     => '1.00',
  };

# Configuration ends. Do not edit below.
# --------------------------------------

# Reset any external proxy settings.
my $downstream_proxy = 'http://';
$downstream_proxy .=
  $configuration->{proxyuser} . ':' . $configuration->{proxypass} . '@'
  if ($configuration->{proxypass} ne '' and 
      $configuration->{proxyuser} ne '');
$downstream_proxy .= $configuration->{proxyserver};
$downstream_proxy .= ':' . $configuration->{proxyport}
  if ($configuration->{proxyport} ne '');
print("Downstream proxy: $downstream_proxy\n");
for my $e qw(http_proxy https_proxy ftp_proxy) {
    $ENV{$e} = $downstream_proxy;
}
$ENV{no_proxy} = $configuration->{noproxy};

# Package the request header filter.
{
    package MyFilter;
    use base qw(HTTP::Proxy::HeaderFilter);

    sub filter {
	my ($self, $headers, $message) = @_;
	$message->headers->header(User_Agent =>
				  "pproxy/$configuration->{version}");
	my $olduri = $message->uri();
	my $uri = $olduri;
	for my $e (@{ $configuration->{extensions} }) {
	    $uri =~ s{\.$e([^/]*)}{%2e$e$1}g;
	}
	# print("Old uri [$olduri] changed to [$uri]\n");
	$message->uri($uri);
    }
    1;
}

# Set up the logger
my $of;
if (-x '/usr/bin/logger') {
    open($of, '|/usr/bin/logger -t pproxy')
      or die("Cannot start logger pipe: $!\n");
    print("Logging to activity to the system log.\n");
} else {
    open($of, '>>/tmp/pproxy.log')
      or die("Cannot write /tmp/pproxy.log: $!\n");
    print("Logging activity to /tmp/proxy.log.\n");
}

# Instantiate and initialize proxy
my $proxy = HTTP::Proxy->new(port => 3128);
$proxy->push_filter(request => MyFilter->new());
$proxy->logfh($of);
$proxy->logmask($configuration->{loglevel});

# Run tha proxy!
$SIG{PIPE} = 'IGNORE';
print("Contact the proxy on http://localhost:3128.\n");
$proxy->start();

Instructions, incase you like this:

Copy the listing above and save it to e.g. /usr/local/bin/pproxy.
Make the file executable using chmod +x /usr/local/bin/pproxy
Edit the file and fix up the configurations at the top. You will need to change the settings for the downstream proxy (proxy user, proxy password, proxy server and proxy port), and probably you'll want to extend the noproxy list with a few internal hostnames in your network.
Next, fire up the proxy using the command pproxy &
Your new proxy is listening to port 3128.
Configure your programs to use the proxy http://localhost:3128. The pproxy process will either log to /var/log/messages or to /tmp/pproxy.log (depending on the availablility of the program /usr/bin/logger), so check there for errors or other output.

Next up, step 3. We reconfigured Maven to talk to http://localhost:3128 as its outgoing proxy, without supplying proxy credentials ('cuz the above pproxy does that). We fired up the build process using Maven and - success. Maven fetched all that it needed (.jar files, .jar.sha1 files and what not) and got busy.

We also put the following in the system-wide profile, so that any wget will work:

export http_proxy=http://localhost:3128

That's all! Happy hacking & if you have suggestions - as ever, drop me a note.

August 23rd, update:

The above shown proxy binds only to the IP address of 'localhost' and hence can't be accessed from other machines. If you want to use the proxy from other IP addresses than the local machine, change the HTTP::Proxy constructor to pass a configuration variable host, with value undef. In that case, the proxy will bind to all IP addresses that are available. (The value can also be a specific IP address if you prefer that.) The constructor then becomes:
```
my $proxy = HTTP::Proxy->new(port => 3128, host => undef);
```
In order to allow the proxy to serve more than just a few requests at a time, the max_clients() setting can be increased:
```
my $proxy = HTTP::Proxy->new(port => 3128, host => undef);
$proxy->max_clients(1024);
```
Similarly, the downstream timeout (to the NetCache proxy further on) is by default 60 seconds. If you want to shorten it to say 10 seconds, add:
```
$proxy->timeout(10);
```

The world will end on May 21, 2011

Sun, 13 Nov 11 13:33:05 +0100

I recently visited http://www.wecanknow.com/ -- by accident, I swear -- and guess what, on May 21st 2011, Judgement Day will occur (or should've occurred, depending on when you are reading this). That's all fine and well, but what time? What time will the Supreme Being descend onto earth to nuke the shit out of us? Such time resolution of one day just won't do in our modern times. I would prefer the exact time, up to a second precision.

Maybe I can make an educated guess.

Will the Supreme Being have his morning coffee (or if he's British, tea toast and marmelade) and then go about his business, as in, "Another boring day at the office ahead, but let's get on with it"? In that case I'd expect armageddon 'round ninish.
Alternatively, he might take care of his e-mails first, do some administration, have tea and lunch, and have a nice armageddon around half past one. Early-ish in the afternoon, so to speak.
But what if he's from one of the South European countries, or from the Carribean, or generally a hot place? Then he'd probably prefer to have a siesta first, between say midday and four pm. Armageddon would then be rather late in the afternoon.
Or, after leaving the office, he'll pop into his favorite pub, have a steak and fries with a couple of pints, get moderately pissed, and nuke us. "Rwrright.. lezzhave some armrrag.. amragged.. nukage." ZAP!
Or maybe even later than that? Just as he's put on his jammies and brushes his teeth? "Oh right, almost forgot that there's an armageddon scheduled for today. Lucky that I remembered just in time!" ZAP.

But wait, that's not all. Which timezone is his watch set to? Just a date simply won't do. The duration of "May 21st" is 48 hours depending on your location! He might nuke the earth while I'm still on May 20th, still happily frolicking around and thinking that I have time to spare. Or he might nuke me while I'm on May 22nd and just having a beer thinking that all this was just yet another foolish doomday prediction. Too many open ends.

Quite arbitrarily I've decided to take my local timezone as reference. I reckon the Supreme Being will have the decency to respect my clock. This might not be quite right, but hey, I need to make an assumption here. In order to help us all estimating how much time we have left, I have put below a small second-resolution timer. Incase the Great Zap won't occur, the clock should count up again ;-)

(The clock actually takes the browser's timezone as reference, so depending on your location, you should hope that the Supreme Being respects your local clock.)

Hiding or showing a textbox with image animation using JQuery

Sun, 13 Nov 11 13:33:05 +0100

More eye candy in the browser!

Here's a very quick description how you can hide or show a text box in a browser, with image animation in a title bar that suggests that the box can be opened or closed.

Here are some concepts:

Internally we'll use JQuery to show or hide page content.
We'll need an outer div which will be always visible. In this, there will be...
A title div, also always visible. Clicking an image in the title div toggles the visibility of...
A content div, which is either visible or not.

Typical usage

Here is a small example. For visibility, the outer div has a border around it. There's a small arrow in the title to toggle the visibility of the contents. The shown arrow is the file /img/arrow-down.png, it's a transparent arrow that will look right on any background. Once the content hides, the image changes to /img/arrow-right.png (If you want, get the images from my site. I made them, and they are not copyrighted. Use them however you like.) Try it out, click on the arrow below.

Click the arrow to hide or show contents.

Lorem ipsum dolor sit amet, aliquam dolor, viverra et in, amet lacus. Felis elit ligula integer, dolor lacus, tellus integer duis ut amet, metus et aenean. Iaculis mollis vestibulum odio amet duis quis, sodales nulla tellus enim proin, scelerisque praesent erat integer felis dictum et, nam vestibulum dui eros, ut adipiscing porttitor in. Nunc nibh malesuada ut aliquam cursus, enim fermentum cursus aliquam pretium lorem, consequat interdum dictumst placerat pellentesque, vel volutpat eget eu, tortor quis lacus metus. Donec cras aliquam nulla dictumst magna, vulputate lacus erat, augue orci ut sit pellentesque condimentum aliquet, amet sodales sit egestas praesent. Fringilla ultricies consectetuer felis, turpis nulla blandit cursus eros purus velit, metus nec urna, diam mi esse consectetuer duis sem morbi. Eros semper in eu, mauris magna vitae sed mi vitae, sed non porta wisi, nam habitant, vivamus fermentum sodales enim nam. Vestibulum id risus duis omnis sed pellentesque, cursus magna egestas nunc in, pulvinar sed sit ante luctus ut, rutrum placerat malesuada purus lacus erat, nam nulla porttitor vel nibh. Massa sit sem elementum pretium. Nulla sed pede a, leo eu libero nam tellus aenean, mus lobortis semper leo arcu massa sed, non vero.

Right. Onward to the code. First of all, you will need JQuery, a JavaScript library, which is included in the head section of the page. You can get your copy of jquery.js at jquery.com. (The downloaded copy might have a filename like jquery-1.4.2.min.js, i.e., with a version ID etc. in it. For practical purposes, I'm just referring to it as jquery.js.)

Next, you'll need a text box. Here's what comes in the body.

  


    
  
    
    Click the arrow to hide or show the contents.
  

  
  
    Lorem ipsum dolor sit amet, ..... non vero.

Right. The only thing that remains is the Javascript function togglebox(). It works as follows:

It expects two arguments: the ID of the image of a box, and the ID of the content div of a box.
When the content div is visible, then the image is swapped to /img/arrow-right.png and the content is hidden.
When the content div is hidden, then the image is swapped to /img/arrow-down.png and the content is shown.

Here it is.

An initially hidden textbox

The text box can be initially made hidden, so that it "unfolds" when a user clicks the arrow. The easiest way to do that, is to draw the box as shown above, but to run togglebox() just once to hide it. From then on the user can take over to show it. The following box should be initially hidden, but you can click on the arrow to show its contents:

Click the arrow to hide or show contents.

Here's how this looks in the code:

Playing around with a floating box

Same thing, but a floating box.

The same concept can be re-used on the same page, as long as the image id and content div id are unique per textbox. As with any div, the textbox can be placed inline with text, just by adding a style, as in:

There are lots of possibilities to play around with.

Have fun! And as ever, if you have neat additions - drop me a note.

Manipulating browser cookies using Javascript

Fri, 27 Apr 12 21:41:00 +0200

I've had to manipulate cookies in Javascript a number of times now. I've had so much code distributed over so many separate projects, that I've decided to collect it into one sort-of comprehensive set of functions. Here's the outcome.

If you're interested, the file cookies.js can be downloaded here.
As with most things on this site: you're free to use it as you see fit. And if you have nice and useful additions - let me know!
Here's a short synopsis (from the top of the source file):
If you want to see a quick test with some explanation, which runs the test in your browser: there is a short test below. You can also get a stand-alone test file which does the same as test.html.

Initializing

The code is contained in a file cookies.js which must be sourced:


  
    JavaScript Cookie Functions Test

Setting Cookies

For example: This sets cookies named test0 through test9 having values value_of_test_0 and so on.

for (var i = 0; i < 10; i++)
    cookie_set('test' + i, 'value_of_test_' + i, 1, '/');

Getting the value of a given cookie

This returns the value of a given cookie, e.g. test4:

document.write('The value of cookie test4 is: ' +
               cookie_get('test4'));

Listing all cookies

Function cookie_names() returns an array of the names of all cookies:

document.write(''); 
var cookies = cookie_names();
for (var i = 0; i < cookies.length; i++)
    document.write('Cookie ' + cookies[i] + '' +
	           ' has value ' + cookie_get(cookies[i]));
document.write('');

Deleting one cookie

Function cookie_delete() removes a given cookie. It is exactly the same as calling cookie_set() with value '' (empty string). For example, this kills cookie test1:

cookie_delete('test1');      
document.write(''); 
var cookies = cookie_names();
for (var i = 0; i < cookies.length; i++)
    document.write('Cookie ' + cookies[i] + '' +
	           ' has value ' + cookie_get(cookies[i]));
document.write('');

Deleting a number of cookies

Function cookies_delete() (mind the s) deletes a "blacklist" of cookies. E.g., the following kills cookies test7 and test9:

cookies_delete(new Array('test7', 'test9')); 
document.write(''); 
var cookies = cookie_names();
for (var i = 0; i < cookies.length; i++)
    document.write('Cookie ' + cookies[i] + '' +
	           ' has value ' + cookie_get(cookies[i]));
document.write('');

Deleting all cookies but a few

Function cookies_delete_except() (mind the s) deletes cookies except when they are in a "whitelist". E.g., the following kills all cookies but test5 and test6:

cookies_delete_except(new Array('test5', 'test6'));  
document.write(''); 
var cookies = cookie_names();
for (var i = 0; i < cookies.length; i++)
    document.write('Cookie ' + cookies[i] + '' +
	           ' has value ' + cookie_get(cookies[i]));
document.write('');

Survival of the fittest book

Sun, 13 Nov 11 13:33:05 +0100

On my holiday I read (no, I devoured) "The Greatest Show on Earth" by Richard Dawkins. A really marvellous book which tells evolutionary stories of nature all over the world, digs into some aspects of geology and fossiles, and of course: explains how silly the Creationinst views are, when you regard all the evidence. Dawkins' main point is that "the theory of evolution" isn't a theory in the sense that it might or might not be true: it's a theory in the sense that it's accepted and true, and the "theoretical" part is the scientific explanation, as in "theory of gravity". Not many people will dispute the existence of gravity, because there's the word "theory" attached to it.

I can highly recommend this book. Many of the concepts might be already known to you (especially if you're a Pastafarian), and Dawkins is a great storyteller who talks about the genious of Darwin and who brilliantly makes his point.

There's just one thing about this book. My soft cover copy didn't survive the beach life, so it didn't do too well on spreading its ideas beyond just one individual. I suspect that a hard cover copy would be more fit in projecting its content into the world... might there be a pseudo-evolutionary pressure on books that favors hard covers? Or, might there be a "ideological" evolutionary pressure that disfavors ideas expressed in soft covers? Hmmm... I wonder what the creationist viewpoint is on this matter!

Pastafarians in Spain

Sun, 13 Nov 11 13:33:05 +0100

During my last week's holiday in Spain, I saw this sign in Llança (which is north of Barcelona and very close to the French border:):

I find it very comforting that there's a strong chapter of Pastafarians in this part of spain.

You have two sheep

Sun, 13 Nov 11 13:33:05 +0100

This was forwarded to me by my bro' in law. Another one of those lists, but quite good tbh. LOL!

SOCIALISM: You have 2 sheep, and you give one to your neighbour.
COMMUNISM: You have 2 sheep. The State takes both and gives you some wool.
FASCISM: You have 2 sheep. The State takes both and sells you some wool.
NAZISM: You have 2 sheep. The State takes both and shoots you.
BUREAUCRATISM: You have 2 sheep. The State takes both, shoots one, shears the other, then throws the wool away...
TRADITIONAL CAPITALISM: You have two sheep. You sell one and buy a ram. Your herd multiplies, and the economy grows. You sell them and retire on the income.
SURREALISM: You have two giraffes. The government requires you to take harmonica lessons.
AN AMERICAN CORPORATION: You have two sheep. You sell one, and force the other to produce the wool of four sheep. Later, you hire a consultant to analyse why the sheep has dropped dead.
ENRON VENTURE CAPITALISM: You have two sheep. You sell three of them to your publicly listed company, using letters of credit opened by your brother-in-law at the bank, then execute a debt/equity swap with an associated general offer so that you get all four sheep back, with a tax exemption for five sheep. The wool rights of the six sheep are transferred via an intermediary to a Cayman Island Company secretly owned by the majority shareholder who sells the rights to all seven sheep back to your listed company. The annual report says the company owns eight sheep, with an option on one more. Sell one sheep to buy a new president of the United States, leaving you with nine sheep. No balance sheet provided with the release. The public buys your ram.
THE ANDERSEN MODEL: You have two sheep. You shred them.
A FRENCH CORPORATION: You have two sheep. You go on strike, organise a riot, and block the roads, because you want three sheep.
A JAPANESE CORPORATION: You have two sheep. You redesign them so they are one-tenth the size of an ordinary sheep and produce twenty times the wool. You then create a clever sheep cartoon image called 'baakimon' and market it worldwide.
A GERMAN CORPORATION: You have two sheep. You re-engineer them so they live for 100 years, eat once a month, and shear themselves.
AN ITALIAN CORPORATION: You have two sheep, but you don't know where they are. You decide to have lunch.
A RUSSIAN CORPORATION: You have two sheep. You count them and learn you have five sheep. You count them again and learn you have 42 sheep. You count them again and learn you have 2 sheep. You stop counting sheep and open another bottle of vodka.
A SWISS CORPORATION: You have 5000 sheep. None of them belong to you. You charge the owners for storing them.
A CHINESE CORPORATION: You have two sheep. You have 300 people shearing them. You claim that you have full employment, and high sheep productivity, and arrest the newsman who reported the real situation.
AN INDIAN CORPORATION: You have two sheep. You worship them.
IRAQI CORPORATION: Everyone thinks you have lots of sheep. You tell them that you have none. No-one believes you, so they bomb the **** out of you and invade your country. You still have no sheep, but at least now you are part of a Democracy....
WELSH CORPORATION: You have two sheep. The one on the left looks very attractive.
AUSTRALIAN CORPORATION: You have two sheep. Business seems pretty good. You close the office and go for a few beers to celebrate.

(I have no idea who originally wrote this. But I've a feeling that the author was a non-Welsh traditional capitalist.)

Highway bank fire

Sun, 13 Nov 11 13:33:05 +0100

Suddenly all motion stopped. Apparently there was a highway bank fire ahead, just some grass that had caught on fire and needed extinguishing. We stood there for hours, no movement in either direction. And, no softdrinks truck in sight that an angry mob might raid.

After a while some people just gave up and took a nap.

Finally the police actually had all cars turn around and drive off into the wrong direction, so all could get off the highway at the next ramp. This was the longest jam ever. Honest. It took sooooo long I even had to write it up. I might have to discuss this with my therapist.

Setting up a remote git repository

Sun, 13 Nov 11 13:33:05 +0100

I always forget how to set up remote git repositories.. So here's a memo to self.

Local machine (developer)	Remote server (git server)
Setting up the local git # Set up new repository git init # Add all files git add -A # Commit to the local repository git commit -a -m 'initial git commit'
	Setting up the remote git # Go to remote server ssh gituser@remote_server cd /home/of/repositories mkdir project cd project # Initialize a bare repository git init --bare
Hooking up the remote git git remote add remote_server ssh://gituser@remote_server/home/of/repositories/project
Syncing local git to remote git push remote_server master Repeat as often as you feel like..
Syncing remote git to local # Clean start mkdir /tmp/project cd /tmp/project # Git initializers git init git remote add remote_server ssh://gituser@remote_server/home/of/repositories/project # Pull from remote git pull remote_server master

Bye bye trusted old Macbook

Sun, 13 Nov 11 13:33:05 +0100

A few days ago my trusted ol' 17" Macbook Pro broke. It broke good. The vido card went berserk, showed some weird patterns and then just went dead. No more output. So now what? After staring at the screen for a few seconds, I first of all composed a poem.

Blackness engulfs the tiny spots
Where pixels would shine
They sparkle no more.
You are toast.

The Macbook was beyond reasonable repair. Well, you can repair anything of course, but replacing the video card would mean replacing the entire motherboard, which doesn't really make sense doing to a laptop that's been heavily used for years, day in day out. Ah the sadness. But alas, it was time to say farewell to my trusted lappie... Yep, it was time to authanise it. But first, some salvage work for the hard disk. For this I needed a small Phillips screwdriver (which most of us have), and a tiny Torque-6 screwdriver (which I had to go buy, well actually I got a precision screwdriver set). I also got a casing for a 2.5" SATA disk, so I could make a nice external USB disk out of the old laptop disk.

Thus equipped, I unscrewed the body and could lift the keyboard. There are loads of screws that hold the body together, and all must go!

Necessary equipment. Note the T6 torque, the case can't be disassembled without it.	Once the screws are out, the keyboard can be lifted. The hard disk is at the left lower corner just under my hand.
The hard disk is removed. An empty SATA socket proves it..	Whee! The old disk in its new habitat.

It left me with a few spare parts (battery and 4Gb of RAM) and basically a broken motherboard, used-up aluminium casing, but a good screen. Anyone interested? But, end of the day.. a new 17" Macbook Pro was happily restoring files from the old disk. It's my new development machine now and the external USB disk has found a new home as one of my TimeMachine backup media.

On the upside:

Got to buy a new precision screwdriver set.
New Macbook Pro really does look sexier.
Got a new USB hard disk.
170fps in Stormwind....

John Cleese on Football

Sun, 13 Nov 11 13:33:05 +0100

There's a very important game coming up this afternoon - Netherlands vs. Slovakia. I'm talking football of course.

This brings John Cleese to mind and his famous rant on "football vs. soccer". The man is the personification of sarcasm. John Cleese always deserves re-blogging...

ABN Amro and the Pathetic Customer Service Dept.

Sun, 13 Nov 11 13:33:05 +0100

"I'll be good for you. Trust me."

My mum and dad had a shared account at the Dutch ABN-Amro Bank. They'd have some savings in that account, my dad's pension would arrive here, and they'd pay some bills from this account.

Then, six months ago, my mum suddenly passed away. For all the obvious reasons it took a while before our family got around to sorting out the less important administrative issues, such as this bank account. But eventually my sister and my dad decided that it was about time to get this over with. So she called ABN-Amro, and was told that my dad would have to show up in person to change the account ownership to only one person - to him. And would they bring ID's and the death certificate for my mum?

So, being a good citizen, my sister took all the necessary paperwork and my 86 year old dad to the ABN-Amro building in The Hague. At the general information desk she told her story - that my mum had passed away, and that therefore they wanted to change the account ownership. She was promptly told that this was only possible at another ABN-Amro building in The Hague.

Still being a good citizen, my sis stuffed my dad into a taxi and together they went off to that other building. Here, again at the information desk, she repeated everything. And was told that she would have to arrange this at a given bank desk, amidst other desks with other customers who were withdrawing cash or doing whatever they did. Mind, these are the teller-like desks where you stand around explaining your question to a bank employee. These are not the old-fashioned large-space desks of old times where one would sit down and talk.

Now, standing around for some time in front of a desk in a bank hall with my 86 year old dad was not an option at that time, and I'm dead sure that my sis' middle finger was just itching. She took my dad, turned around, and left the building.

Here's my conclusion: ABN-Amro's customer service sucks donkey. Bigtime.

I've got a few tips for ABN-Amro personnel. Just have a look at the below questions when a customer is talking to you, and answer them with a yes or no:

Have the customers come to your bank voluntarily, while they actually weren't obliged to do so?
Does their story involve the death of a loved one?
Is there a person present who's obviously aged and not very agile?

If the answer to any of the above is yes, then proceed as follows.

Get the customers into one of the private rooms and sit them down. Yes, you have those rooms, you use them when people open accounts or sign contracts. You can use them for these occasions too.
Get them a cup of coffee. Make them comfortable. Show some interest.
Sort out their problem, or their question, or whatever they came with. If this involves transferring information to another building, then handle it. You can get the necessary information to a different bank location much easier than your customers can. You've got internal mail, your customers don't.
Behave as if they were paying your salary. Hey, actually.. they are paying your salary.

I'm fairly sure that this account will pretty soon cease to exist. Suddenly ABN-Amro will receive an order to transfer all funds to an account owned by my dad with an other bank, and to leave zero euro's in this ABN-Amro account. After that they can stick this account wherever they please. Wanna bet?

Wally does not like criticism

Sun, 13 Nov 11 13:33:05 +0100

Wally doesn't like criticism.

If Wally were a gamer, he'd add "p0wn3d".

Soccermatch Netherlands vs Denmark

Sun, 13 Nov 11 13:33:05 +0100

Today at 13:30h was the soccer match between the Netherlands and Denmark. The first match of the Dutch team, so of course - everyone was excited! Unfortunately there was the daily drag of work. But, at my customer's location, a big screen was put up, where all who were interested, could watch. It was a really nice experience - and the Dutch team wan two-nil which makes it even better. The pictures don't convey the volume of the cheers that went up during each goal, but trust me, it was deafening...

Lazy Cat

Sun, 13 Nov 11 13:33:05 +0100

Some have work. Some have worries. Some have responsibilities. Others don't. They're just lazing on a sunday afternoon. And waiting 'till I bring the next bowl of noms.

Reading public Buzz using the Google API

Sun, 13 Nov 11 13:33:05 +0100

Here's a neat little thing that I've been playing around with this weekend. Google offers an API for its Buzz social network, and it's really very easy to use it - all you need is web access, an HTTP client, and you need to know how to parse the API results.

Here's now to get the most recent public Buzz entries for a given user. Google offers the list at http://www.googleapis.com/buzz/v1/activities/USERNAME/@public, where of course the USERNAME must be changed into something meaningful. The default format is XML (yech), but adding alt=json fixes that. The default number of returned entries is 20, but that can be limited by e.g. max-results=5. Here's an example of my latest one Buzz (the listing gets kind of long when you fetch more, and I replaced some too long URL's with ... and inserted arbitrary newlines):

  bash$ curl 'www.googleapis.com/buzz/v1/activities/kkubat/@public?alt=json&max-results=1'

  {"data":{"kind":"buzz#activityFeed","links":{"next":[{"href":
  "https://www.googleapis.com/buzz/v1/activities/108588487512525984185/@public?..."}],
  "self":[{"href":"https://www.googleapis.com/buzz/v1/activities/108588487512525984185/@public?alt\u003djson",
  "type":"application/json"}],"hub":[{"href":"http://pubsubhubbub.appspot.com/"}]},
  "title":"Google Buzz Public Feed","updated":"2010-06-08T10:50:01.127Z",
  "id":"tag:google.com,2010:buzz-feed:public:posted:108588487512525984185","items":[{"kind":
  "buzz#activity","title":"Sushi Saturday - great fun for all, pics at
  http://www.kubat.nl/pages/blogaria/185#185. Plus,
  Ste...","published":"2010-06-07T09:35:17.000Z","updated":
  "2010-06-07T09:35:17.782Z","id":"tag:google.com,2010:buzz:z12lhzwoyvz5z1qfl23rx1vztyrdzdyue",
  "links":{"liked":[{"href":
  "https://www.googleapis.com/buzz/v1/activities/108588487512525984185/@self/tag:...",
  "type":"application/json","count":0}],"alternate":[{"href":
  "http://www.google.com/buzz/108588487512525984185/L247NmucVAq",
  "type":"text/html"}],"replies":[{"href":
  "https://www.googleapis.com/buzz/v1/activities/108588487512525984185/@self/tag:...",
  "type":"application/json","count":0,"updated":"2010-06-07T09:35:17.782Z"}],"self":[{"href":
  "https://www.googleapis.com/buzz/v1/activities/108588487512525984185/@self/tag:..."}
  ]},"actor":{"id":"108588487512525984185","name":"Karel
  Kubat",
  "profileUrl":"http://www.google.com/profiles/kkubat","thumbnailUrl":
  "http://www.google.com/s2/photos/public/AIbEiAIAAABDCLmj9e-4_JuYdyILdmNhcmRfcGhv..."},
  "verbs":["post"],"object":{"type":"note","content":"Sushi
  Saturday - great fun for all, pics at \u003ca
  href\u003d\"http://www.kubat.nl/pages/blogaria/185#185\"
  \u003ehttp://www.kubat.nl/pages/blogaria/185#185\u003c/a\u003e.
  Plus, Steve Martin is a champ at sending personal letters - ghe ghe
  - at \u003ca
  href\u003d\"http://www.kubat.nl/pages/blogaria/186#186\"
  \u003ehttp://www.kubat.nl/pages/blogaria/186#186\u003c/a\u003e","links":{"alternate":
  [{"href":"http://www.google.com/buzz/108588487512525984185/L247NmucVAq","type":"text/html"}]},
  "attachments":[{"type":"photo","links":{"preview":[{"href":
  "http://images0-focus-opensocial.googleusercontent.com/gadgets/proxy?container..",
  "type":"image/jpeg"}],"enclosure":[{"href":"http://www.kubat.nl/bld/SushiSaturday/imag0057.jpg",
  "type":"image/jpeg"}]}}]},"source":{"title":"Buzz"},"visibility":{"entries":[{"id":
  "tag:google.com,2010:buzz-group:@me:@public","title":"Public"}]}}]}}

Which is of course totally unreadable. Fortunately, there's a parameter prettyprint=true which makes this a lot better. Here's an example:

curl 'www.googleapis.com/buzz/v1/activities/kkubat/@public?alt=json&max-results=1&prettyprint=true'

{
 "data": {
  "kind": "buzz#activityFeed",
  "links": {
   "next": [
    {
     "href": "https://www.googleapis.com/buzz/v1/activities/108588487512...",
    }
   ],
   "self": [
    {
     "href": "https://www.googleapis.com/buzz/v1/activities/108588487512...",
     "type": "application/json"
    }
   ],
   "hub": [
    {
     "href": "http://pubsubhubbub.appspot.com/"
    }
   ]
  },
  "title": "Google Buzz Public Feed",
  "updated": "2010-06-08T11:09:13.237Z",
  "id": "tag:google.com,2010:buzz-feed:public:posted:108588487512525984...",
  "items": [
   {
    "kind": "buzz#activity",
    "title": "Sushi Saturday - great fun for all, pics at http://www.ku...",
    "published": "2010-06-07T09:35:17.000Z",
    "updated": "2010-06-07T09:35:17.782Z",
    "id": "tag:google.com,2010:buzz:z12lhzwoyvz5z1qfl23rx1vztyrdzdyue",
    "links": {
     "liked": [
      {
       "href": "https://www.googleapis.com/buzz/v1/activities/108588487...",
       "type": "application/json",
       "count": 0
      }
     ],
     "alternate": [
      {
       "href": "http://www.google.com/buzz/108588487512525984185/L247Nm...",
       "type": "text/html"
      }
     ],
     "replies": [
      {
       "href": "https://www.googleapis.com/buzz/v1/activities/108588487...",
       "type": "application/json",
       "count": 0,
       "updated": "2010-06-07T09:35:17.782Z"
      }
     ],
     "self": [
      {
       "href": "https://www.googleapis.com/buzz/v1/activities/108588487...",
       "type": "application/json"
      }
     ]
    },
    "actor": {
     "id": "108588487512525984185",
     "name": "Karel Kubat",
     "profileUrl": "http://www.google.com/profiles/kkubat",
     "thumbnailUrl": "http://www.google.com/s2/photos/public/AIbEiAIAAA...",
    },
    "verbs": [
     "post"
    ],
    "object": {
     "type": "note",
     "content": "Sushi Saturday - great fun for all, pics at \u003ca hr...",
     "links": {
      "alternate": [
       {
        "href": "http://www.google.com/buzz/108588487512525984185/L247N...",
        "type": "text/html"
       }
      ]
     },
     "attachments": [
      {
       "type": "photo",
       "links": {
        "preview": [
         {
          "href": "http://images0-focus-opensocial.googleusercontent.co...",
          "type": "image/jpeg"
         }
        ],
        "enclosure": [
         {
          "href": "http://www.kubat.nl/bld/SushiSaturday/imag0057.jpg",
          "type": "image/jpeg"
         }
        ]
       }
      }
     ]
    },
    "source": {
     "title": "Buzz"
    },
    "visibility": {
     "entries": [
      {
       "id": "tag:google.com,2010:buzz-group:@me:@public",
       "title": "Public"
      }
     ]
    }
   }
  ]
 }
}

(Yep, this is readable, but for this page, I shortended the long url's with ...)

Right, this is better. The return value has the following structure:

data is the main hash we're interetested in when we want to get at Buzzed items;
items is the next one, which is an array;
Each array element has an object;
Each object has content which is the Buzzed text, and published is the publishing date;
Also there is also a hash links with an array alternate, pointing to the buzz entries;
There we are. In this example we won't fetch replies, or attachments, or whether someone liked the Buzz or not.

Time for some action! Here's a Perl script that fetches the Buzzes and uses the JSON module to convert the above structure to internal Perly data. It then prints the Buzz text, publishing date, and URL(s) where the Buzz can be found. Et voila! A 20-25 liner can do the job.

#!/usr/bin/perl

use strict;
use LWP::UserAgent;
use JSON;

my $public_url = 'http://www.googleapis.com/buzz/v1/activities/'.
  'kkubat/@public?alt=json&max-results=5&prettyprint=true';

# Get the latest 5 buzzes
my $ua = LWP::UserAgent->new();
my $res = $ua->get($public_url);
die("Failed to get buzz: ", $res->status_line(), "\n")
  unless ($res->is_success());

my $buzz;
eval { $buzz = from_json($res->content()); };
die("Bad JSON return: ", $res->content(), "\n") if ($@);

for my $item (@{ $buzz->{data}->{items} }) {
    print("Buzz: ", $item->{object}->{content}, "\n",
	  "Published on: ", $item->{published}, "\n");
    for my $alt (@{ $item->{object}->{links}->{alternate} }) {
	print("URL: ", $alt->{href}, "\n");
    }
    print("\n");
}

And of course, here is some sample output. Oh look, it's found a Buzz about itself, how cute.

Buzz: You can read public Buzzes without any hassle - using Perl and
  JSON, what else - read more at
  http://www.kubat.nl/pages/blogaria/187#187
Published on: 2010-06-08T11:58:10.000Z
URL: http://www.google.com/buzz/108588487512525984185/gkDfAzUGmbz

Buzz: Sushi Saturday - great fun for all, pics at
  http://www.kubat.nl/pages/blogaria/185#185. Plus, Steve
  Martin is a champ at sending personal letters - ghe ghe - at
  http://www.kubat.nl/pages/blogaria/186#186
Published on: 2010-06-07T09:35:17.000Z
URL: http://www.google.com/buzz/108588487512525984185/L247NmucVAq

Buzz: Quick note on suppressing auto-submit when someone hits the
  Enter key in an HTML form - at
  http://www.kubat.nl/pages/blogaria/184#184
Published on: 2010-06-04T12:51:19.000Z
URL: http://www.google.com/buzz/108588487512525984185/eDkoRALSw3K

Buzz: Wormholes on the Dutch highways? I found evidence of that - at
  http://www.kubat.nl/pages/blogaria/183#183
Published on: 2010-05-31T21:05:02.000Z
URL: http://www.google.com/buzz/108588487512525984185/8Npxwe7EXuf

Buzz: Dutch hosting provider Greenhost has stated not to log user
  traffic
More at
  http://www.kubat.nl/pages/blogaria/182#182
Published on: 2010-05-25T06:54:03.000Z
URL: http://www.google.com/buzz/108588487512525984185/4ZvjNeWm6m1

A Personal Letter from Steve Martin

Sun, 13 Nov 11 13:33:05 +0100

This Jenny must've been extatic when she receieved a truly personal letter from Steve Martin. Now that's funny imo. "Although my schedule is very busy, I decided to take the time out to write you a personal reply." Priceless.

Sushi Saturday

Sun, 13 Nov 11 13:33:05 +0100

Sticky Sushi rice	Fried seaweed

Veggies	Some salmon and shrimps, Wasabi and Kikkoman

Sliced up the veggies	Rolled up

Chilled for 20 minutes	Finished product

Looking good	...

Nothing's wasted	and the dog's happy too

Suppressing the Enter key with Javascript

Sun, 13 Nov 11 13:33:05 +0100

Memo to myself.

Here's a simple HTML form that will try to submit when the cursor is in an input field, and the user hits the Enter key:

In order to avoid this:

Create a small Javascript function to catch onkeypress events.
Inside the function, get the code of the key. If the function "eats up" the key (as is the case with code 13, Enter), return "false".
Else, return "true" and let the browser handle it.
Hook up the event handler in the relevant input fields.

For example:

  
  .
  .
  .

Temporal spacial anomaly on the Dutch highway

Sun, 13 Nov 11 13:33:05 +0100

According to the highway signs, I'm doing fifty...

But my speedometer is stuck at zero...

Speed equals distance divided by time, and the two observations report different values. Must be a temporal/spacial anomaly on the Dutch highway. In the future I'll be on the lookout for wormholes between my car and the Dutch highway signalling system.

Greenhost will not log your traffic

Sun, 13 Nov 11 13:33:05 +0100

Dutch hosting provider Greenhost stated on May 20th on their blog (Dutch text) that they will not log their user's traffic.

A short translation: "Greenhost thinks that traffic logging is unnecessary, uncalled for, and unjust. Monitoring e-mail traffic makes suspects out of citizens and restricts freedom and privacy." As of May 19th, Greenhost has an opt-in policy, where custumers can decide for themselves whether their traffic should be logged. Sacha van Geffen of Greenhost: "People can choose to be treated as a citizen or as a suspect."

Greenhost states that they are not required to keep traffic logs. The argument is that if such logs are not necessary for commercial purposes (i.e., if no logging occurs in the first place) then they don't need to be kept for any purpose. (I'd love to get legal confirmation of this from someone.. any experts out there?)

In any case, kudos to Greenhost!

Jarlsberg Webapp Exploits

Sun, 13 Nov 11 13:33:05 +0100

The Google Code University released a wonderful exploitable web application at http://jarlsberg.appspot.com/. It's a must-see for everyone who is interested in attacks on web applications, and how to defend against them. There are black box or white box attacks, and examples of cross-site scripting (XSS) and cross-site request forgery (XSRF), leakage, directory traversal, and what not. All this is sandboxed so that if every student starts with a fresh 'hackable' application and proceeds to first compromise it, then to fix the flaws. Highly recommended!

A Thought Experiment

Sun, 13 Nov 11 13:33:05 +0100

Bear with me. Just a little thought experiment, a blast from the past (hey, May 4th is Commemoration Day, so it is fitting in a weird way).

Step 1: Observe the following video. Go ahead and play it.

Step 2: Now instead of that lead singer, in his tight pants, package and all, imagine Kylie Minogue.

Step 3: Now be honest. What's better, Grand Funk Railroad or Kylie Minogue? (And please guys control your hormones. I'm doing an *originality* comparison here. You don't have to imagine Kylie with her shirt off, just so that it matches the lead singer of GFR.)

Yeah, it kinda pays off to be original. Well that's my take at least. Kylie, you're not even toting a reflecting guitar in your video's of Locomotion so hey.

SafeEdit information updated

Sun, 13 Nov 11 13:33:05 +0100

Just updated the information on SafeEdit. There's a much better description now of what SafeEdit can do for you...

Microproxy now supports ftp

Sun, 13 Nov 11 13:33:05 +0100

My microproxy of which I wrote earlier, now supports the FTP protocol. Stil small and fast, but now defitely more usable - for those situations where you need to download a file and the server offers it via ftp. I think that browsing an FTP site isn't too hot yet but I'll work on it when I find the time. Downloading works well though. Hope you find it useful!

What could get Data angry

Sun, 13 Nov 11 13:33:05 +0100

I'm sure that Commander Data ranks pretty high in the top of Persons Admired by Nerds. Probably because he's the ubergeek, gadgetman and just simply cool - all in one. And nothing gets him angry. Well.. almost nothing..

Lego Mindstorm solving the Rubik Cube

Sun, 13 Nov 11 13:33:05 +0100

I came across this today on Slashdot. A Lego Mindstorm robot that solves Rubik's Cubes. Way cool!

Crossroads 2.65 is out

Sun, 13 Nov 11 13:33:05 +0100

Crossroads 2.65 is out, after a long time of no changes or releases. This is a bugfix for a fairly rare situation where XR would think a back end is down, and would not close the associated network socket - which could ultimately lead to file descriptor exhaustion. Well, here it is. Crossroads is nicely stable nowadays.. good thing.

Goggomobil in its natural habitat

Sun, 13 Nov 11 13:33:05 +0100

Recently I saw a fantastic car - on a normal parking lot, not in a museum or something. It's an authenthic Goggomobil; an ancient two-stroke post war German vehicle. I couldn't resist.. here are some shots (click for original size, the photos are unaltered, except that I've removed the letters on the registration plate).

After I shot the pics I got to talk to the owners, an elderly man and lady. The man was kind of grumpy; I assume that he's hearing comments about his great car all day and that he's fed up with them. But the lady was absolutely radiant as I said that this is one of the finest cars I'd ever seen.

Bacon Time

Sun, 13 Nov 11 13:33:05 +0100

This is just too good to let go unnoticed. The only downside is that it smells like bacon according to the description. If not I'd order one right away. How cool would that be, walking into the office on monday morning looking like bacon?

But wait, there's more! If you want to check out the original vendor, just go to McPhee.com.

104 More friends to connect with

Sun, 13 Nov 11 13:33:05 +0100

I just got a "weekly status report" from Plaxo. It seems I need to connect to 104 more people.

Coincidentally, Wikipedia states that yesterday the world population was at a staggering 6,813,800.000:

Wow! And I have only 104 to go! Which means that I have already connected to 6,813,799,896 people! Those guys at Plaxo must have huge databases and lightning-fast queries to tell whom I'm still missing...

Bacteria infested radio reporter

Sun, 13 Nov 11 13:33:05 +0100

Overheard today on the radio, spoken by an economy reporter: "I am very septic that the economic crisis will be overcome this year." (This was actually Dutch: "Ik ben zeer septisch dat..."). I wonder where he got the infection which spread to his bloodstream. Or did he mean sceptic? Well, I had to laugh a bit...

The Kubat STAR

Sun, 13 Nov 11 13:33:05 +0100

I got this from my good friend Frank Brokken of the Univ. of Groningen: my own STandard Instrument ARrival (STAR). Great or what!

Homework Essay

Sun, 13 Nov 11 13:33:05 +0100

Seen today on the 'net.

You are to assume the role of a Chinese immigrant in 1870 and write a letter home describing your experiences. Your letter should include the following: your contribution and experiences in the West.

LOL!

C++ mutexes again

Sun, 13 Nov 11 13:33:05 +0100

I wrote before about C++, threads, and mutexes. Well, as things go, ideas evolve and what I'd thought of as 'done and over with', came back at me.

The actual reason is that last thursday I was invited at the State Univ. of Groningen to present a C++ lecture, and I'd picked daemons, forking, threading, mutexes, and the whole shebang. I presented the following snippet of how globals could be locked in a threaded program:

// EXAMPLE 1  
// Write something to cout, without other threads interfering in the displayed line.
mutex_lock(&cout);
cout << "Hello World!\n";
mutex_unlock(&cout);

// EXAMPLE 2	
// Function gethostbyname() (DNS resolving) is known to be not thread-safe in many implementations
mutex_lock(gethostbyname);
struct hostent *hostaddr = gethostbyname("www.kubat.nl");
if (hostaddr) {
    .
    . Host successfully resolved
    .
} else {
    .
    . Hostname could not be resolved
    .
}	
mutex_unlock(gethostbyname);

The idea is that mutex_lock() can set a lock on any object, via its address (a void*). The reverse, mutex_unlock(), releases the lock.

How not to do it

The work is of course done in the mentioned functions mutex_lock() and mutex_unlock(). A controversial implementation is shown below.. read on why it's controversial, or can you spot it right away?

typedef std::map LockMap;
static LockMap lockmap;

static void lock_ptr(void *p) {
    if (lockmap.find(p) == lockmap.end() && pthread_mutex_init(&lockmap[p], 0))
	throw "Failed to initialize mutex";
    if (pthread_mutex_lock(&lockmap[p]))
	throw "Failed to lock mutex";
}
static void unlock_ptr(void *p) {
    if (pthread_mutex_unlock(&lockmap[p]))
	throw "Failed to unlock mutex";
}

void mutex_lock(void *p) {
    lock_ptr(&lockmap);
    lock_ptr(p);
    unlock_ptr(&lockmap);
}
void mutex_unlock(void *p) {
    unlock_ptr(p);
}

Internally, the functions use a map to find the right mutexes for each void* that's being handled. When locking something, function mutex_lock() first locks the entire map of locks, and then calls lock_ptr(p) to set a lock for that specific object. However, when unlocking, mutex_unlock() does not lock the entire map - the idea being that the map isn't being expanded, just read.

What's the problem?

"Aha," said the audience (specifically Thomas ten C., thanks for all the comments!), "there's a potential problem there!" The implementation of the Standard Template Library (STL) isn't guaranteed to be thread-safe; e.g., consider the following:

A thread is unlocking an object. It is at the statement lockmap[p] in line 12.
Another thread is at that time locking, and is at line 5, at lockmap.find(p) == lockmap.end().
But, if the STL implementation for std::map isn't thread-safe, then these two threads might mess up the underlying map beyond imagination...

I had assumed that reading the map wouldn't modify its layout, so that entire map locking would be only necesary during the writing phase, i.e., the locking of a particular object. Not necessarily true. "Assume nothing", I should've known... Thomas commented in a mail:

Microsoft writes: "A single object is thread safe for reading from multiple threads. [...] If a single object is being written to by one thread, then all reads and writes to that object on the same or other threads must be protected."

The SGI implementation, and the GNU implementation which uses this, is thread-safe when reading: "The SGI implementation of STL is thread-safe only in the sense that simultaneous accesses to distinct containers are safe, and simultaneous read accesses to to shared containers are safe." Gnu uses the same definition: "We currently use the SGI STL definition of thread safety."

Now what

Right. So where does that leave us? There could be several approaches to avoid errors that involve a combination of STL containers and mutex locking. One is, to apply a much wider lock scope before handling std::map. Or, to also lock the entire map during the unlocking phase. Hmmm... Another one is, not to use std::map, but to control the implementation where std::map isn't clearly defined. That means implementing the equivalent of a map in code which is guaranteed not to reshuffle anything in read/only mode. And that code is exactly what's shown below, up to the global functions mutex_lock() and mutex_unlock(). The below sections show and explain what's going on.

If you are interested in a source file having all this code inside: you can grab it here. All classes and members are contained in one file - including a main() function to test it all. If you want to use it, then feel free to split it up and customize it however you like.

Basic Mutex

A basic mutex is implemented in the class Mutex (how fitting). All it does, is initialize a mutex if necessary, lock it, or unlock it. For reasons of brevity, strings are thrown when errors occur.

class Mutex {
public:
    Mutex(): _initialized(false) 	{ }
    void lock();
    void unlock();
private:
    pthread_mutex_t _mutex;
    bool _initialized;
};

void Mutex::lock() {
    if (!_initialized) {
	_initialized = true;
	if (pthread_mutex_init(&_mutex, 0))
	    throw "Failed to initialize mutex";
    }
    if (pthread_mutex_lock(&_mutex))
	throw "Failed to lock mutex";
}    

void Mutex::unlock() {
    if (pthread_mutex_unlock(&_mutex))
	throw "Failed to unlock mutex";
}

Mutex Nodes

Internally, the mutexes will be stored as a tree - having leaves. The next level is therefore a node, which has a mutex, a left branch, and a right branch:

class MutexNode {
public:
    MutexNode(void *o);
    ~MutexNode();
    
    void obj(void *o)			{ _obj = o; }
    void *obj() const  			{ return _obj; }

    void left(MutexNode *l)		{ _left = l; }
    MutexNode *left() const   		{ return _left; }

    void right(MutexNode *l)		{ _right = l; }
    MutexNode *right() const   		{ return _right; }

    void lock()				{ _mutex.lock(); }
    void unlock()			{ _mutex.unlock(); }
    
private:
    Mutex _mutex;
    void *_obj;
    MutexNode *_left, *_right;
};

MutexNode::MutexNode(void *o): _mutex(), _obj(o) {
    _left = _right = 0;
}

MutexNode::~MutexNode() {
    delete _left;
    delete _right;
}

The Mutex Tree

The nodes are maintained in a tree - here is the typical recursive descent algorithm, and so on. Note also the method MutexTree::lock() which locks the entire tree before applying a lock to a singular node.

   
class MutexTree {
public:
    MutexTree();
    ~MutexTree();
    
    void lock(void *o);
    void unlock(void *o);
    
private:
    void locktree()		{ _treelock.lock(); };
    void unlocktree()		{ _treelock.unlock(); }
    MutexNode *nodelock(void *o, MutexNode *start);
    void nodeunlock(void *o, MutexNode *start);
    
    MutexNode *_root;
    Mutex _treelock;
};

MutexTree::MutexTree(): _treelock() {
    _root = 0;
}

MutexTree::~MutexTree() {
    delete _root;
}

void MutexTree::lock(void *o) {
    locktree();
    _root = nodelock(o, _root);
    unlocktree();
}

void MutexTree::unlock(void *o) {
    nodeunlock(o, _root);
}

MutexNode *MutexTree::nodelock(void *o, MutexNode *start) {
    if (!start) {
	start = new MutexNode(o);
	start->lock();
    } else if (start->obj() == o)
	start->lock();
    else if (start->obj() < o)
	start->left(nodelock(o, start->left()));
    else
	start->right(nodelock(o, start->right()));
    
    return start;
}

void MutexTree::nodeunlock(void *o, MutexNode *start) {
    if (!start)
	return;
    
    if (start->obj() == o)
	start->unlock();
    else if (start->obj() < o)
	nodeunlock(o, start->left());
    else
	nodeunlock(o, start->right());
}

Translating to mutex_lock() and mutex_unlock()

The class MutexTree is sufficient to implement the two classless functions shown at the top of this post. All we need is one static MutexTree to operate on:

static MutexTree mt;

void mutex_lock(void *obj) {
    mt.lock(obj);
}

void mutex_unlock(void *obj) {
    mt.unlock(obj);
}

Test Harnass

Plus of course, here's the test...

void *test(void *data) {
    for (int i = 1; i <= 10; i++) {
	if (i & 1) {
	    mutex_lock(&cout);    
	    cout << pthread_self() << " testing cout, loop " << i << '\n';
	    mutex_unlock(&cout);
	} else {
	    mutex_lock(&cerr);
	    cerr << pthread_self() << " testing cerr, loop " << i << '\n';
	    mutex_unlock(&cerr);
	}
    }
    return 0;
}

int main() {
    try {
	pthread_t th, threads[10];
	for (unsigned i = 0; i < sizeof(threads) / sizeof(pthread_t); i++) {
	    pthread_create(&th, 0, test, 0);
	    threads[i] = th;
	}
	for (unsigned i = 0; i < sizeof(threads) / sizeof(pthread_t); i++)
	    pthread_join(threads[i], 0);
	cout << "Done!\n";
	return 0;
    } catch (char const *s) {
	cerr << s << "\n";
	return 1;
    }
}

Update: I've modified the above version for faster access - which can be useful in programs that use up a lot of mutexes. The modified version has a hash-table, which indexes trees. The first lookup of a mutex given a void* is therefore much faster. Drop me a note if you are interested.

The hash-table version wins performance-wise in a worst-case scenario where loads of mutexes are being used, all relating to linearly situated objects. E.g, consider:

     int obj[5000];
     for (int i = 0; i < 5000; i++)
         mutex_lock(&obj[i]);

This is the worst case, in the sense that each consecutive object to lock is (pointer-wise) 'larger' than the previous. The binary tree of MutexTree will degenerate into a list. That's where the hash table is beneficial.

However, most programs (a) won't have that many mutexes, and (b) won't suffer from such linearity. I think therefore that in most situations the binary tree approach will do quite nicely.

Weird Eyechart

Sun, 13 Nov 11 13:33:05 +0100

This must be taken from a textbook of one of the extremely-densely-wired countries, where kids learn to say "OMG, bio brb" before anything else... Also be sure to check line 5, "pwn3d" spelled in real leet-speak ;-)
(Originally seen on Failblog.org)

Microproxy 1.01

Sun, 13 Nov 11 13:33:05 +0100

I wrote before about my teeny tiny proxy Microproxy. Well, version 1.01 is out - it helps in situations where your DNS queries over TCP are more reliable than over UDP. In that case, just add flag -t to the invocation...

Microproxy

Sun, 13 Nov 11 13:33:05 +0100

I wrote before how DNS lookups after sleep/wake cycles messed up my locally running proxies. I'd tried Squid, I'd tried Perl's HTTP::Proxy module - but all suffered from this effect. As announced, there would be some tinkering, but the DNS problem was solvable. Well, tinkering time's over and here's the result.

I have scratched my own itch and wrote my own tiny little proxy in C++. It works like a charm for what I want. It's small, it's got a minimal footprint, it's fast. If you're interested - it's right at this site and it's called microproxy.

Sven Kramer and the wrong lane

Sun, 13 Nov 11 13:33:05 +0100

The poor guy. He was right on track for the 10km Gold Medal in speedskating during the recent Olympic Games. But his coach sent him into the wrong lane and he got disqualified.

Didn't take long 'till the funnies started coming in..

Endearing Babe Magnet

Sun, 13 Nov 11 13:33:05 +0100

Suddenly, at middle age, the Perfect Recipy to be a Babe Magnet stikes home.

Here's how you do it. Go skiing without the wife (or, if appropriate, wihout husband, whatever your situation may warrant) but with the kids (in my case, two sons, aged 13 and 14). Walk around with your two kids, holding a snowboard, and if appropriate: hit the snow slopes, with the snowboard strapped under your feet.

This appears to have an irresistible attaction to the opposite sex (in my case, females). From young waitresses, thru middle-aged mums, to elderly grannies: they'll all chat you up - and they'll expect you to chat back. What's even better: even the silent ones aren't surprised when you chat them up.

This is a free tip. As with all that's free, there's also no warranty...

Speed of light measured using chocolate and a microwave

Sun, 13 Nov 11 13:33:05 +0100

This is too good to pass up. If you have some spare chocolate and a microwave, you can measure the speed of light - writes Kathy Celeri on wired.com. Just brilliant! In a simple home-grown experiment she comes up with 2.94e8 m/s - which is darn close to the speed of light in vacuum, 2.99e8. Kudos!

Never again expires after 65 years

Sun, 13 Nov 11 13:33:05 +0100

The Dutch government has recently forced the following security measure upon us poor Dutchies: In all new passports a fingerprint will be included as a biometric identification measure, and furthermore, all fingerprints will be centrally stored in a governmental database.

After some initial protest - mainly from the leftist parliament members, but hey, who listens to those guys - the measure was motivated by stating that the European Union requires this. Basta. However, the truth is somewhat different: The EU does require a biometric parameter in passports (as counterfeit measure), but does not require central storage of such ID's. And there's the catch. Although the Dutch government is complying with EU regulations, they're going way further than that. And they're walking a dangerous path.

Only 65 years ago, the Dutch people said "Never Again" to the antrocities of the second world war. "Never Again" to publicly marking people with identifications, such as of course the Jewish star that had to be sewn on coats and be visible at all times. History knows where that led to - readily available identification is oh-so-handy, and not only for benefical purposes..

The Dutch civil rights organisation "Het Niewe Rijk" (The New Empire) got into action and distributed approx. 60.000 flyers, inviting citizens to come to their town halls to have their social security number tatooed on their wrist. (For example, read "The Press", depers.nl.) The proponents of the governamental fingerprinting measure of course yelled "shame on you", and called this a disgusting protest.

But actually, Het Nieuwe Rijk is totally right. When all fingerprints are centrally stored, then all that officials have to do, is to carry around a portable fingerprint scanner with a wireless connection. Within seconds they'll not only know whether you're Jew, Catholic, Muslim or whatever, but they'll also know where and how you are insured, on what no-fly list you are present, where you live, what car you drive and how environment-friendly it is, and so on. In a sense, this fingerprint storage goes way beyond the Jewish star of WW2: we now carry countless identification stars with us. And we can't take them off - fingerprints are forever. And arguments that this government just wants "the best" for us and can be trusted, are absolutely invalid: even if we do trust this government, why are we forced to state that we'll also trust the next one, and the next, and so on?

We're tagged. We're waiting to be bagged.

"Never again" has lasted 65 years in the Netherlands.

encfs on the Mac

Fri, 29 Mar 13 09:31:36 +0100

I recently read a nice article on FileFault vs. EncFS on techieblurbs.blogspot.com, and I decided to try it out - with success. The topic really is about one of my own use cases that I'd been thinking about. Here's what I found...

In order to protect customers' data, I used to create encrypted disk images using my Mac's Disk Tool. This works really well: you assign a file to serve as image, then you open the encrypted image and while mounting it, MacOSX asks you for a pass phrase. Once mounted, the separate files are accessible. The only drawback is that backing it up is a pain:

Either I backed up the encrypted entire image file, so that the data would remain encrypted on the back up media. But this means that incremental back ups take very long. Every small change within such a filesystem leads to changes in the image, and hence the image file is eligible for back up.
Or, I backed up separate files from the image while it was mounted - which makes incremental back ups fast, but leaves the separate files unencrypted on the media. This of course creates a security hole that I don't want.

Enter encfs. This is a FUSE filesystem: a file system in "userland" that maps typical file-related system calls (open(), close(), opendir() and so on) to custom handlers. In the case of encfs, the handlers make sure that file by file, all passing information is encrypted or decrypted on the fly. This means that each file appears in its unecrypted form to any software, while it is actually stored in encrypted form on the disk.

Here's how to get encfs for the Mac: Make sure that you have the MacPorts package, and then simply type (as root):

port -v install encfs

And here's how to use encfs.

As any non-root user, create two directories to (a) hold encrypted files, (b) be the non-encrypted representation. This is required only once. For example:
```
# The username is assumed to be "myname" in this example
# The directory pair is PlainDocs and .EncDocs
mkdir /Users/myname/PlainDocs /users/myname/.EncDocs
```

Next, assign the mapping between the directories using the command encfs. This is very similar to mounting:

# Adjust the directory names as required on your own system
encfs /Users/myname/PlainDocs /users/myname/.EncDocs

Make sure that /Users/myname/.EncDocs is included in your back up scheme, and /Users/myname/PlainDocs is excluded. You want to back up the encrypted files, but not the plain-text ones.
After modifying or reading files in /Users/myname/PlainDocs, unmap the encrypted filesystem, by entering as root:
```
# Replace /Users/myname/PlainDocs with whatever is applicable
# in your situation
umount /Users/myname/PlainDocs
```

This works really like a charm and does the job. Just the last step is kind of bothersome: what if you forget to unmap the encrypted filesystem, and your laptop gets stolen whilst in sleepmode or at the login screen? Fortunately, MacOSX has "hooks" that are run upon events such as: putting the laptop into sleepmode, or logging out. So, the last step of unmapping the encrypted filesystem can be automated as follows:

As root, create a script /var/root/bin/umount-encfs with the following contents (I put this file under root's home directory so root only can see it, but you can use any path you like, just make sure it has root-only privileges):
```
#!/bin/sh

# /Users/myname/PlainDocs is the mapped directory,
# adjust for your own purposes
pids=`lsof /Users/myname/PlainDocs | awk '{if (NR > 1) print $2}'`
if [ -n "$pids" ] ; then
    kill $pids
    kill -1 $pids
fi
umount /Users/myname/PlainDocs
```
The purpose of this file is to list all programs that use files in the plain-documents directory, and to stop those programs. Then the directory is unmounted.
Make this script executable, using:
```
chmod +x /var/root/bin/umount-encfs
```

Make sure that the script is called when the laptop goes into sleepmode. Run as root:

# umount-encfs should be run when logging out  
defaults write com.apple.loginwindow LogoutHook \
  /var/root/bin/umount-encfs
 
# umount-encfs should be run when entering sleep mode
defaults write com.apple.loginwindow SleepHook \
  /var/root/bin/umount-encfs

Presto. Done.

Update: The stock encfs program doesn't handle relative paths too well. The following illustrates this:

  # This works
  encfs /Users/myname/PlainDocs /Users/myname/.EncDocs

but the following won't:

  # This doesn't work.. sigh
  cd /Users/myname
  encfs PlainDocs .EncDocs

So either you have to type absolute file names, or you can use the following tiny Perl script. I've saved this in my $HOME/bin directory as encfs, and my $PATH makes sure that it is found before before /opt/local/bin/encfs. So when I run the command encfs, my script is actually run - and the script inspects arguments and converts to absolute file names, and then runs the true encfs program.

#!/usr/bin/perl

use strict;
use Cwd 'abs_path';

my $encfs = '/opt/local/bin/encfs';

# Convert all args to absolute paths.
my @args = ($encfs);
for my $a (@ARGV) {
    if (-f $a) {
        push(@args, abs_path($a));
    } elsif (-d $a) {
        push(@args, abs_path($a) . '/');
    } else {
        push(@args, $a);
    }
}

# Exec true encfs
print ("Running: @args\n");
exec( {$encfs} @args );
die("Failed to exec $encfs: $!\n");

Update: if you're interested in using encfs, read also encfs revisited. In that blog post I'm describing the newer and better and hotter encfs helper script ;-)

Hyves.nl and sexual predators

Sun, 13 Nov 11 13:33:05 +0100

The mainly Dutch-oriented social networking site Hyves.nl (still popular - despite Facebook, Orkut, Twitter, Google's Buzz and many others) recently took part in a "scientific project". This involved data mining: The profiles of known pedophiles were investigated, and the number of minor-age friends on their profiles was counted. This number was compared with the profile pages of other Hyves users. The project was a cooperation with the Dutch police. They had two startling results to show:

In the age group between say 30 and 40 years, there was a significant correlation between known pedophilic tendencies and the number of minor-age friends.
Above that, say 45 years and up, the correlation disappeared - this was attributed to people stating their kids or grandkids as friends, thereby driving up the average number of minor-age friends.

The obvious conclusion: "Data mining of such sets makes sense. Given more research and obviously taking the right precautions, such analyses may in the future become valuable assets in stopping dangerous sexual predators."

Are these guys totally mental?

Don't get me wrong - I have kids myself, and just thinking about them being victimized is one of the worst things imaginable. But please take a step back:

Customer: "I'm really really fond of hamburgers. Can you devise a way to get me really great meat on my burgers?"
Statistician: Goes off to do his magic, spends the budget required for this task, requests some more, then comes back with preliminary results: "We have analyzed a significant sample of cows, which, as we know, often provide good burger meat. We have found that there is a significant correlation with the fact that these cows are mammals. We feel that further analysis is required: given more research and obviously taking the right precautions, such analyses may in the future become valuable assets in determining whether mammals are a good source of burger meat."

So basically the guys have found that known pedophilic predators on Hyves have significantly more minor-age friends - given the right age groups and so on. Yeah, a cow's a mammal. But what's the chance that any given mammal is a cow? What's the chance that some Hyves user with more than X minor-age friends is a pedophile, or will ever become one? This research no-where states how many Hyves users with minor-age friends actually are pedophilic sexual predators. The research has no predictive value whatsoever. Bleeding waste of my tax money, if you ask me.

Bayesian stats, biting 'em again. See also prohibiting photography and why it won't stop terrorism. See also the dangers of evidence based on fingerprints when statistics are not applied correctly. They've got it the the wrong way 'round. Give it up, spend the money on something useful. Or give the money to someone who can...

Or, if I'm totally off-base here, and the research was actually well planned and executed, taking all of the above points into consideration - then please enlighten me.

Funny textbook

Sun, 13 Nov 11 13:33:05 +0100

Seen today on Failblog:

Seems they're teaching kids Internet acronyms at a very early stage nowadays. LOLZ! There's even pwn3d if you look closely.

DNS failing after sleep wake cycle

Sun, 13 Nov 11 13:33:05 +0100

As I wrote before, I'd been using a simple straight-thru proxy based on Perl's HTTP::Proxy on my laptop. However, just as is the case with Squid, after a sleep/wake cycle, the proxy would just barf and not come back to life. At such times I would have to manually kill the proxy process and restart it - after which it would magically work again.

Annoying? Highly so. Impossible to solve? No way. If there's tinkering to be done, then tinkering it will be. I traced the problem to a failure of the DNS subsystem. After a sleep/wake cycle of the laptop, the C function gethostbyname() would simply return NULL and would not come back to life. Obviously, any proxy process that relies on domain name services, falls dead right there.

Oh the joy of having code to work on where you can tinker around and fix stuff. Oh the even bigger joy when it's your own code. Well, to summarize: I started writing my own simple straight-thru proxy where I know what's happening and why, and where I can freely tinker around. I'll post it on this site once I'm comfortable with it. In the mean time: here's a preview of how the DNS issue can be fixed.

Below is a C++ function dnsresolve() which takes one argument: a hostname. Its address is returned as an in_addr_t struct. The function basically just wraps gethostbyname() but additionally it does two things:

DNS entries are cached. Typically a browser will request a page from http://somesite/index.html, then the index page will lead to a multitude of requests like http://somesite/stylesheet.css, http://somesite/logo.png, and what not. So caching DNS entries makes sense: subsequent requests from a site don't have to be resolved.
When a DNS lookup fails, then the resolver function res_init() is called. There's the missing part! This was what I was looking for all along in Squid or HTTP::Proxy... Having this in the code means that after a sleep/wake cycle, the first DNS lookup will fail but that this lookup will invoke res_init(). If the network is up and running by that time, then next lookups will succeed by using the new resolver environment. From the manpage: The res_init() routine reads the configuration file (if any; see resolver(5)) to get the default domain name, search list and the Internet address of the local name server(s). Brilliant. That's exactly what I needed, and now I know where to get it.

Incase you're interested, here's the code for my wrapper dnsresolve(). I'm not adding all header files etc. to keep the listing somewhat readable. It'll be in my upcoming microproxy for sure, so stay tuned if you're interested ;-)

#include "main"

// Single DNS entry in the cache: address and the time it was resolved
struct DnsEntry {
    in_addr_t dnsresult;
    int lookuptime;
};

// Typedefs: map of entries, iterator
typedef std::map<string, DnsEntry> DnsMap;
typedef DnsMap::iterator DnsMapIterator;

// Cache of entries
static DnsMap dnsmap;

// dnsresolve("hostname") returns the resolved name as an in_addr_t type
// and caches the result. The cache expiry is 'nsexpiry' seconds.
// Upon failure a string exception is thrown.
in_addr_t dnsresolve(string const &host) {

    // See if we have the record stored yet and if it's still recent.
    DnsMapIterator it = dnsmap.find(host);
    if (it != dnsmap.end()) {
        DnsEntry entry = dnsmap[host];
        if (entry.lookuptime >= time(0) - nsexpiry) {
            MSG(4, (msg << "DNS cache for " << host << " still valid"));
            return entry.dnsresult;
        }
    }

    // Not found or expired. Look up.
    mutex_lock((void*)gethostbyname);
    struct hostent *hostaddr = gethostbyname(host.c_str());
    mutex_unlock((void*)gethostbyname);

    // If lookup is succesful: enter in cache. Else throw exception and reset
    // the resolver lib. A next time might be successful - e.g. after a
    // laptop wakeup on a new network (then the daemon must be kicked into
    // life).
    if (hostaddr) {     
        DnsEntry entry;
        MSG(4, (msg << "DNS queried succesfully for " << host));
        memcpy(&entry.dnsresult, hostaddr->h_addr_list[0], sizeof(in_addr_t));
        entry.lookuptime = time(0);
        dnsmap[host] = entry;
        return entry.dnsresult;
    } else {
        ostringstream o;
        o << "Failed to resolve downstream host " << host
          << ": " << strerror(errno);
        res_init();
        throw o.str();
    }
}

Update: The final version will also lock the static cache map dnsmap. Not yet included in this code (though mutex-locking around gethostbyname() is already in...)

Blast from the past

Sun, 13 Nov 11 13:33:05 +0100

I just recently came across an ancient article in Linuxjournal. It must be one of the first articles ever there, dated November 1st, 1997. The article is about Yodl, a document preprocessor. There was also a really ancient picture there, from the old days before digital camera's - I have no idea really how I got that photo into binary format. Ah yeah, the good old days. I drove a red Volvo Amazon, and had a Blues Brothers t-shirt ;-)

Simple and straight Perl HTTP::Proxy

Sun, 13 Nov 11 13:33:05 +0100

I wrote earlier about my pet project Crossroads, a software load balancer. I actually use it daily on my laptop - the main purpose being that I don't have to reconfigure my browser to different proxies in different environments. Basically, my setup is:

I run Crossroads on my local system on port 8000. My Firefox is configured to use localhost:8000 as its proxy to talk to the outside world.
Crossroads knows about a number of back ends: e.g., at a customers' location there's a proxy that Crossroads can dispatch to, at the office there's a Squid proxy to talk to and so on.
When I'm at home, without an outgoing proxy, there's always the following fallback: I run a local proxy, which Crossroads chooses whenever nothing else is available.

Works like a charm. This is one of the "obscure (ab)uses of Crossroads" as described on the XR forum.

Anyway, for the last part of this setup -the local proxy- I was always using Squid, which is fast and works well. Squid however has one major drawback: it caches DNS servers and results in such a way, that when my laptop goes into sleep mode and when I later wake it, I very often have to restart Squid to get it working again. I suspect that a Squid instance caches its DNS servers, and when I wake up the laptop on another network, DNS changes - but Squid doesn't find out about it. Bummer.

Just yesterday I found out about this wonderful lightweight proxy that fits my needs. It's a Perl module called HTTP::Proxy, which is just oh-so simple to use and works. Incase you're interested - here's a small start script to fire it up. It makes sure that the Perl proxy is started on port 3128 (the Squid port) and that information is logged to the system log (usually /var/log/messages or /var/log/system.log). If you want to run this:

As user root, install the module HTTP::Proxy. Type cpan to access the Perl archive, then type install HTTP::Proxy, and finally quit the cpan program.
Save the below script as e.g. /usr/local/bin/ppproxy. Make it executable using chmod +x /usr/local/bin/pproxy
Finally, to start it... type /usr/local/bin/pproxy &

Here's the script!

#!/usr/bin/perl

use HTTP::Proxy qw(:log);
use strict;

# Remove any pre-exising downstream proxy definitions.
for my $e qw(http_proxy https_proxy ftp_proxy) {
    $ENV{$e} = undef;
}

# Set up the logger
my $of;
if (-x '/usr/bin/logger') {
    open ($of, '|/usr/bin/logger -t pproxy')
      or die ("Cannot start logger pipe: $!\n");
} else {
    open ($of, '>>/tmp/pproxy.log')
      or die ("Cannot write /tmp/pproxy.log: $!\n");
}

# Instantiate and initialize proxy
my $proxy = HTTP::Proxy->new(port => 3128);
$proxy->logfh($of);
$proxy->logmask(PROXY | STATUS);

# Run tha proxy!
$proxy->start();

Update: This is an improvement over using Squid in my small setup - cuz what I need is a really small proxy. Unfortunately, this setup also suffers from faults after a sleep/wake cycle of my laptop. It appears that after waking, DNS entries of the proxy are no longer correctly resolved. Hmmm... Might code it myself in C++. More info to follow...

Avatar the Movie

Sun, 13 Nov 11 13:33:05 +0100

By now you've probably seen Avatar. I recently heard that it hit the one-billion dollar mark - great revenue, and I admit, impressive movie, great graphics. I enjoyed watching it.

I'd recently heard two interesting remarks: First, that it's pretty weird that the most advanced movie technology was used to make a movie which basically is anti-technology. Yep, there's a funny cynical twist right there.

I saw the second reaction on failblog.org, where I hang out sometimes to get a laugh or two. Here it is:

For the indexing inclined:

~~Disney's~~ James Cameron's
~~Pocahontas~~ Avatar!
In ~~1607~~ 2154, a ship carrying J~~ohn~~ake S~~mith~~ully arrives in a lush "new world" of ~~North America~~ Pandora. The settlers are mining for ~~gold~~ unobtanium, under supervision of ~~Governor Ratcliffe~~ Colonel Quaritch. ~~John Smith~~ Jake Sully begins exploring the new territory, and encounters ~~Pocahontas~~ Neytiri. Initially she is distrustful of him, but a message from ~~Grandmother Willow~~ the Tree of Souls helps her overcome the trepidation. The two begin spending time together. ~~Pocahontas~~ Neytiri helps ~~John~~ Jake understand that all life is valuable, and how all nature is a connected circle of life. Furthermore she teaches him how to hunt, ~~grow crops~~ tame dragons, and of her culture. We find that her father is Chief ~~Powhatan~~ Eytucan, and that she is set to be married to ~~Kocoum~~ Tsu'Tey, a great warrior, but a serious man, whom ~~Pocahontas~~ Neytiri does not desire. Over time, ~~John~~ Jake and ~~Pocahontas~~ Neytiri find they have a love for each other. Back at the settlement, the men, who believe the natives are savage, plan to attack the natives for their ~~gold~~ unobtanium. ~~Kocoum~~Tsu'Tey tries to kill ~~John~~ Jack out of jealousy, but he is later killed by the settlers. As the settlers prepare to attack, ~~John~~ Jack is blamed by the ~~indians~~ Na'vi, and is sentenced to death. Just before they kill him, the settlers arrive. Chief ~~Powhotan~~ Eytucan is ~~nearly~~ killed, and ~~John~~ Jake sustains injuries from ~~Governor Ratcliffe~~ Colonel Quaritch, who is then ~~brought to justice~~ shot with arrows. ~~Pocahontas~~ Neytiri risks her life to save ~~John~~ Jack. ~~John~~ Jack and ~~Pocahontas~~ Neytiri finally have each other, and the people resolve their differences.

Brilliant, Matt Bateman wherever you are! (And with apologies to the Film Actors Guild and other groups for misspelling names...)

Slightly NSFW Linux Ad

Sun, 13 Nov 11 13:33:05 +0100

Linux desktop domination has been on the free software agenda for a long time. Maybe these guys have found a way to make the Phaenguin irresistably popular?

WTF

Sun, 13 Nov 11 13:33:05 +0100

No, the abbreviation in the title isn't what you thought it is. It's Worse Than Failure, one of my fav sites where I go to cheer up a bit.

Quite recently I came across a great WTF code snippet in Javascript. I encountered this beauty in the codebase of webpages at a customer of mine. The code somehow tries to determine a hostname and URL where a next page is located, and ultimately will send the user there, using Javascript's document.location property. Without further ado here's a snippet. Note, I replaced actual Internet-facing servernames with sever1, server2 and so on, to protect the guilty.

    newpage = newpage + parseString;
    newtarget = '';
    //alert("Incoming webservername: " + webservername);
    //Intranet
    if ( webservername == "server1.com" ) {
        webservername = "server1.com";
    } else if ( webservername == "server2.com" ) {
        webservername = "server2.com";
    //Internet
    } else if ( webservername == "server3.com" ) {
        webservername = "server3.com";
    } else if ( webservername == "server4.com" ) {
        webservername = "server4.com";
    } else {
        if (prefix) {
            newtarget = prefix + "://";
        }
        newtarget = newtarget + webservername + webserverport + newpage;
    }
    if (newtarget == '') {
        newtarget = "https://" + webservername + newpage;
    }
    //alert("New target: " + newtarget);
    return newtarget;

WTF?
if (a == 3) a = 3;
else if (a == 4) a = 4; ??

But wait, there's more. This Javascript sourcefile was only deployed on some of the servers (production and pre-production). Testing had it's own version:

    newpage = newpage + parseString;
    newtarget = '';
    //alert("Incoming webservername: " + webservername);
    //Test environment intranet
    if ( webservername == "server5.com" ) {
        webservername = "server5.com";
    } else if ( webservername == "server6.com" ) {
        webservername = "server6.com";
    } else if ( webservername == "server7.com" ) {
        webservername = "server7.com";
    } else if ( webservername == "server8.com" ) {
        webservername = "server8.com";
    //Test environment internet
    } else if ( webservername == "server9.com" ) {
        webservername = "server.com";
    } else if ( webservername == "server10.com" ) {
        webservername = "server10.com";
    } else if ( webservername == "server11.com" ) {
        webservername = "server11.com";
    } else if ( webservername == "server12.com" ) {
        webservername = "server12.com";
    } else {
        if (prefix) {
            newtarget = prefix + "://";
        }
        newtarget = newtarget + webservername + webserverport + newpage;
    }
    if (newtarget == '') {
            newtarget = "https://" + webservername + newpage;
    }
    //alert("New target: " + newtarget);
    return newtarget;

And of course there's another Javascript source for yet more servers... Sigh. During deployments, the people had to copy one of the source files to the destination javascript source that would get picked up by the pages. Which would of course lead to errors - during deployments, one should always try to avoid non-automatic steps.

Stop Software Patents in the EU

Sun, 13 Nov 11 13:33:05 +0100

Gotta support this. So, all sign! (I saw this on Eddie's Blog, so I'm shamelessly repeating it. Which is in the spirit of this petition.)

HammerServer 1.02

Sun, 13 Nov 11 13:33:05 +0100

Whee! I've been quite recently playing around with CouchDb. It's really neat and nice: a networked, document-oriented database that does simple things, and does them really well: storing stuff, and letting you retrieve it. It doesn't provide referential integrity or built-in types - everything is just a string - but it's scalable and reliable, it's got built-in features for replication and what not. All stored documents are even automatically versioned and revisioned, so that data can always be rolled back to a previous state. Interesting!

And if you happen to like Perl, the module Net::CouchDb will make your life really a lot easier. Great fun to play with.

So to get some practical fun with CouchDb, I incorporated it as a back end type in my tamper-resistant HammerServer. By definition, there is more network overhead when storing data in CouchDb, since all is sent over HTTP. So when compared to a flat file, or a PostgreSQL database, CouchDb is slower. However, CouchDb's strenghts should become apparent when the datastore is spread over many nodes which balance-out inserting and retrieving records (which I didn't try out).

So if you like, have a look at HammerServer 1.02.

One of the fun things I found was the following. The HammerServer relies on sequential ID's to store data. Each record at a given ID is signed using its own data, but also using the signature of the previous ID (which is ID-1). This is done to form a "chain" of secure data, where deletions and insertions are detected. Therefore, the correct working of the HammerServer relies on atomic increments of some ID counter. Concurrent requests to insert new data may never wind up using the same ID!

In RDBMS terms this is easily accomplished as something like:

select nextval(sequence)

or in Oracle terms,

select sequence.nextval from dual

The problem is that CouchDb is a document-oriented datastore, meaning that making such an operation atomic isn't straight forward. In any case, such an atomic update isn't built in. How can the application enforce atomic operations in CouchDb, to avoid concurrency-issues?

A too simplistic application-oriented attempt might be:

Initially, create a document in the database, named e.g. lastid, with a data element nr initialized to the value 0.
When getting the next value, the process might be:
- Fetch the document lastid from the database,
- Get its field nr,
- Increment it,
- Write it back to the database.

The problem here is of course that this approach isn't designed to be atomic. Two concurrent requests might get the same ID, which would break HammerServer's security.

Fortunately, CouchDB's revisioning comes to the aid. Internally CouchDB also fetches revision data from the database when a document is requested. When the same document is sent back for storage, the revision data must still match - else, CouchDB issues an error stating that there is a revision conflict. Brilliant! The right pseudo-code is then:

Fetch the document lastid from the database,
Get its field nr,
Increment it,
Attempt to write it back to the database,
If there is a conflict error, then redo all - starting at the top.
Otherwise we're done, the last value of nr is the atomically incremented ID.

The HammerServer furthermore spices it up by retrying for no more than 60 seconds (just incase there's something really wrong at the back end). As an example here is some Perl code that uses Net::CouchDb to illustrate this. In the real HammerServer sources the code is quite different and you can find it in the method getnextid() of mod/db/CouchDB.pm. The below code is only an illustration of the concept.

# Connect to the CouchDb server
my $connection = Net::CouchDb->new('http://hostname:5984')
  or die("Can't connect to server\n");
# Connect to the database
my $cdb = $connection->db('database')
  or die("Can't connect to the database\n");

# The next ID to determine:
my $nextid;

# Fetch the "lastid" document, increment the field "nr". If an update
# conflict occurs, then redo until we're out of time. Oh, and die if
# some other weird error occurs.
my $start_t = time();
my $try = 1;
while (1) {
    # Fetch the counter document, increment number.
    my $doc = $cdb->get('lastid');
    $doc->nr += 1;

    # Write it back to the database.
    print("Try $try: incrementing to ", $doc->nr, "\n");
    my $result = $cdb->post($doc)
      or die("Failed to re-contact the CouchDB server\n");
    if ($result->{ok}) {
	# Data committed. We're done.
	$nextid = $doc->id;
	last;
    } elsif ($result->{error} eq 'conflict') {
	# Conflict error. Die miserably if this has been going on
	# for 60 seconds or more.
	die("Failed to increment lastid counter after 60 sec\n")
	  if (time() - $start_t > 60);
	# The 1 min hasn't elapsed yet, let's retry.
	print("Concurrency error, retrying\n");
	next;
    } else {
	# Some other error.
	die("CouchDB error: ", $res->{error}, ' ',
	    $res->{description}, "\n");
    }
}

# All done.
print("ID succesfully and atomically incremented to $nextid\n");

Conclusion: Yep this works like a charm. I only had to fire up two "trains" of insertion requests to detect logfile messages stating that retries were necessary. All in all, this approach is perfectly feasible. One might say: yech, that's a lot of work to just emulate select nextval(sequence). True. On the other hand, consider that CouchDb's philosophy is that tasks - and hence code and complexity - should be "pushed out" towards calling applications, so that the central database can remain lean and mean and fast. That argument is as good as any.

Perls Automagical Autoloading

Sun, 13 Nov 11 13:33:05 +0100

This will quite likely be already loooong known to all Perlmonks in the world, but hey. I just found out the possibility to "automagically" create methods for Perl classes, and I'm happy...

Before, I used to write getters and setters for all data fields in my Perl classes. For example:

package Animal;
sub new {
    # ...
}

sub name {
    my ($self, $val) = shift;
  
    # If $val is given then this method is considered a
    # 'setter': store the value in this object.
    $self->{name} = $val if ($val);

    # Now do the 'getter' thing, return the contained data.
    return $self->{name};
}

The purpose of such an accessor method is of course that you can have on object of the type Animal and you can use the method name() to either set or get the name - so its a getter and a setter at the same time:

my $dog = Animal->new();
$dog->name('Spot');
print("My dog is named ", $dog->name(), "\n");

The above stanza could be rewritten in terms of the array of method arguments @_, hence using $_[0] to address 'self', and using $_[1] to address the (optional) 'val'. This gives us somewhat shorter, though cryptical code (but isn't a really meaningful improvement):

sub name {
    $_[0]->{name} = $_[1] if ($_[1]);
    return $_[0]->{name};
}

In general, this getter/setter approach works just fine: one uses datafields $self->{whatever} to store data, and wrapper methods $object->whatever() are accessors: when the accessor has an argument then it's assumed a setter, else just a getter.

The only drawback of this approach is that classes tend to contain a lot of repetitive code. The above hypothetical Animal would have a method name() to wrap a datafield name, next it might have a method nr_of_legs() to wrap a datafield nr_of_legs, and so on. You get the idea.

Wouldn't it be nice if, when coding the class, one wouldn't have to hand-craft such repetitive getters and setters? Well, exactly this is possible using Perl's automagical autoloading. Here's how it works:

When a non-existing method is called on an object, Perl tries to invoke the method AUTOLOAD (if such method exists).
Whilst doing so, the invoked name is stored in a class variable $AUTOLOAD (if such a variable exists).
Hence, if you craft a method AUTOLOAD, which inspects a variable our $AUTOLOAD to find out the non-existing name, then that method can emulate what the non-existing getter/setter should be doing!

It's like dynamically creating methods when they're needed. Or magically opening a window where there first was a solid wall!

Time for an example. You can download the below code as automatic.pl. The code has in one file a package called Generic, where the automagic is implemented. Then the code is tested below that. I wonder if Donald Fagen had such fine automated aids to help him with his text writing?

#!/usr/bin/perl

use strict;

{
    package Generic;

    sub new {
	my $class = shift;
	my $self = {};
	bless($self, $class);
	return $self;
    }

    our $AUTOLOAD;
    sub AUTOLOAD {
	my ($self, $val) = @_;
	$self->{$AUTOLOAD} = $val if ($val);
	return $self->{$AUTOLOAD};
    }

    1;
}

my $r = Generic->new();
$r->title('girl');
$r->name('Ruby');
$r->lacks('pretty');
$r->question('when will you be mine');

print("I've got a ", $r->title(), " and ", $r->name(), " is her name\n",
      "She ain't real ", $r->lacks(), " but I love her just the same\n",
      $r->name(), " ", $r->name(), " ", $r->question(), "?\n");

First Update: I forgot to mention that the exact value of the variable our $AUTOLOAD is class::method. The autoload method can therefore verify against unwanted getters/setters, as thus:

# Standard stuff...
package Generic;
sub new {
    # ...
}

# Autoload version that allows only getter/setters title, name, lacks
# and question. All others are considered an error. You get the idea..
our $AUTOLOAD;
sub AUTOLOAD {
    my ($self, $val) = @_;

    # These are the allowed methods
    my %allowed = (title => 1, name => 1, lack => 1,
		   question => 1);

    # Here's the requested method: $AUTOLOAD without method name
    my $requested = $AUTOLOAD;
    $requested =~ s{.*::}{};

    # Check that this is allowed..
    die("Method not allowed\n") unless ($allowed{$requested});

    # Do the automagic.
    $self->{$requested} = $val if ($val);
    return $self->{requested};
}

Next update: Be sure to use our $AUTOLOAD and not my. Made that mistake myself and was searching for at least 30 seconds for the fault.

Office Poster

Sun, 13 Nov 11 13:33:05 +0100

Seen on the Cheezeburger Network (more precisely punditkitchen.com):

My Office Poster for next week!

The nr 1 Nerdjoke

Sun, 13 Nov 11 13:33:05 +0100

This one ranks number one in my collection of nerdjokes.

Two hydrogen atoms are walking down the street.
Atom 1: "Damn, I lost my electron again."
Atom 2: "You sure?"
Atom 1: "Yeah, I'm positive."

WoW Startscript for my Mac

Sun, 13 Nov 11 13:33:05 +0100

I wrote before about how I needed to reinstall World of Warcraft on a non-casesensitive partition because of WoW patch nr. 3. So since then, basically, I must mount a disk, navigate to the game executable, and double-click it to play

Well, I'm a keyboard type of guy and I hate clicking around. So all this of course can be scripted. It's all really very simple, but hey, maybe the below example will inspire someone to do their own scripting of repetitive tasks.

The script is appropriately called wow and it accepts arguments:

wow start mounts the disk and starts the game (in the back ground);
wow end kills the game if it's running and unmounts the disk;
wow (without arguments) mounts the disk, starts the game, waits for it to finish, and unmounts the disk.

The script uses the MacOSX command "open" to do its magic like mounting disks and starting apps. The open command is actually very versatile and worth taking a look at. From the help information:

Usage: open [-e] [-t] [-f] [-W] [-n] [-g] [-h] [-b ] [-a ] [filenames]
Help: Open opens files from a shell.
      By default, opens each file using the default application for that file.  
      If the file is in the form of a URL, the file will be opened as a URL.
Options: 
      -a                Opens with the specified application.
      -b                Opens with the specified application bundle identifier.
      -e                Opens with TextEdit.
      -t                Opens with default text editor.
      -f                Reads input from standard input and opens with TextEdit.
      -W, --wait-apps   Blocks until the used applications are closed (even if they were already running).
      -n, --new         Open a new instance of the application even if one is already running.
      -g, --background  Does not bring the application to the foreground.
      -h, --header      Searches header file locations for headers matching the given filenames, and opens them.

In this case, my script only uses open to mount an image, or uses open to start an app, or it uses open -W to start an app and wait for it to finish. Besides that, disktool is used to unmount a disk image. Well, here's the script. Hope it's somewhat useful to you. Mind that if you want to use this, you'll have to edit the configuration at the top of the script.

#!/bin/sh

# Another little proggle to make my life easier. This time a shell script
# that starts my favorite game, WOW. I have the game on a separate disk
# image. So when I want to play, I need to (a) mount the image, (b) start
# the game and play it, and (c) unmount the image as a cleanup. That's what
# this lil'script does.

# Configuration - edit at will. Specify the disk image, the mount point
# of the image, and the application (inside the image). You can find these
# out by locating your game image by hand, and by mounting it using the
# Finder. Then in /Volumes you'll see the mountpoint. The app is located
# somewhere inside the mountpoint.
image=/private/images/WOW.sparseimage
mountpt=/Volumes/WOW
app="$mountpt/World of Warcraft/World of Warcraft.app"
# End of configuration. The rest should need no tweaking.

# Mount the game image onto the mount point
function mountdisk() {
    if [ ! -d "$mountpt" ] ; then
        echo "Mounting $image"
        open -W "$image" || exit 1
        if [ ! -d "$mountpt" ] ; then
            echo "Failed to mount $image to $mountpt"
            exit 1
        fi
    fi
}

# Run the game app off a mounted image
function runwow() {
    echo "Starting $app"
    if [ ! -d "$app" ] ; then
        echo "Failed to locate $app"
        exit 1
    fi
    open "$1" "$app"
}

# Stop the game (kill the process)
function stopwow() {
    pid=`ps  ax | grep World | grep -v grep | awk '{print $1}'`
    if [ -z "$pid" ] ; then
        echo "Not running, nothing to stop"
    else
        echo "Stopping pid $pid"
        kill "$pid"
    fi
}

# Unmount the game image
function umountdisk() {
    disk=`disktool -l | grep "$mountpt" |
    awk '{print $3}' | awk -F\' '{print $2}'`
    if [ -z "$disk" ] ; then
        echo "No disk in use, not ejecting"
    else
        echo "Unmounting disk $disk"
        disktool -u "$disk" >/dev/null
    fi
}

# Main starts here, depending on the argument the above functions are
# called
if [ "$1" == "start" ] ; then
    mountdisk
    runwow
elif [ "$1" == "stop" ] ; then
    stopwow
    umountdisk
elif [ -z "$1" ] ; then
    mountdisk
    runwow -W
    umountdisk
else
    cat <

HammerServer section is online

Sun, 13 Nov 11 13:33:05 +0100

I just posted the docs for the HammerServer: a networked daemon that serves as an audit-log, but it's tamper-resistant (can't touch this). It's a pretty nice proof of concept thingy I think that can be used as a stepping stone for specific ideas and requirements.

The BING HQ

Sun, 13 Nov 11 13:33:05 +0100

Digging a WOW Tunnel

Sun, 13 Nov 11 13:33:05 +0100

Digging a WOW Tunnel

If you ever find yourself on a firewalled network that has just an outgoing proxy, and still feel the urge to connect to WOW, then here's how. This text shows how to make sure that you can log on, and use the regular play.

Ingredients

You will need:

A Unixy system, like a Macbook or a Linux box. On this system you'll need root privileges so you can edit /etc/hosts, run ifconfig etc.
A server on the outside that is Internet-connected and where you can run remote SSH commands. Verify this in advance by running e.g.
```
ssh USER@HOST ls
```
This should of course show the ls output of the stated user's home directory. Substitute appropriate values for USER and HOST.
In the next sections I'm assuming that you have your local SSH set up so that it tunnels-out via the proxy (hints: Configure this in ~/.ssh/config and use ProxyCommand proxytunnel).
Also you'll need to know the hostname of the Blizz logon server, which is in my case eu.logon.worldofwarcraft.com.
Finally you will also need to know the IP address of your game server. For me it's Bloodhoof, which resides on 80.239.179.103. If you don't know this IP address, then you'll just have to sniff it off the network using wireshark.

Approach

Basically, you'll have to do the following tasks:

Make sure that the WOW client will talk to your local machine as login server;
Forward this traffic to the true logon server using SSH;
Grab the IP of the realm server and assign it to your localhost, so that the WOW client will talk to your local machine to enter the world;
Forward this traffic to the real server over SSH.

Recipy

Edit /etc/hosts and add the line:
```
127.0.0.1 eu.logon.worldofwarcraft.com
```
Start forwarding this traffic to the real logon server, using the command:
```
ssh -v -N -L 127.0.0.1:3724:eu.logon.worldofwarcraft.com:3724 USER@HOST
```
Supply the right SSH user and host in the command.
Grab the IP of the realm server:
```
ifconfig lo0 alias 80.239.179.103
```

lo0

lo

Start forwarding the traffic of your new local IP address 80.239.179.103 to the real logon server, using the command:
```
ssh -v -N -L 80.239.179.103:3724:80.239.179.103:3724 USER@HOST
```

Undoing

To turn this back, edit /etc/hosts and comment-out the line that redefines the IP address for eu.logon.worldofwarcraft.com.

To remove the binding of the IP address 80.239.179.103, run as root:

ifconfig lo0 -alias 80.239.179.103

Wee Todd

Sun, 13 Nov 11 13:33:05 +0100

This was put to me by BOFH at a barbecue:

I'm wee todd
I'm sofa king
I'm wee todd did

Well, I got the second line right...

The On Off Switch Revisited

Sun, 13 Nov 11 13:33:05 +0100

Today I had to see my server that's colo-hosted to fix some things. The server had a very nasty habit of not booting up after a crash or power interruption. Time to fix it up, I thought. Well, that wasn't such an easy task. Here's why....

It's the on/off switch but revisited. Following my first blog I'd wisened up, I nowadays check the BIOS on server systems. Usually there's an option that says something like "reboot after power failure". Once this option is enabled, the server will happily boot the OS when it gets back power, instead of staying in stand-by mode. And that of course is basically what you always want: an unattended system should simply come up after a power failure, and not wait for a human to come press a button.

So of course, with this current server, I started the system, went into the BIOS screen, and looked for a similar option. To no avail. This server is an IBM e-server, model 330, and it doesn't have such a feature. I spent an hour looking for something like this, and came up with zip. Finally after googling for 15 minutes, I got a brainwave.

The e-server family of IBM's rack models has a counter in its BIOS that stores how many times the server has succesfully booted (after a planned reboot) and how many times it rebooted after a crash. If the server experiences too many crashes then the ratio of crashes vs. planned boots tells it not to boot anymore, but to go into standby mode. AAAAAAAAAAAAAAAAAAAARGGH!!

This is so totally braindead. Imagine that you're using a stable OS that doesn't need rebooting. Then the only downtime you'll ever experience will be due to hardware crashes, or due to power outages. Which means that there will be more crashes than planned reboots. So, the server decides for you that it's better to go into standby mode after a while.

Fortunately there is a BIOS setting to disable this behavior, but you have to really know about it before you find it. Well, I should've suspected something like that. Rack system or not - Big Blue will of course assume that you're running Windows and that you reboot your system regularly, by choice. How braindead can you get.

This reminds me of the following funny. The image should also have the following caption: "But IBM thinks I'm getting laid all the time."

Meatspace

Sun, 13 Nov 11 13:33:05 +0100

Seen today on Slashdot:

And then there was of course the obvious answer. Marked "insightful"? LOLZ!

"Meatspace.." I must confess, I'd never heard that one before!

My old houses

Sun, 13 Nov 11 13:33:05 +0100

While giving lectures at the State Univ. of Groningen, I took the opportunity to see two of my old houses. The first one is where I used to live as a student. I had some great times there with all the other guys and girls who lived there...

The second one is actually my first ever owned house. Great place it was..

That brings back loads of sweet memories...

LOLcats are funny

Sun, 13 Nov 11 13:33:05 +0100

LOLcats are very funny at times. Here's a long time favorite of mine.

Civic Duty WIN

Sun, 13 Nov 11 13:33:05 +0100

Www.failblog.org is classifying this as a "fail". I don't get it, why not a "win"? In particular, the following phrasing signals a win in my view: "Jury duty is a complete waste of time. I would rather count the wrinkles on my dogs balls than sit on a jury. Get it through your thick skulls. Leave me the f–k alone."

At the least, this guy is outspoken. Loose or win?

Vote for the baby, Sky Radio promo FAIL

Sun, 13 Nov 11 13:33:05 +0100

The Dutch / British station "Sky Radio" is apparently holding a contest "Vote for my baby". You enter your little toddler, and they've got a chance to win ... what? I've no idea, clothes, a walker, a wooden horse? No idea, really. But this struck me as odd:

I've got 6 hours and something before I should start voting. Or 364 days. Year-wrap gone bad, anyone?

Geez, giant suck.

My secure data center

Sun, 13 Nov 11 13:33:05 +0100

This all started as follows. A good customer of mine needed quickly a terabyte of secure storage, to store some old files for audit reasons. The storage would be put in a vault, just incase. The requirements were that the storage media should be very secure, and should be detachable - so that all could go in a vault.

The inhouse ICT club of course offered a fantastic solution, secure, redundant and all that - for a truckload of cash, and it would be ready in a month. I don't even think that the money would've been an issue, but the storage was needed "yesterday", not in a month. Well, that's how things go.

Enter the DYI method of Secure Data Center Installations. For starters, you need an old HP desktop, converted to Ubuntu, to which two Terabyte USB disks are attached. The two disks set us back about EUR 160. We of course encrypted both disks using Truecrypt and hooked them up. One of the disks is used as write media for whatever files need to be stored, the other is a back up which is rsynced every so often. Hey, if it needs to be stored for some time, we'd better have two..

A standard desktop that we cannibalized...

With a USB drive plugged in...

Next are of course physical security issues. Encryption is good, but physical access restrictions aren't bad either. Plus I have to admit, we didn't want this thingy to be noticed.. as in "Hey, what's that system doing over there? Who hooked up them USB drives? What version of Windows is it running? What? No standard Windows build? Li- what?" So enter the Powertools. We commandeered a desk cabinet that was previously used for paperwork, and drilled a few holes in the back for cables.

Powertools make my day.

They also make holes in the back.

The slider mechanism in the cabinet, previously used for hanging paper folders, made a nice support for a flat screen and a keyboard. Hey, a Secure Cabinet with a retractable screen and keyboard - who would've thought?

Retractable!

It even boots.

Here's the result. You'd never know there's a super-secret 1Tb storage unit in here, being mirrored onto a redundant second 1Tb. There was however one victim of all this: My one inch drill that I'd used for the back of the cabinet. Totally burnt. Well, it'd done its job, RIP...

Super-secret. It's got a lock.

The one casualty.

All in all? It made the office day a lot less boring!

My Valentine is sending me a dot exe

Sun, 13 Nov 11 13:33:05 +0100

Happy Valentine's day, for sure. It's even a happier Valentine for spambots. They are breeding like crazy. 'Tis the time they send mails with links that try to get you to download an executable "greeting card viewer". Of course. What else is new?

MacPorts trash: .mp_123456 savefiles cleaning

Sun, 13 Nov 11 13:33:05 +0100

As I was searching for some files on my hard disk, I saw I had a lot of files named *.mp_123456, especially under the directory /opt/local. The number (123456 in this example) can of course be any other random number. A short investigation revealed that those files are save-files from MacPort runs, that especially appear during forced installations or activations, i.e., after port -f install ...

So I decided to clean them up. For your pleasure, here's a little script that does it. Save it as mp-clean somewhere on your system, and run as:

mp-clean test: This will scan your entire disk and report how many savefiles it finds, and their total size. It may run for a looooong time, so don't be impatient!
A save-file is a file that ends in .mp followed by a number, and there must be a corresponding "real" file in the same directory. E.g., a save-file /opt/local/include/hdr.h.mp_123456 is only a save-file if the corresponding file /opt/local/include/hdr.h exists.
mp-clean test /opt/local/include: This is like the above, except that only /opt/local/include and its subdirectories are scanned.
mp-clean go and mp-clean go /opt/local/include don't only locate the files and report their total size, but they also remove them. This is the actual cleaner.

Now, removing system files is always a bit scary. But hey, it saved me some 50Mb diskspace and I haven't seen bad side effects yet. Nevertheless, use it at your own risk and of course make sure you have a backup before you run it...

Finally, here's the little script.

#!/usr/bin/perl

use strict;
$|++;

# Command line
my $action   = shift(@ARGV);
my $startdir = shift(@ARGV);
$startdir = '/' if ($startdir eq '');
die ("Usage: mp-clean test|go [startdir]\n",
     "Cleans up mp-savefiles from port. Default startdir is /\n")
  if ($#ARGV != -1 or ($action ne 'go' and $action ne 'test'));

# Locate the mp files.
open (my $if, "find $startdir -name '*.mp_*' |")
  or die ("Cannot start find\n");
my $totfiles = 0;
my $mpfiles = 0;
my $bytescleaned = 0;
while (my $mpfile = <$if>) {
    $totfiles++;
    chomp ($mpfile);
    print ("$totfiles files seen (at $mpfile)\n");
    
    my $orgfile = $mpfile;
    $orgfile =~ s{\.mp_[0-9]+$}{};
    next unless (-f $orgfile);
    $mpfiles++;
    
    $bytescleaned += (stat($mpfile))[7];

    if ($action eq 'go') {
        unlink ($mpfile) or die ("\nCannot unlink '$mpfile': $!\n");
    }
}

print ("\n",
       "Found MP files:        $mpfiles\n",
       "Total size MP files:   $bytescleaned\n");

Truecrypt 6 on Linux and the ext3 filesystem

Sun, 13 Nov 11 13:33:05 +0100

I recently installed Truecrypt on a USB drive, attached to a Linux box. It was Truecrypt version 6.1a. This version natively supports the "FAT" filesystem, which is of course not what you want on a Linux box.

The GUI that drives Truecrypt doesn't really help when you want to do "special" things, such as choosing a non-default filesystem for the encrypted disk. Fortunately, Truecrypt is built in the best Unix fashion - with a command line tool underneath, so that you get to control all the detailed aspects! Here's a short description of how to put an ext3 filesystem on a Truecrypt-protected disk.

First, the disk is encrypted. In this example my USB drive is the device /dev/sdb1. Adjust where necessary. The encryption is started using
truecrypt -c /dev/sdb1
Truecrypt will then prompt for the encryption algorithm, hash size and so on. At the prompt for the filesystem, take FAT. This doesn't really matter, it will get overwritten later on. Next, go shopping, drink coffee, make lunch - this step takes a while. (My 1Tb disk took 10 hours to encrypt.)
Next, the disk is "mapped". Which is like mounting, except that the device isn't really attached to a physical directory. It's only mapped to a pseudo-device. Truecrypt is placed between the real device and the pseudo-device to take care of all encryption. The command is:
truecrypt /dev/sdb1 --filesystem=none
The specification that Truecrypt should assume "no filesystem" prevents the actual mounting.
The raw encrypted device is now available as a pseudo-device. The following command shows which pseudo-device that is:
truecrypt --volume-properties
The output of this command shows a line like: Virtual Device: /dev/mapper/truecrypt1. In this case the virtual device is of course /dev/mapper/truecrypt1.
The mapped virtual device can now be used to create a new filesystem in the encrypted device. In this case I'm going for "ext3":
mkfs.ext3 /dev/mapper/truecrypt1
Once the filesystem is there, the virtual device is released. After that, Truecrypt is used to re-map the device and now to truly mount it:
truecrypt -d
mkdir /mnt/encrypted # a directory of your choice
truecrypt /dev/sdb1 /mnt/encrypted

As ever,
If you have useful additions or comments,
let me know!

www versus nl.youtube.com

Sun, 13 Nov 11 13:33:05 +0100

Seen today when accessing www.youtube.com (I'm showing the HTTP request and response headers):

GET / HTTP/1.1
Host: www.youtube.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300

HTTP/1.x 302 Moved Temporarily
Transfer-Encoding: chunked
Date: Wed, 28 Jan 2009 14:29:06 GMT
Content-Type: text/html; charset=utf-8
Expires: Wed, 28 Jan 2009 14:29:06 GMT
Cache-Control: no-cache
Server: Apache
X-Content-Type-Options: nosniff
Location: http://nl.youtube.com/

Or, in normal English: When requesting the top page ("GET /") from host www.youtube.com, the server says: Go to "http://nl.youtube.com". OK, my browser thinks, let's check there:

GET / HTTP/1.1
Host: nl.youtube.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300

HTTP/1.x 302 Moved Temporarily
Transfer-Encoding: chunked
Date: Wed, 28 Jan 2009 13:09:29 GMT
Content-Type: text/html; charset=utf-8
Expires: Wed, 28 Jan 2009 13:09:29 GMT
Cache-Control: no-cache
Server: Apache
X-Content-Type-Options: nosniff
Location: http://www.youtube.com/

Hahaha...

Anyway, even at Google there are sometimes problems. That's comforting in a weird sort of way. Next time I mess up my webserver, I'll know that I'm not the only one ;-)

[Update:] Checking back later, Youtube suggested to me a Dutch filter. Might this be related to the endless redirection loop? Hmmm...

Songsmith and The Police

Sun, 13 Nov 11 13:33:05 +0100

There have been enough stories about Microsoft's Songsmith (good friend Eddie wrote about it too. But the parodies are maybe even worse than the original Microsoft ad. My favorite is Songsmith's version of Roxanne (The Police):

Is that really a steel drum in that tune? Wow, amazing! It's pure genius that just by "listening" to the lyrics, Songsmith can predict that The Police would use steel drums a bit later (in Every Little Thing).. Simply stunning. Gee, I need to get that program!

My own Ministery of Silly Walks

Sun, 13 Nov 11 13:33:05 +0100

Sometimes there's no escaping looking stupid on a still frame. Actually that occurs quite frequently to me.

Here's a fine example, in full size, my own Ministery of Silly Walks (or is it, "Beware of that dog pile"?)

CoolIris Mini HOWTO

Sun, 13 Nov 11 13:33:05 +0100

A great way to browse pictures

Yesterday a collegue showed me CoolIris. Whee! What a magnificent way to browse through pictures or videos! Kudos, guys at CoolIris, and thanks for showing me, Bas!

Of course such technology can't go untested. So I tried it out to see how it works, and... it works really beautifully. If you want to test it out, here's what you need to do:

You must have Firefox 3. Well, we all have that, right? If not, get it at http://www.mozilla.org/. I think it's at the moment the browser to have.
In Firefox, you need to install the addon "Cooliris". If you don't have that extension yet, go to the Firefox menu item Tools, then Add-ons, and enter Cooliris in the search box. Install the add-on and you're all set.
Next, go to a CoolIris-enabled site. You will see that at the right top corner of the Firefox window, there is now a CoolIris laucher button. Click it.. and be amazed.
I've of course also created a small sample. My Nasa pictures collection is CoolIris-enabled, so give it a go. (The page takes a while to load, there's just lots of pictures there, don't be too impatient.)

Enabling your own site

Here's how you enable your own photo collection for CoolIris. It's so radically simple that you'll be amazed.

In the HTML page that presents the index to your pictures collection, add the following to the head tag:
```
      
```
The "path/to" is of course a directory specifier that you need to change, or remove if you're planning to serve the XML file from the current directory.
In the directory where the above "/path/to" points, create a file "cooliris-quick.xml" which maps thumbnails to the big pictures. In my case, a thumbnail picture is e.g. /nasa/THUMB-040523cruxa_seip_full.jpg, and the corresponding big version is /nasa/040523cruxa_seip_full.jpg. So in my case, there's just the "THUMB-" that needs to be taken out to get to the big picture. For me, the file "cooliris-quick.xml" looks like:
```
      
      
      ^(.*)THUMB-(.*)$
      {1}{2}
      
```
Notice how the "src" tag uses regular expressions. The "dst" tag references regular expressions in parentheses using {1}, {2} and so on. Really easy to build.

Well, that's about all! Have fun!

UDP and DNS balancing

Sun, 13 Nov 11 13:33:05 +0100

Based on a couple of ideas from the Crossroads forum and also based on thoughts of my good friend Eddie, I've crafted a prototype of a UDP balancer. In this case it's hand-crafted to forward or balance DNS lookups. The description is a bit lengthy; I parked it in its separate page. Enjoy and let me know if you have questions or remarks!

Life in graphs

Sun, 13 Nov 11 13:33:05 +0100

Stumbled on this by coincidence. Brilliant or what?

Skeined yet?

Sun, 13 Nov 11 13:33:05 +0100

"Have you skeined yet?" Or maybe it's "Have you been skeined yet?" The SHA digest algorithm has a contender: Skein (pronouce as: rain, but with sk). I've no idea if it's any good, but if Bruce Schneier is co-author of this thingy, then it's going to get loads of exposure. I wonder how many programs will get a new flag --use-skein-512 in the near future? Plus of course --pedantic which implies --use-skein-1024? The paper claims that Skein runs faster than SHA, and the download includes optimized code for 32 and 64 bit Intel systems. The smallest Skein-128 is supposedly suitable for very small systems (smartcards). All written in C, yay. Impressive!

Read more yourself and get the download zip.

New Crossroads on the horizon

Sun, 13 Nov 11 13:33:05 +0100

My pet project Crossroads (a software load balancer and fail over utility) is really taking jumps forward. There are countless people to thank - developers, bench markers, and not in the last place: the users. Since Crossroads got its forum at xrforum.org, the interest has increased and so has the number of people who actively participate. There have been many useful and new changes.

But first, version 2.30 - next stable - is about to come out. This is basically a (hopefully) bugfree stability release, with huge optimizations. Preliminary tests show that Crossroads in both TCP mode and in HTTP mode outperforms comparable balancers! There ya go.

But wait, that's not all. The next development version 2.31 is already in the oven. It's not available as download yet - but will soon be - so check either the Downloads section at crossroads.e-tunity.com or check the SVN repository at svn://svn.e-tunity.com/crossroads/trunk. What does the future hold?

The control script xrctl now relies on an XML configuration file, so that all controls have been externalized from Crossroads and from its control script.
The performance is even better than version 2.30-stable.
Much more flexible back end checking. The older versions would only try to establish a TCP connection to see if a back end is alive. Now, checks can be configured to connect to other ports or IP's, or they can do a "HTTP get" of e.g. a health check service. Or, as a last resort, a user-supplied program is called to do its magic and to tell Crossroads how the back end is doing.
The web interface is greatly enhanced. Its status has been steadily increasing from a "nice feature" to a true reporting and maintenance tool. All features can be viewed, and almost all features can be set. Even new back ends can be added. Currently the only things that can't be controlled through the web interface, are the balancer server port and the balancing type (tcp or http).
DNS lookups of back end addresses are cached. This ensures that the domain name server isn't hit all the time - and again increases performance.
Denial-of-service (DOS) detection can now call a user supplied program to take special measures. The detection of DOS attacks and protection inside XR itself was written previously by Gabriel M., but now, e.g. iptables can be invoked to block potential trespassers.

Big changes. I can't wait to push out 2.30-stable, so that 2.31-development can be made available as a download too. All in all, I'm very happy with the direction that Crossroads has taken. The complete rewrite from the "old" Crossroads-1 code has been worth while. And of course big thanks go to everyone who's involved - all testers, contributors, people who come up with ideas, and of course Rene K., forum master and tireless tester, bughunter, benchmarker, and what not.

Since images speak louder than words, here's a snapshot of the web interface. This balancer runs in HTTP mode, and the image shows what can be configured for it.

And here's the web interface showing a back end.

Interested? Is your curiosity tickled? Get Crossroads and become a member of the forum!

Thread safe or not

Sun, 13 Nov 11 13:33:05 +0100

Today I was mailing with Rene K., forum master of the Crossroads forum, co-developer, supporter, and benchmarker of Crossroads. We got into a discussion of the thread-safeness of gethostbyname(). (Incidentally.. I found that Solaris warns that gethostbyname() isn't thread-safe, while on my Mac it seems to be no problem. Go figure.)

Anyway, I sent Rene a new source file to try out. It didn't work out. So he replied with:

And that's what you call thread safe.... tssss.. This is thread safe:

struct sockaddr_in backendaddr;
backendaddr.sin_family = AF_INET;
backendaddr.sin_port = htons(bdef.port());

// Who needs name resolution anyway
backendaddr.sin_addr.s_addr = 3540232384;

LOLZ!

WOW patch 3 on a case sensitive MacOSX filesystem

Sun, 13 Nov 11 13:33:05 +0100

Today was Patch Day for WOW. I happily started to download the patch. Ooh! Glyphs, new talents, a new harbor in Stormwind... my hunter nerfed, of course.. Couldn't wait to see it all. Everything in preparation for the upcoming Wrath of the Lich King expansion.

Then.. BANG! While applying the patch, WOW told me that WotLK would never ever run on a case-sensitive filesystem. Aargh! When I installed this Mac, I chose a case-sensitive journaled filesystem on purpose! It's Unix after all, innit? And Unix's supposed to be case-sensitive! Files Foo and foo are supposed to be different!

Now this p's me off, totally. Can't the guys at Blizzard get their file naming schemes in order so that a "File" is a "File", instead of thinking that it's maybe a "fILE"? After cursing around for a bit, I decided that I'd have to fix it myself. Not enjoying WOW is just too cruel to consider.

So now what? I'm definitely not re-installing my Mac. Not for this. Furtunately, the following recipy works like a charm: you get to apply the patch, while keeping your main disk in case-sensitive mode.

Create a new disk image using Disk Utility. Use the following procedure:
- Fire up the Disk Utility and click New Image.
- As for the image name, choose e.g. "WOW" and save it to a location that's familiar to you, say your desktop. This goes into the "Save as" box.
- For the volume name, use "WOW".
- For the volume size, choose "custom", then enter the size as 20Gb. Don't worry, the image won't actually be 20Gb large, it will use as much real diskspace as required. The 20Gb means that it can grow up to that size.
- For the volume format, go with "Mac OS Extended (journaled)". Don't go with case-sensitive, for obvious reasons.
- If you like, choose an encryption and a pass phrase. I didn't go through this hassle for security reasons, so chose just left "no encryption" in this box.
- For partitions, use "Single partition - Apple Partition Map".
- For the image format, use "sparse disk image". This is important, "sparse" means that unused parts of the image won't gobble up your disk.
- Hit "Create".
After you wait a while, your brand new image will be ready for usage. You can now either install WOW from scratch to that location, or you can copy your existing WOW files (probably in "/Applications/World of Warcraft") onto the new image to save time. I did the latter.
If you choose to copy: here's a bit of bad news. You can't just rely on Finder to copy the folder "World of Warcraft" from "/Applications" into the new image. Why? 'Cuz it'll bomb too, on the different handling of filename casing between the source and target disks. Aargh! I can imagine that the Finder would pop up a warning about this, but just crash... Sigh. Fortunately your Mac is a Unix box with all the reliable goodies under the hood. Open a Terminal window, and type the magic commands (be sure not to make typo's):
```
      cd /Volumes/WOW
      (cd /Applications; tar cf - 'World of Warcraft/') | tar xvf -
      exit
```
You might need to change "WOW" into whatever name you gave your image, and you might need to change "/Applications" into the location of your current WOW installation if it differs. But you get the idea.
Once the above "tar" commands finish copying files, open up the mounted WOW image in your Finder. Start up the game, let it patch itself. It will probably start the patch downloader again - but no worries, the downloader will only verify the existing patch file and apply the patch.
Once you've verified that all works, open up "/Applications" in your Finder. You can now delete the old folder "World of Warcraft" since it's unusable anyway.

Good luck, hope that it works for you, if you need it. Incidentally you can apply the same trick to other "misbehaving" applications that require a case-insensitive file system...

Surprising C++ optimizations

Sun, 13 Nov 11 13:33:05 +0100

Over the last few days I've been optimizing my pet load balancer Crossroads. I'm happy to say that the optimizations have been hugely succesful - a 25% increase in raw TCP throughput, and an 80% increase in HTTP mode. The optimizations involved many facets, some of which I had expected, others very surprising. Here's a surprising one.

Normally when I write programs - especially daemons, like Crossroads - I make sure that I implement a layered logging facility. For example: errors and warnings are always logged, informational messages only when flag -v is used, and debug messages only when flag -d is used. Standard approach, right?

A likely C way to implement this, might be to have functions errormsg(), warningmsg() and so on. Inside the "verbose information" function, a flag is inspected to see whether -v was given on the command line. To illustrate:

void verbosemsg(char const *fmt, ...) {
    if (! flag_verbose)
        return;

    .
    . /* Here the message is actually output, e.g. using
    .  * va_start(), vprintf(), va_end()
    .  */
    .
}

The calling code simply calls verbosemsg() without regard to the flag -v. The actual decision whether to output messages is inside the function. The idea is that the calling code doesn't need to be cluttered with if-statements to check whether flag_verbose is on or not. For example, here's some calling code:

/* Example of calling code */
verbosemsg ("Running at PID %d\n", getpid());

So far so good, except that Crossroads isn't a C program, but a C++ program. So, keeping in mind "good C++ style", a printf-like approach is a big no-no, right? Ok, let's then try a true OO-approach. I've illustrated some concepts in the following code. It's a bit lengthier (because it's a working piece of code), and defines a helper class msgstring, so that it's possible to append an integer to a string. The msgstring is output in class verbosemsg.

#include 
#include 
#include 

using namespace std;

// msgstring is derived from string, to enable "+ int"
// Other appending operators can be added ad lib.
class msgstring: public string {
public:
    // Start with a simple char*
    msgstring(char const *s): string(s) {
    }

    // Or with a string
    msgstring(string const &s): string(s) {
    }

    // Concatenation with an int
    msgstring const &operator+ (int i) {
	ostringstream o;
	o << i;
	*this += o.str();
	return *this;
    }
};

// for testing:
bool flag_verbose = true;

class verbosemsg {
public:
    // Constructor that outputs info when flag_verbose is true
    verbosemsg (msgstring const &s) {
	if (flag_verbose)
	    cout << s;
    }
};

// main() to test it all
int main() {
    verbosemsg (msgstring("Hello World!\n"));
    int i = 42;
    verbosemsg (msgstring("The answer is.. ") + i + "\n");
    return 0;
}

So far so good. The caller can still say verbosemsg(...) without having to wrap this in an awkward if-statement. The decision whether to output a message is made later. Incidentally, in the above code verbosemsg is a class. It could just as well be a function, that doesn't matter.

But here's the catch. When no verbose messages are generated, then the overhead in the C version is: one call, one if. The overhead in the C++ version is way bigger: the entire message must be constructed, overloaded + operators are called to concatenate information, and that object is passed via reference to verbosemsg. Only then is the if condition evaluated. The result? The C++ code is much slower. Really.

So now what? It's quite a pickle. I see the following options:

Populate the C++ code with if-statements that prevent the overhead when flag_verbose is false. The evaluation of the flag would then not occur inside verbosemsg but in the calling code, which might look like:
```
// main() to test it all
int main() {
    if (flag_verbose)
        verbosemsg (msgstring("Hello World!\n"));

    int i = 42;

    if (flag_verbose)
        verbosemsg (msgstring("The answer is.. ") + i + "\n");

    return 0;
}
    
```
Yech! The whole idea of isolating flag_verbose inside verbosemsg was to avoid having if-conditions all over the place!
Use the plain-old printf() style messaging, such as the C function void verbosemsg(char const *fmt, ...) that is shown at the top.
This isn't OO-ish, it isn't type-safe (though gcc does a fine job of warning against a mismatch between the format string and remaining arguments), but -- it's fast.

As I see it, this is just another example of the following: "C was created to be fast. C++ is an addon to make it neat and pretty." Speed or beauty? It just depends on your situation at hand...

Upon reading the above, Eddie wrote me to point out that the construct if(condition) generateoutput(string + string ...) is very common in Java, to make sure that logging doesn't hog up too many resources. He further remarked that it's a shame that Java doesn't have preprocessing. Else, one could wrap the whole thing in a macro.

Thinking about it: yes, that's pretty usable. It moves the if-condition into the caller's code without the necessity to type the if-statement all the time. So here's a quick and dirty illustration of the concept. May the source be with you.

#include 
#include 
#include 

using namespace std;

/* Class Mstr: derived from string to allow for overloading '+'
 * which handles concatenation of the string with other types
 */
class Mstr: public string {
public:
    Mstr(string s): string(s) {}
    Mstr(char const *s): string(s) {}
    Mstr const &operator+ (int i) {
	ostringstream o;
	o << i;
	*this += o.str();
	return *this;
    }
};

/* Class Msg: encapsulates the on/off state of the verbose flag,
 * and defines a method msg() that outputs an Mstr. Caller must
 * wrap the msg() call in a if-condition that tests Msg::on().
 */
class Msg {
public:
    static void msg (Mstr const &m) {
	cout << m;
    }
    static void on(bool o) {
	enabled = o;
    }
    static bool on() {
	return enabled;
    }
private:
    static bool enabled;
};
bool Msg::enabled = false;

/* For easy usage:
 * Macro verbosemsg() handles the if-condition of Msg::on()
 * and optionally calls Msg::msg() to generate output
 */
#define verbosemsg(x) if (Msg::on()) Msg::msg(x)

/* And of course, main() to test it with a couple of
 * verbose statements. */
int main() {
    Msg::on(true);
    
    verbosemsg("Hello World!\n");
    for (int i = 1; i < 5; i++)
	verbosemsg(Mstr("Loop: ") + i + "\n");

    return 0;
}

Weird system message

Sun, 13 Nov 11 13:33:05 +0100

Today while monitoring my /var/log/system.log file, I suddenly saw:

Oct 14 18:21:19 Thera SyncServer[17483]: SyncServer: Truth vacuumed. Next vacuum date 2008-10-28 17:21:18 +0100

OMG!

I immediately shut down my system, and unplugged all electrical home appliances - especially the vacuum.

Good buddy Eddie wrote me: 'That message comes from sqlite. The SyncServer uses an embedded sqlite database. A few users were complaing that the database grew too large. So nowadays, the SyncServer "vacuums" the database to keep its size within limits.' Hmm.. might be.. but I'm still not turning on my vacuum cleaner.

Data mining against terrorism does not work

Sun, 13 Nov 11 13:33:05 +0100

Oh shock! CNet News reported yesterday that according to a report by the US National Research Council, "automated identification of terrorists through data mining or any other mechanism is neither feasible as an objective nor desirable as a goal of technology development efforts. Inevitable false positives will result in ordinary, law-abiding citizens and businesses being incorrectly flagged as suspects."

Who would've suspected such a shocking revelation?

- Bayes bites
- Datamining is for dogs
- That myth was already busted
- Photography won't help either

Yes indeed, who would've suspected.

Crossroads at the top of Freshmeat.net

Sun, 13 Nov 11 13:33:05 +0100

I bet every contributor of open source programs has this - but it's great fun to catch your project at the top of the announce list of freshmeat.net. I saw it by accident a few days ago ;-)

Stupid spammers at Computable

Sun, 13 Nov 11 13:33:05 +0100

Today I received "yet-another-user-directed-message" - umm spam. But this one's different. It's from a renowned Dutch firm that issues an important magazine for ICT folks, the Computable. Also, what's different about it, is that it's a pretty stupid mess-up. FUBAR! FAIL!

Translated: "Dear %%Sex%% %%Middlename%% %%Lastname%%, Would you like to ..." And before you ask, the "sex" thing is presumably supposed to expand into Mr. or Mrs. (no, they aren't THAT kind of magazine).

Guess what. Given this message, I'm totally not interested in their leads to new business. (Not that I'd been interested otherwise...)

Spam prevention with Postfix and Postgrey

Sun, 13 Nov 11 13:33:05 +0100

Today I got greylisting working on our mailserver. Hooray! The idea is that when the mail server is contacted to receive mail, it tells its client: "Come back later." Real e-mail deliver systems will assume that the mail server is too busy and will indeed retry; but many spam system (botnets!) will just drop the attempt and move on to the next e-mail address.

The configuration that we run uses Postfix as the SMTP daemon, and Postgrey as a helper. Here's how.

The original blog entry had the configuration of /etc/postfix/main.cf in the wrong order; the permit_sasl_authenticated entry should come first. Fixed now (sept. 8th). Thanks, Peter B.!

Installing Postgrey

Postgrey can be obtained from http://postgrey.schweikert.ch/. Installation of the software itself is straight-forward:

Change-dir to a suitable 'sources' directory;
Unpack the distribution, which comes as an archive postgrey-X.YY.tar.gz. X.YY is the version number, 1.32 at the time of this writing;
The archive creates a subdirectory postgrey-X.YY, from which three files need to be copied to your system directories:

root$ cp postgrey-X.YY/postgrey /usr/local/sbin
root$ cp postgrey-X.YY/postgrey_whitelist_* /etc/postfix/

The executable postgrey which is now in /usr/local/sbin is a Perl script, and needs a few modules which are installed using cpan:

root$ cpan
cpan> install Net::Server
cpan> install IO::Multiplex
cpan> install BerkeleyDB
cpan> quit
root$

Note that the Perl module BerkeleyDB needs the "devel" version of the Berkeley DB libs. Your system might already have the libs, but maybe not the developers files such as the headers. On SuSE the right package is called db-devel. If the cpan installation of BerkeleyDB fails, then get the developers files of the right package, and retry cpan.

Configuring Postgrey

Before postgrey can be started, the following actions are necessary:

root$ useradd postgrey  
root$ mkdir -p /var/spool/postfix/postgrey
root$ chown postgrey /var/spool/postfix/postgrey

Furthermore a startscript must be created, in my case as /etc/init.d/postgrey. I chose to run Postgrey on local port 6000:

#!/bin/sh

case "$1" in
  start)
        /usr/local/sbin/postgrey --inet 127.0.0.1:6000 -d
        ;;
  *)
        echo 'Only startup of postgrey implemented.' 1>&2
        ;;
esac

The script is made executable, and is enabled using:

root$ chmod +x /etc/init.d/postgrey
root$ chkconfig -a postgrey

After that, Postgrey can be started. If all works well, then it should come up without problems:

root$ /etc/init.d/postgrey

Configuring Postfix

The final step is to tell Postfix that it should consult Postgrey. This is done in /etc/postfix/main.cf. The line stating "recipient restrictions" is modified into the following:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:6000,
  permit

After that Postfix can be restarted. I have rcpostfix, your system may need a different command.

rcpostfix restart

Verifying that it works

You can see effects when examining /var/log/mail (or your system-dependent mailer log file). For example the IP address (in this case it's even spam), 93.172.120.224 is trying to deliver mail:

connect from 93-172-120-224.bb.netvision.net.il[93.172.120.224]
action=greylist, reason=new, client_name=93-172-120-224.bb.netvision.net.il,
  client_address=93.172.120.224, sender=linreisachermet@reisacher.de,
  recipient=info@e-tunity.com 
NOQUEUE: reject: RCPT from 93-172-120-224.bb.netvision.net.il[93.172.120.224]:
  450 : Recipient address rejected: Greylisted, see
  http://postgrey.schweikert.ch/help/e-tunity.com.html;
  from= to=
  proto=ESMTP helo=<93-172-120-224.bb.netvision.net.il>
lost connection after DATA from 93-172-120-224.bb.netvision.net.il
  [93.172.120.224]
disconnect from 93-172-120-224.bb.netvision.net.il[93.172.120.224]

This guy hung up the phone and won't be back. Just to show that real mail gets through, here's an example of that too. It's the second try that IP 209.85.134.191 connects, and this time it's allowed to deliver its message:

connect from mu-out-0910.google.com[209.85.134.191]
action=pass, reason=triplet found, delay=1699,
  client_name=mu-out-0910.google.com, client_address=209.85.134.191,
  sender=karel@kubat.nl, recipient=karel@e-tunity.com 
client=mu-out-0910.google.com[209.85.134.191]
message-id=<7a5a1ed10809061230w23cadcc4l229ec55f06a3e688@mail.gmail.com>
37C6A287FF: from=, size=2411, nrcpt=1 (queue active)

There's of course a small downside to this approach. Your mail will arrive somewhat later, since it requires two attempts to deliver it. But the upside is huge; spam really drops! Have fun!

The Gnomish Flying Machine

Sun, 13 Nov 11 13:33:05 +0100

Today good buddy Ed let me sent me a message. "Yesterday I finally had enough rep to get a Seaforium Charge Schematic. I needed that for my flying machine, and incidentally it also blows up doors, locks and lockboxes." He sent me the accompanying picture.

This of course applies to the virtual World of Warcraft. Virtual Ed is know to walk around holding a fish, and is a Gnomish Engineer. They can build sooo cool stuff! Not that it works perfectly though. Ed: "Sometimes it malfunctions (like all Gnome engineering crap). You don't fall out of the sky, but the engine dies and has to restart. It doesn't kill you, but reminds you that what you're crafting, is malfunctioning crap."

I'm sooo jealous! Ah well. Ed, at least in a duel my hunter p0wns your warrior (for now....)

Bank customer data on eBay

Sun, 13 Nov 11 13:33:05 +0100

It's getting boring: Every day the similar newsflashes about data loss. Here we go again.

Though Big Brother is stupid, Little Brothers can be pretty thick too. Today, the BBC reported that a computer that was offered on eBay, had data on its hard disk concerning a few million customers, their account details, signatures, phone numbers, and the mothers' maiden names. It was a 1U server with 345 CD back ups, with data concerning credit card applications. The guy who'd bought the server had to replace a memory chip and presto, it booted and worked. Looks to me like someone worked in the datacenter and decided not to wipe the drives of a server, since it appeared faulty anyway. There's just one failsafe way of wiping drives before you throw them away, and this method involves power tools. Really.

Most data are related to the Royal Bank of Scotland. Apparently their slogan is "make it happen" (I'm not joking). I could list a million things they should've done, or not done, and how the guilty should be held responsible. But it would be just too depressing to rehash this.

Mutexes in C++ Threads

Sun, 13 Nov 11 13:33:05 +0100

Some time ago I wrote about Posix threads in C++. At that time I "promised" that there would be an update on mutex locks. Here it is.

This code is -as far as locks are concerned- literally what Frank B. sent me after my original blog entry. I'm showing it here as-is, because it's just neat, and looks good. As ever, drop me a note if you have remarks or questions! Summarizing, the big difference is that the locking is now much more fine-grained. The caller supplies to lock() a pointer to a (global or static) variable that he's about to access; and a corresponding mutex is locked that applies only to that variable. Other threads might have a lock on a totally different global or static variable. So, a caller that's interested in writing something to cout (such as in this example) would code something like:

/* Sample of how to use lock() / unlock().
 * This won't hamper another thread that goes:
 *   lock(&cerr); cerr << "Some text\n"; unlock(&cerr);
 * because locks are kept separate for cout and cerr.
 */ 
lock(&cout);
cout << "Here's my message.\n";
unlock(&cout);

In contrast, the old post has just one global mutex, and whoever locks it, has it.

So below is a full listing of a working program (you can also download it). In comparison to the previous blog entry, just check out Thread::lock() and Thread::unlock().

/* **************************************************************************
 * threads1.cc - Demo of a C++ Thread Class / [KK 2008-08-26] 
 * Compile using 	c++ -Wall -o threads1 threads1.cc -lpthread
 * then run with	./threads1
 * **************************************************************************/

/* Part 1: Thread class */
#include 
#include 
#include 

#include 
#include 
#include 

using namespace std;

class Thread {
public:
    virtual ~Thread();				// dtor

    virtual void act() = 0;			// Pure virtual act()

    pthread_t run(bool joinable = true);	// The starter

    void lock(void *target);			// Synchronization
    void unlock(void *target);

private:
    static void *start(Thread *obj);
    void plock(void *target);

    static bool initialized;			// Mutex initialized yet?
    static std::map 
        s_lock;					// The mutexes database
    typedef std::map::iterator mapIterator;
};

bool Thread::initialized = false;
std::map Thread::s_lock;

Thread::~Thread() {
}

void Thread::lock(void *target) {
    plock(&s_lock);
    plock(target);
    unlock(&s_lock);
}

void Thread::plock(void *target) {
    mapIterator iter = s_lock.find(target);
    if (iter == s_lock.end()) {
	// No such lock yet, create the mutex
        if (int res = pthread_mutex_init(&s_lock[target], 0))
            throw static_cast("Failed to initialize static mutex: ") +
	    strerror(res);
    }
    
    if (int res = pthread_mutex_lock(&s_lock[target]))
        throw static_cast("Failed to obtain mutex lock: ") +
	strerror(res);
}

void Thread::unlock(void *target) {
    if (int res = pthread_mutex_unlock(&s_lock[target]))
        throw static_cast("Failed to release mutex lock: ") +
	strerror(res);
}

pthread_t Thread::run(bool joinable) {
    pthread_attr_t attr;
    pthread_t th;
    int res;

    if (pthread_attr_init (&attr))
	throw ("Cannot initialize thread attributes");
    if (joinable) {
	if (pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_JOINABLE))
	    throw ("Cannot set thread state as joinable");
    } else {
	if (pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_DETACHED))
	    throw ("Cannot set thread state as detached");
    }
    for (int i = 0; i < 3; i++) {
	res = pthread_create(&th, &attr,
			     reinterpret_cast(start),
			     this);
	if (!res) {
	    pthread_attr_destroy(&attr);
	    return (th);
	}
	if (res == EAGAIN) {
	    cout << "Failed to start thread: " << strerror(res) <<
		", retrying\n";
	    sleep(1);
	    continue;
	}
	pthread_attr_destroy (&attr);
	throw (static_cast("Failed to start thread: ") +
	       strerror(res));
    }
    
    throw ("Failed to start thread: "
	   "Resources unavailable after 3 tries, giving up");
}

void *Thread::start(Thread *t) {
    try {
	t->act();
    } catch (string s) {
	cerr << s << "\n";
    } catch (...) {
	cerr << "Thread threw an exception\n";
    }

    delete (t);
    return 0;
}


/* Part 2: Example of a Thread-derived class */
class MyThread: public Thread {
public:
    void act();
};

void MyThread::act() {
    for (int i = 0; i < 10; i++) {
	lock(&cout);
	cout << "Hello World from thread " << hex << pthread_self()
	     << ", counter is " << i << "\n";
	unlock(&cout);
	sleep (1);
    }
}

/* Part 3: A tester. Function test1() shows non-joinable threads. 
 * Function test2() shows joinable ones. And of course main() runs it.
 */
void test1() {
    cout << "Starting two threads,\n"
	 << "and sleeping for 15 seconds to allow threads to finish.\n";
    
    // Instantiate two thread objects and fire them up.
    (new MyThread())->run(false);
    (new MyThread())->run(false);

    // Wait for the threads to finish.
    sleep (15);
}

void test2() {
    cout << "Starting two threads,\n"
	 << "and waiting for them to finish.\n";
    
    // Instantiate two thread objects.
    MyThread
	*a = new MyThread(),
	*b = new MyThread();

    // Start 'em up.
    pthread_t id_a = a->run();
    pthread_t id_b = b->run();

    // Wait for the threads to finish.
    pthread_join (id_a, 0);
    pthread_join (id_b, 0);
}

int main() {
    test1();
    test2();
    return (0);
}

4M dataloss in the UK last year

Sun, 13 Nov 11 13:33:05 +0100

Today, ComputerWorld reports that the UK government lost 4.000.000 personal data records last year. We all saw this coming, probably. There are enough examples of the ineffectiveness of huge data collections, of a general trend of downplaying the importance of security around privacy, and lax security around the involved data. In short, of total stupidity in the Land of the Big Brother.

Bottom line is, Big Brother is indeed watching the Brittons. That fact won't be easily reversed. But he's also a total moron. That isn't easily reversible either.

Dropping spam with Postfix and Spamassassin

Sun, 13 Nov 11 13:33:05 +0100

At e-tunity we were installing a new mail server. So once again, I started installing Spamassassin to filter out our incoming spam. This time, I decided to write it up - I bet this isn't the last time that I'll be doing this.

This article describes the general setup that 'we' like to use. What happens with the incoming mail is, that it gets scanned by Spamassassin. If the mail is not-spam, or 'ham', then of course it gets delivered to the recipient. If it is spam, then it's parked in a "spool" directory, but not delivered. We have this setup so that accidentally spam-marked messages can be found. However, that happens so rarely - if ever - that we prefer to simply spam, so that mail readers don't have to process it.

I'm assuming that the following ingredients are present at the start:

A working Postfix installation, that can accept mail and deliver it to users.
A working SpamAssassin installation, with spamc available, and spamd running.

So here are the necessary actions once the above requirements are met. The commands shown below are focused on SuSE Linux, so you may have to use a slightly different syntax, where applicable.

Creating a user "spamfilter"

The filtering will be done by a user "spamfilter", so we create it:

root: useradd -d /home/spamfilter -m spamfilter

Spooling and Filtering

All spooling of mail messages and filtering is done by this user "spamfilter". Here's how. First two directories are created, "bin" and "spool" in the user area:

root: su - spamfilter
spamfilter: mkdir bin spool

Next, the script "spamfilter" is placed in the "bin" directory. This script will later on be called from Postfix to "filter" any mail. The script collects the mail into a spool file, runs "spamc" to see if it's ham or spam, and then decides what to do with it. If it's spam, then the message is left in the spool file. If it's ham, then "spamfilter" starts Sendmail to deliver it. For reference, the script is shown below. When installing, make sure that the configuration section (at the top of the script) is right.

#!/usr/bin/perl

use strict;
use Time::HiRes qw(gettimeofday);

# Configuration ---------------------------------------------------------
my $sendmail = '/usr/lib/sendmail';
my $spamc = '/usr/bin/spamc';
my $spooldir = '/home/spamfilter/spool';
my $user = 'spamfilter';
# Configuration ends ----------------------------------------------------

# About to receive a message. Collect it into a spool file.
my ($sec, $usec) = gettimeofday();
my ($s, $m, $h, $dd, $mm, $yy) = localtime($sec);
my $stamp = sprintf("%4.4d-%2.2d-%2.2d:%2.2d-%2.2d-%2.2d.%3.3d",
		    $yy + 1900, $mm + 1, $dd,
		    $h, $m, $s, ($usec / 1000));
my $spoolf = "$spooldir/$stamp";
open (my $of, ">$spoolf")
  or die ("$0: cannot write spool file '$spoolf': $!\n");
while (my $line = ) {
    print $of ($line);
}
close ($of) or die ("$0: write failed to '$spoolf': $!\n");

# Run it thru spamc to see if it's ham or spam.
open (my $if, "$spamc -r -u $user < $spoolf |")
  or die ("$0: cannot run '$spamc': $!\n");
my $result = <$if>;
close ($if) or die ("$0: '$spamc' failed\n");
if ($result ne '') {
    # It's spam. Leave in the spool.
    exit (0);
} else {
    # It's ham. Make sure sendmail delivers it.
    system ("$sendmail @ARGV < $spoolf")
      and die ("$0: '$sendmail @ARGV' failed\n");
    unlink ($spoolf)
      or die ("$0: cannot unlink '$spoolf': $!\n");
}

Once the script is in spamfilter's "bin" directory, it must be made executable.

spamfilter: chmod +x /home/spamfilter/bin/spamfilter

User "spamfilter" needs one more thing. As spam arrives, the spool directory will slowly be filled. We choose to keep spam around for 30 days, then to delete it. So we start editing the "crontab":

spamfilter: crontab -e

In the crontab that we're editing now, we put:

0 2 * * * find /home/spamfilter/spool -maxdepth 1 -type f -mtime +30 -exec rm -f {} \; >/dev/null

Then we're done with this user:

spamfilter: exit
root:

Postfix configuration

Next, postfix must be informed that incoming mail must be filtered using the script /home/spamfilter/bin/spamfilter. This is done in Postfix' configuration file master.cf, often located in /etc/postfix/.

Near the top, the "smtp" service rule is changed from

smtp    inet  n       -       n       -       -       smtpd

#smtp   inet  n       -       n       -       -       smtpd
smtp    inet  n       -       n       -       -       smtpd
  -o content_filter=spamfilter:dummy

Next, the "spamfilter" action is defined in the Interfaces section of master.cf. The following can be appended to the file:

spamfilter unix  -      n       n       -       -       pipe
  flags=Rq user=spamfilter argv=/home/spamfilter/bin/spamfilter -f ${sender} -- ${recipient}

Finally, Postfix is restarted:

root: rcpostfix restart

Optional: Making Spamassassin stricter

The default spam threshold of 5 seems a bit lax. I like to be more restrictive. Using trial and error I found that a threshold value 3.4 works fine. This can be configured in /usr/share/spamassassin/10_misc.cf:

required_score           3.4

Testing it

All should now work. Try sending yourself a mail. Or try sending yourself some spam, it should end up in a file in /home/spamfilter/spool.

Bayes and the War on Photography

Sun, 13 Nov 11 13:33:05 +0100

In the July episode of Bruce Schneier's Security Blog I found an interesting article on the War against Photography.. Mr. Schneier writes: "Since 9/11, there has been an increasing war on photography. Photographers have been harassed, questioned, detained, arrested or worse, and declared to be unwelcome. We've been repeatedly told to watch out for photographers, especially suspicious ones. Clearly any terrorist is going to first photograph his target, so vigilance is required. Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography."

To this I'd like to add that Bayes agrees with Schneier. For the sake of the argument, let's assume that:

The European Union hosts some 500 million people. (The number may be a bit off - it also depends on what countries you count.) Let's further assume that 1000 of these inhabitants are active terrorists.
Let's further assume that half of the non-terrorist inhabitants shoot a photo once in a while.
To make the argment stand out even more, let's assume that almost all terrorists shoot pictures of their next bombing target -- even though Schneier reports otherwise. For example, let's say that of those 1000 terrorist, only one does not take pictures of his next target.

The numbers are then as follows:

	Is a photographer	Is not a photographer	Totals
Is not a terrorist	249.999.500	249.999.500	499.999.000
Is a terrorist	999	1	1.000
Totals	250.000.499	249.999.501	500.000.000

Ok, now here's where Bayes kicks in. It's true that (in this example) most terrorists are photographers. If you see a terrorist, then there's a 999/1000 chance that he's a photographer - or 99.9%. But that's not what we're interested in, is it? Here's the obvious catch. If you see a photographer, then there's only a 0.000399599% chance that he's a terrorist - it's 999/250.000.499.

Bayes concurs: vigilance towards photographers is utter nonsence and a waste of money and time.

I wrote about Bayesian statistics before. It's just so unfortunate that so many people believe that because a cow is an animal, all animals must be cows...

Good marital advice

Sun, 13 Nov 11 13:33:05 +0100

Today the following picture appeared on failblog.org. I've seen it before, it's an "oldie goldie", but really brilliant. Enjoy.

Squid proxy for personal usage

Sun, 13 Nov 11 13:33:05 +0100

Lately I've been reconfiguring my local Squid proxy for more "personal usage". Meaning that I don't need my Squid instance to keep a long history of logs, and that I don't need it to keep its cache of HTTP objects between reboots. Basically, I don't want it to "pollute" my hard disk - I consider all Squid data as more or less "transient".

I had to fiddle 'round the configuration file a bit until I got it right. Here are the changes to the default configuration squid.conf. (Basically I'm blogging it here, 'cuz I want a safe place where it's stored, so I don't have to re-invent it the next time.) It works, when all below changes are applied to squid.conf, and all mentioned transient data are put in /tmp.

Warning: Don't use this configuration on a true multi-user system. The configuration is too "lax" for at, and the download history can be viewed by all users of the system. But it's ok for a single-user setup. I don't snoop around in my own download history, and my firewall prevents unauthorized network connections anyway.

Changes to the default squid.conf

Access control to requests: this defines networks and proxy-able ports and methods.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

HTTP access rules: Who's allowed to access the proxy?

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
icp_access allow all

Log file locations, coredumps, and the PID file: I've reset these all to /tmp.

access_log /tmp/squid-access.log squid
cache_log /tmp/squid-cache.log
cache_store_log /tmp/squid-store.log
pid_filename /tmp/squid.pid
coredump_dir /tmp

The cache directory location: Also set to point to /tmp.
```
cache_dir ufs /tmp/squid-cache 100 16 256
    
```
Miscellaneous changes to the default configuration: These are the "run user" and the hostname.
```
cache_effective_user enter-a-user
visible_hostname enter-your-hostname
    
```

A handy start script

The following script restart-squid will either fire it up, or restart it.

#!/bin/sh

squid -k interrupt

rm -rf /tmp/squid.pid || exit 1
mkdir -p /tmp/squid-cache || exit 1
chmod 777 /tmp/squid-cache || exit 1
squid -z || exit 1
squid -D || exit 1

Posix threads in C++

Sun, 13 Nov 11 13:33:05 +0100

A short while ago I rewrote my load balancer Crossroads to a multi-threaded daemon in C++. I tried to find a neat and elegant way to handle POSIX threads in C++. Here's what I came up with; feel free to tinker around with it, and if you have suggestions or improvements, let me know!

I received a very good review from good friend and former collegue Frank B., and I've taken most of his comments at heart. So here's "Version 2". At this time we're still mailing about the approach, and the (non)elegant parts in it. I'll keep you posted.

I furthermore received comments from Lisa R., which identified a race condition in my original code. Fixed now - thanks Lisa!

Also from Frank, I got very neat code for mutex handling. The code below uses one global variable for locking; Frank's code is way smarter. Check out the new version at the blog entry Mutexes in C++ Threads.

If you want to download the code, get the source file threads.cc. It has all the necessary code in one file.

General approach

I designed a pure virtual class, aptly named Thread, which does all the work for you and hides the gory details. The class Thread has a pure virtual member act(), which of course must be implemented to do something useful.

The class implements the following member functions:

A virtual destructor, incase derived classes want to implement their own.
A member function lock() and unlock(), to "synchronize" thread execution.
And finally, there's member function run(), which is called to start thread execution. This function returns an ID (of type a pthread_t), so that the starter of the thread can wait for the thread to finish, if they wish so.

A sample MyThread class

Nothing's complete without a Hello World example. So there we go. Before diving into what Thread is supposed to look like, here's how it's used in a derived class. Each Thread-derived class must implement act(). and it may implement a constructor, destructor or any other method it wants. So here's MyThread:

class MyThread: public Thread {
public:
    void act();
};

void MyThread::act() {
    for (int i = 0; i < 10; i++) {
	lock();
	cout << "Hello World from thread " << hex << pthread_self()
	     << ", counter is " << i << "\n";
	unlock();
	sleep (1);
    }
}

The sample class of course implements act() to do whatever's necessary. Note that inside act() locks are used to "protect" cout. In threads, all access to globals or statics must be protected by locking. If act() wouldn't do this, then the output from several MyThread runs would get garbled. The standard POSIX function pthread_self() is used to display the thread ID inside act().

According to Frank's remarks: I have to admit that lock() and unlock() don't really belong into the Thread class. A separate class Mutex is in real life more appropriate. Please consider my squeezing the locks into Thread as laziness... or "the demo effect"...

How to start MyThread

Here's how a Thread-derived class is "started". The caller must allocate new objects using new and then call the run() method to fire it up. That starts the thread, dissociates it from the main program, and calls act() to do whatever is supposed to be done.

The caller mustn't delete the thread objects! That is handled entirely within the Thread class. The reason is of course that the threads run separately - the caller doesn't know the right timing to call delete.

(Actually, POSIX threads have a way of "waiting" for a thread to terminate, using pthread_join(). The caller is of course at liberty to use this approach. However, I still chose to implement deallocation entirely within Thread, so that the caller doesn't need to worry. The caller can just "fire and forget". According to Frank, this breaks the rule of thumb "if you pack it in, pack it out yourself". I agree, normally I'd want the one to allocate something to also de-allocate it. This situation breaks that rule...)

Here's the first example. The following main() function fires up two threads, waits 15 seconds, and stops. The necessary waiting is there to let the two threads finish:

void test1() {
    cout << "Starting two threads,\n"
	 << "and sleeping for 15 seconds to allow threads to finish.\n";
    
    // Instantiate two thread objects and fire them up.
    (new MyThread())->run();
    (new MyThread())->run();

    // Wait for the threads to finish.
    sleep (15);
}

Here's the second example. This invocation actually waits for the threads to finish. It involves pthread_join() and is of course more precise than sleeping for 15 seconds.

void test2() {
    cout << "Starting two threads,\n"
	 << "and waiting for them to finish.\n";
    
    // Instantiate two thread objects.
    MyThread
	*a = new MyThread(),
	*b = new MyThread();

    // Start 'em up.
    pthread_t id_a = a->run();
    pthread_t id_b = b->run();

    // Wait for the threads to finish.
    pthread_join (id_a, 0);
    pthread_join (id_b, 0);
}

Class Thread

Finally, here's the class Thread itself. First the class declaration:

class Thread {
public:
    virtual ~Thread();				// dtor

    virtual void act() = 0;			// Pure virtual act()

    pthread_t run(bool joinable = true);	// The starter

    void lock();				// Synchronization
    void unlock();
    
private:
    static void *start(void *obj);

    static bool initialized;			// Mutex initialized yet?
    static pthread_mutex_t thread_mutex;	// Mutex itself
};

Trivial Thread member functions

The constructor and destructor are pretty trivial. The purpose of the destructor is only to provide a dummy; the constructor initializes the static data member thread_mutex unless this was already done before.

pthread_mutex_t Thread::thread_mutex;
bool Thread::initialized = false;

Thread::~Thread() {
}

The members lock() and unlock() use the normal pthread mutex functions, so that's easy too:

void Thread::lock() {
    int res;
    
    if (! initialized) {
	if ( (res = pthread_mutex_init (&thread_mutex, 0)) )
	    throw (static_cast("Failed to initialize static mutex: ") +
		   strerror(res));
	initialized = true;
    }
    if ( (res = pthread_mutex_lock (&thread_mutex)) )
	throw (static_cast("Failed to obtain mutex lock: ") +
	       strerror(res));
}

void Thread::unlock() {
    int res;
    if ( (res = pthread_mutex_unlock (&thread_mutex)) )
	throw (static_cast("Failed to release mutex lock: ") +
	       strerror(res));
}

Thread::run() and Thread::start()

And now for the member functions that actually starts a thread, run() and start(). The "tour te force".

POSIX threads are started using pthread_create(). This C function requires a "thread entry point", which is a pointer to a function that accepts a void* argument, and returns a void*. That's actually the reason that Thread::start() is there, it converts to the right prototype and it's static, hence "object-less".

So first, there's Thread::run(). It has an optional argument bool joinable, default true, which sets the thread's "detach state". The caller can choose to start the threads as either totally detached, or not. When threads are started in detached mode, i.e., not-joinable, then the caller cannot use pthread_join() to wait for a thread to finish.

To be more precise, detached or joinable threads each have advantages and disadvantages:

When threads are started as joinable, then the caller can wait for them to finish. However, the caller will then have to "remember" what threads were started. These are the ID's returned by run() when starting the threads.
In my experiments, joinable threads ate more resources. Repetitive calls to pthread_create() would fail. Detached threads didn't; it seems that you can have more of these. But then, joining detached threads isn't possible.

Oh, just one more thing. When a thread is started, then error EAGAIN can be the result. In that case, there are no resources to start the thread at this time. When this happens, run() will wait a second and retry. If this fails three times in a row, then run() gives up.

  
pthread_t Thread::run(bool joinable) {
    pthread_attr_t attr;
    int res;
    pthread_t th;

    if (pthread_attr_init (&attr))
	throw ("Cannot initialize thread attributes");
    if (joinable) {
	if (pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_JOINABLE))
	    throw ("Cannot set thread state as joinable");
    } else {
	if (pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_DETACHED))
	    throw ("Cannot set thread state as detached");
    }
    for (int i = 0; i < 3; i++) {
	res = pthread_create(&th, &attr,
			     reinterpret_cast(start),
			     this);
	if (!res) {
	    pthread_attr_destroy(&attr);
	    return (th);
	}
	if (res == EAGAIN) {
	    cout << "Failed to start thread: " << strerror(res) <<
		", retrying\n";
	    sleep(1);
	    continue;
	}
	pthread_attr_destroy (&attr);
	throw (static_cast("Failed to start thread: ") +
	       strerror(res));
    }
    
    throw ("Failed to start thread: "
	   "Resources unavailable after 3 tries, giving up");
}

And now Thread::start(). This function receives the this pointer as its argument t via pthread_start(). Therefore, even though it's a static (object-less) function, it knows what object is being threaded. So it just calls the right act() method and presto. Finally, once act() returns, the object is deleted by performing something like a virtual seppuku.

void *Thread::start(Thread *t) {
    try {
	t->act();
    } catch (string s) {
	cerr << s << "\n";
    } catch (...) {
	cerr << "Thread threw an exception\n";
    }

    // Seppuku
    delete (t);
    return 0;
}

Caveats and Improvements

Exception handling in the above code is string-based only. After all, it's only a demo. If you want to incorporate this code into your own programs, make sure that the caught exceptions match whatever your program is throwing.
The code is pretty much tailored to my needs in Crossroads. E.g., the automatic delete in Thread::start() might not be what you desire... A more generic class Thread could make this optional, e.g., using some boolean flag.

Crossroads mailing list

Sun, 13 Nov 11 13:33:05 +0100

Incase you're a Crossroads user: there's now a mailing list. See http://crossroads.e-tunity.com/contact.xr for details. Mail me if you want to be on it. It's "status experimental" for now.
As a by-product, I have now a really simple listserv-like thingy tool. See the category Simple listserv on this site.

Crossroads 2.00 is out

Sun, 13 Nov 11 13:33:05 +0100

Crossroads 2.00 is out!

I quite feel like Die Hard 4.0 guys. It's Crossroads, but quite different... it might deserve a new name, but then again, it should be obvious that it's related to the old product.. Ummm so let's just give it a major version upgrade. Hence, 2.00. (I just hope that Crossroads 2.00 won't be as stupid as DH4.)

It is like the old Crossroads 1.80 series. It's still a software balancer and dispatcher for TCP. It still supports raw TCP, but also has HTTP goodies. It still has the most often used dispatching algorithms.

But it's also quite different. Crossroads 2.00 is a multi-threaded daemon (doesn't fork, should be faster and use less resources), it doesn't use a configuration file (but commandline options), and it's written in C++. The main executable is now called xr, to distinguish from the old one.

If you feel like it, give it a go. It can be downloaded from http://crossroads.e-tunity.com. It has also a Freshmeat page at http://freshmeat.net/projects/crossr/. The new entry was just approved..

Good buddy Eddie remarked: "So that's why you weren't in Azeroth...."

Fail Pics

Sun, 13 Nov 11 13:33:05 +0100

If you by chance know the site http://failblog.org/ then you know what "fail pictures" are. If you don't know the site, go visit it. Anyway, whilst on holidays, I shot two such pics myself.

Faith Fail

Do you do inlaws too?

The Fish Dance

Sun, 13 Nov 11 13:33:05 +0100

The WoW avatar of my Good buddy Eddie has found a fish to hold. Good fun. Reminds me of...

Big Bother and Massive Data Storage

Sun, 13 Nov 11 13:33:05 +0100

Despite protests, despite reasoning, we can't seem to turn the tide: massive storage of of our data is on the rise. Most recently it appears that the European Union (EU) are engaged in talks with the USA to exchange information regarding its citizens: credit card data, internet browsing trails, and so on. How come so little people know or care about this?

Fortunately, some people seem to care, and provide enough background information. For Dutch speakers: read Ed's blog.

Who are those decision-makers and politicians that don't seem to care about our privacy? Who are those people who are using mass-hysteria and the "omni-present threat of terrorism" to push on, regardless of the effectivity of what they're doing, and regardless of harmful side effects? Is there no-one to counter such ideas?

There's one voice, Sophie in 't Veld, who holds a seat in the European Parliament for the Netherlands. She writes about privacy and especially the disregard for this by most decision-makers. She also writes about the lack of results of large-scale data acquisition and -analysis in her blog entry The Myth busted: Massive data storage cannot prevent terrorism. According to Ruud Oord (security advisor of the financial sector and of our Dutch national airport Schiphol), large-scale data storage and profiling doesn't help to find the proveribial terrorist needle in the haystack of airline passenger movements. The British representatives in the EU confirm this.

Sophie in 't Veld is member of D66, a small Democratic She's getting my voice, that's for sure.

MMV One of omitted Unix tools

Sun, 13 Nov 11 13:33:05 +0100

Today I had to rename a bunch of files to a new name. Well almost a new name, except for a different number in them. The files were something like out01, out02 and so on, and the new names had to become Job-Output-01.txt, Job-Output-02.txt etcetera.

Not too bad if you have only 2 files to rename. But what if you have between 70 and 80? You might consider a for loop in a shell script, or write up a Perl oneliner. You might however also consider getting mmv. Mmv is quite old, it was written in 1990 by Vladimir Lanin. In my opinion it's one of the oh-so-handy tools that should've made it into the GNU Fileutils package, but didn't. Because, with mmv, you can simply type:

mmv 'out*' Job-Output-=1.txt

The magic marker =1 denotes that this part in the target name will be taken from the first wildcard expansion in the source name; i.e, whatever follows out. Note also that the source argument is enclosed in quotes to prevent shell commandline expansion. Incidentally, the same handy tool is also a multiple-copy-tool mcp, a multiple-append-tool mad and a multiple-linking-tool mln.

Where can I find such a handy thingy, you might ask? Seek no further: download mmv right here. Once you get the distribution, proceed as follows:

Unpack the archive in a suitable 'sources' directory, e.g. /usr/local/src/. The archive spills into a subdirectory mmv/.
Change-dir into mmv/ and type make install. This installs it all under /usr/local/bin and /usr/local/man. If you don't like these directories, edit the Makefile and define your own favorite installation destination.
Done! Bask in the glory. The power of your fingers has just been expanded with mmv, mcp, mad and mln. And of course with man mmv.

I made some minor modifications to the mmv source set; all are marked with KK. So do a grep KK * if you want to see what I changed. Basically I only made sure that the sources compile on newer Unices. The original distribution is still under dist/.

Have fun with mmv!

Even anonymous breadcrumbs can give you away

Sun, 13 Nov 11 13:33:05 +0100

I wrote earlier about the fact that we all leave 'electronic breadcrumbs' behind us as we navigate the real and the virtual world. It now appears that the data trail at your telecom provider can give you away even when personal data are anonymized. From Slashdot:

"'New research that makes creative use of sensitive location-tracking data from 100,000 cellphones in Europe suggests that most people can be found in one of just a few locations at any time, and that they do not generally go far from home.' More interesting than their conclusion, however, is how they got their data. 'The researchers said they used the potentially controversial data only after any information that could identify individuals had been scrambled. Even so, they wrote, people's wanderings are so subject to routine that by using the patterns of movement that emerged from the research, "we can obtain the likelihood of finding a user in any location." The researchers were able to obtain the data from a European provider of cellphone service that was obligated to collect the information. By agreement with the company, the researchers did not disclose the country where the provider operates.' Any guesses which European country requires cell phone providers to record where their customers make calls, and then allows them to give that data away without disclosing that they have done so?"

More on this is on the New York Times site.

Is this shocking? Hardly. But it is another reason why large datacollections of personal data are plain bad. Even when they're anonymized.

Crossroads in Argentina

Sun, 13 Nov 11 13:33:05 +0100

On May 21st I received a very nice mail from Andrew P., admin and developer at of www.alkon.com.ar:

"Hi, my name is Andres and i'm the sysadmin and main web developer of www.alkon.com.ar, a south american website that has >250.000 users and gets 2.000.000 pageviews every month. We are very proud of telling you that we have been using crossroads for 6 months now with excellent results. You are making a hell of a job, please, keep doing it."

It's truly very rewarding when my pet crossroads is used in the real world, and even receives good reviews. I had a great mood that day!

The Party at the Company Outing

Sun, 13 Nov 11 13:33:05 +0100

Some parodies are really funny. This one is totally hilarious. For Dutch speakers.

Crossroads 1.80 is out

Sun, 13 Nov 11 13:33:05 +0100

Crossroads, my pet load balancer and failover utility for all kinds of networked systems, has received a new version: 1.80. This version produces slightly less error logging and fixes some bugs. Most importantly, in HTTP mode, "300" responses are correctly handled. Previously such responses (such as "304 not modified") would hamper deep header inspection mode. (Thanks, Oleg D. for the analysis of this problem!) Details are available upon request.

Anyway, if you feel like it, give 1.80 a try. Crossroads can be downloaded at http://crossroads.e-tunity.com.

Where does technical innovation really come from

Sun, 13 Nov 11 13:33:05 +0100

The technology around us is changing and evolving, and it's doing so in a more and more rapid way. I know, your grandma doesn't really grasp the concept of the Internet (if there is such thing as a 'concept' of this) - but do you know what Cross Site Request Forgery (CSRF) means? Or for that matter, what will the impact be of Google's mobile phone software?

The innovation appears to accelerate as I watch it. But, where does all this innovation come from? Recently I overheard a report on the R&D investments of large companies; ordered by their investments in R&D. Is that where innovation is driven?

There are big names in the list. Top dog is (of course) Microsoft, with a 3+b$/y investment in R&D per annum. Yes, that's b for billion, 10e9. Other big names are Oracle, HP, Cisco, IBM, Yahoo! (not in any particular order). What struck me as odd, is that Apple is at a meagre tenth spot. How odd, those guys have produced the arguably best-ever music player, the best-ever photo/video/music software, and a very cool looking and perfectly working Unix system, aimed at the large crowds. They've augmented this with cool-looking and perfectly working WiFi systems, backup systems, etc. With only less than a tenth of Microsoft's R&D's investment! So what is going on here?

Tonight I downloaded the Firefox 3 beta for MacOSX. I hadn't gotten around to downloading it before, and I had been quite happy with 2.x. Well, version 3 rocks. It looks great, renders great, loads faster than 2.x, it's available for all platforms. Now that's a fine bit of innnovation, right there. So where does this innovation come from? It isn't in the top 10 budget of R&D investments of the above-stated companies, that's for sure.

This type of innovation is in my opinion the real thing - this is what keeps Microsoft, IBM, HP, and all others on their toes. Besides Firefox there's of course Linux, FreeBSD, GNU, OpenOffice, OLPC and what not. Without such projects, I'm sure that Intel and Microsoft would never have jumped on the wagon of low-cost computing platforms for third world countries. Similarly, as I'm no stranger to self-flattery, I think that without Crossroads and other load balancers, Cisco would have never lowered the price of their stuff.

But it's not about forcing the lowering of prices. It's not about denying companies their profits. What is is about, is providing good qualiy and low-cost software to everyone. The era of exclusive software, where a good text processor was like caviar, is over. Software is nowadays simply the food, water, and electricity of every-day life - a commodity product. Everyone uses it, everyone relies on it, and everyone should be assured that it's good and wholesome, just like you can rest assured that your tap water is fit for consumption. Free software Magazine has even made educated guesses as to what software will be become more of a commodiy next year - the predictions range from more document integration to gaming, office applications and multimedia.

The days of exclusivity of software are gone, and for that matter, huge license fees are a thing of the past. We're all willing to pay a few bucks for Apple's iWork, 'cuz it gets us a nice DVD and a booklet. But who in their right mind will pay 800+ euro's for a DVD with Microsoft Office Pro, with OpenOffice 'round the corner?

Some big companies think that other companies are their main competitors. Other, smarter, big companies think that open source software is their competitor. I think that the market has simply changed - there is no competitor to blame. Good software is a commodity. We're so dependent on it, that it should in fact be added to the Bill of Rights: "Everyone should be entitled to good, working software." Just as everyone should receive to health care, should be able to get a job, should be free of discrimination, and so on.

So I, as a consumer. Should I support certain companies, should I get products from HP, Cicso or Microsoft? In my opinion, no, unless they produce something that I really want. They do not drive innvation, their goal is to keep software exclusive - as opposed to commodity. They don't deserve my support unless they "do good".

'Nuff ranting. Off to bed now.

Corporate bs generator

Sun, 13 Nov 11 13:33:05 +0100

Yesterday, EvR / [BOFH]Basilisk showed me a neat file with totally meaningless phrases which are perfectly usable to generate those annoying company-wide e-mails to inform all employees of the newest-and-bestest things that management came up with.

Unfortunately, there was only the file with the phrases - and not the generator itself. That's not right! But fortunately it can be easily corrected.

But how good are computers at generating BS? Will they ever be as good as humans? The generator is a neat start, but it has a long way to go before it can match Yahoo's mail to all employees. Ah there's a fine read..

Even the Vatican has to adapt

Sun, 13 Nov 11 13:33:05 +0100

Even the Vatican has to adapt - eventually. The BBC reports that the Vatican, or more precisely the Vatican Observatory, states that extraterrestrial life may exist, and that it might've been created by God. According to the director of the observatory:

"Just as there are multiple forms of life on earth, so there could exist intelligent beings in outer space created by God. And some aliens could even be free from original sin."

Wow! Free from sin! That must be cool.. 'cuz we are all hampered by the Adam and Eve's original bad idea of eating apples. That's why we've been cast out of the Garden of Eden, right? That's why we're condemned to suffer anything from outright catastrophes (like the earthquake in China) to daily nuisances (traffic jams)! Finally, it all makes sense.

So how about previous blatant mistakes of the Catholic church, like the condemnation of Galileo's heliocentral model of the universe? "Mistakes were made, but it is time to turn the page and look towards the future." Ah.

And what about the statement that the Earth is about 10.000 years old, and that evolutionary evidence like fossiles were placed in the Earth's crust just to annoy scientists? Another mistake?

Now many more mistakes will have to be admitted to support an -albeit changing- Catholic thought model, while much more plausible models for the Universe exist? Why should we blindy trust some ideas about an All-knowing Supernatural Being, while science provides models that are more logical, open to discussion, and -best of all- open for experimental verification? Guess I'm just an atheist. Or just too stupid, which would make me an agnostic.

What is it that keeps people running home to supernatural concepts whenever they see things they don't understand?

Big Brother is watching your dog

Sun, 13 Nov 11 13:33:05 +0100

Given my predisposition for privacy-related issues: this is too good to skip. A few days ago, CNET reported on the effectiveness of closed-circuit TV (CCTV) systems in the UK (which incidentally has the most camera's per capita, and is in that sense the Biggest Brother, ever since the let's-do-all-we-can-to-fight-terrorism panic of the last years).

Guess what.

The camera's didn't help in terrorism-related crime fighting, which is their prime purpose.
They helped on only 3% of the 'normal' crime cases. A very meagre result.
They did help in a number of other obviously very important situations. Here's a few examples of their usage:
- Investigation of littering;
- Checking the misuse of disabled-persons parking passes;
- Verifying damage claims;
- Spying on a person who'd called in sick;
- And the best ever: park surveillance to check on dog fouling.

So basically, a multi-billion installation of CCTV circuits, with trained and qualified personnel watching the images, changing tapes, archiving data carriers for long periods and what not, is used to check whether British dogs shit in parks. Bloody brilliant.

From the article: "Is this surprising? Not really. Just as we've seen in the U.S., once law enforcement and intelligence agencies are given new unchecked powers, abuse tends to happen. The more secretive and unchecked the powers, the more widespread the abuse." In this case we're simply lucky that the 'abuse of unchecked powers' is directed at dog shit. So far.

666 all over the place

Sun, 13 Nov 11 13:33:05 +0100

Ooh my! The Devil's Number is creeping up on us! Read on Slashdot:

"The estimated population of the world will pass 6,666,666,666 today. No doubt an interesting number for people everywhere (not referring to any religion connotations). [...] An interesting coincidence, the estimated number of available IPv4 addresses is getting very close to 666,666,666. It should cross over today as well."

And what's more... if you live in the Netherlands, there is probably a number 6 in your telephone number! (Dutch phone numbers have 9 significant digits, and 1 - 0.9⁹ is 0.61258, so that's a 61% chance...)
Update: There's even a 6 in that 61% chance! Aargh!

Security and privacy are incompatible

Sun, 13 Nov 11 13:33:05 +0100

"If you want more security, you'll end up with less privacy." Sure thing, Tony. Unfortunately many institutions would have us believe this. Maybe they actually think it's true, maybe it's because once we stop disagreeing, lots of privacy-decreasing measures can be effectuated, without all the nagging. "If you're pro-privacy, you must be anti-security!" Yeah, right.

From the recent news: US government agencies will start collecting DNA of everyone who's gets arrested, whether brought to trial or not, whether found guilty or not -- so reports Yahoo. Apparently the permission to do so was passed long ago in the 911 aftermath, when just about anything was allowed, as long as it would be good for security.

So why does a good doorlock increase security, while it's not privacy-related at all? Why do good seat belts and airbags increase my security while driving, while they are in no way related to my persona when they are fit into the car? I'll even bet that seat belts and airbags have saved more lives than all anti-terrorist measures put together.

It's a sad thing that Joe Average isn't impressed by the lives that are saved by seat belts, but instead is frightened by drive-by shootings and terrorist attacks. If he'd look at things from a rational perspective, he'd see that money spent on DNA databases and no-fly lists is basically wasted. Has anyone wondered how many lives insulin has saved, and how much each saved life has cost, as opposed to the moneypit of so-called security measures that don't help at all?

And I've not even begun fulminating about the privacy impact of DNA gathering, of retaining flight data, mindless logging of website visits, the grave effects of identity theft and/or mistaken identities. Who's to guarantee that the DNA database won't be leaky, that it will be handled by trustworthy, reliable and responsible personnel, that it's security technology will state-of-the-art, so that data exposure will never occur?

I bet that the same agencies who have initiated the DNA store will vouch for its security. Here's another recent news bit. The Oklahoma Dept. of Corrections had a data store of sexual offenders, with a nice web frontend. The Daily WTF has a great article on this. The site had plain SQL in the URL's of the pages.. as in:

http://docapp8.doc.state.ok.us/pls/portal30/url/page/sor_roster?
 sqlString=
  select distinct o.offender_id,doc_number,o.social_security_number,
                  o.date_of_birth,o.first_name,o.middle_name,o.last_name,
                  o.sir_name,sor_data.getCD(race) race,
                  sor_data.getCD(sex) sex,l.address1 address,l.city,
                  l.state stateid,l.zip,l.county,
                  sor_data.getCD(l.state) state,l.country countryid,
		  sor_data.getCD(l.country) country,
		  decode(habitual,'Y','habitual','') habitual,
		  decode(aggravated,'Y','aggravated','') aggravated,
		  l.status,x.status,x.registration_date,
		  x.end_registration_date,l.jurisdiction
  from registration_offender_xref x, sor_last_locn_v lastLocn,
       sor_offender o, sor_location l ,
       (select distinct offender_id
        from sor_location
	where status = 'Verified' and upper(zip) = '73064' ) h
       where lastLocn.offender_id(%2B) = o.offender_id
         and l.location_id(%2B) = lastLocn.location_id
	 and x.offender_id = o.offender_id
	 and x.status not in ('Merged')
	 and x.REG_TYPE_ID = 1
	 and nvl(x.admin_validated,to_date(1,'J')) >=
	     nvl(x.entry_date,to_date(1,'J'))
	 and x.status = 'Active' and x.status <> 'Deleted'
	 and h.offender_id = o.offender_id
  order by o.last_name,o.first_name,o.middle_name
 &sr=yes

(BTW I formatted this crazy URL. Just had to see what's inside for myself.) Now this is a true WTF. What were those developers doing when they wrote this? What were they thinking?

So the Oklahoma Dept. of Corrections brought a website live with a totally open portal into its database, filled with privacy-sensitive data. And at the same time, largescale DNA gathering is supposed to be a good idea, and no, it's not a waste of money, and yes, the security around it will be state-of-the-art. Sure thing, Tony.

Unfortunately I'm not just flaming USA-related stuff. If only things were that simple. These stupidies arise all 'round us, no matter on which continent you are. There's no escaping.

The Hallmark E Card

Sun, 13 Nov 11 13:33:05 +0100

Suddenly there's a great Hallmark E-card in my inbox. Ah, how nice. Someone's thinking of me.

Hmmm.. I wonder who that is. Being the cautions netizen that I am, I of course check whether it's the real thing. Let's see what the "send one" link is about.

The link leads to hallmark.com. Hmmm. Looks authentic 'nuff.

Ok, let's check the "view" link then. Whoops! The site h1.ripway.com doesn't sound like hallmark! Oh my, is someone trying to trick me into clicking on a link and infecting myself?

And then of course curiosity gets the better of me. I wonder what that URL http://h1.ripway.com/telnet/tender.scr is about? So let's try wget -SO- http://h1.ripway.com/telnet/tender.scr | more....

ROFLMAO, the sods who are spamming this crap have run out of bandwidth. That's not the way to Global Domination you l33t l0z3rz.

Crosroads Solaris port is out

Sun, 13 Nov 11 13:33:05 +0100

The latest version of my pet project Crossroads, version 1.79, is finally out. Oh how I struggled to get a good Solaris 10 port out! (Thanks go to Oleg D., for his feedback and tireless testing!)

Anyway it's finally there. The subtle differences between Linux and FreeBSD (MacOSX) on one hand, and Solaris on the other hand, have again surprised me. There are some basic implementation differences, e.g., on Solaris you can't getrlimit(RLIMIT_MEMLOCK), it just isn't there.

Plus, the handling of NULL pointers under Solaris is way stricter. Lenient systems will allow you to syslog(loglevel, "%s", nullpointer) (where of course nullpointer is a null pointer ;-). The logged message will simply state "NULL". Not Solaris. It isn't lenient at all. It crashes with a segmentation fault. Ah well, that will teach me to avoid sloppy programming.

Identity theft can cost you dearly

Sun, 13 Nov 11 13:33:05 +0100

Today the BBC reported how identity theft can cost you more than just cash. Simon Bunce used to shop on the Internet using his credit card, and fell victim to identity theft. He only found out after his credit card details showed in payments related to child pornography.

Simon's nightmare was about to start. He was arrested by the British police, lost his job, was cut off by his relatives, and almost had to sell his family home. The police was taking months to investigate, so finally Simon took matters into his own hands. He obtained the records related to his case, and found out that the IP address where his credit card details were misused, was located in Indonesia. The child pornography related purchases were made at the same time he was in a London restaurant, using his physical credit card.

So finally he was able to convince the police that he had fallen victim to a case of identity fraud. Too late. He managed to find another job, but earns only 25% of his former salary.

The moral of the story?

Credit card details != A living person
Everyone assumes that if your credit card number shows up, then you must've purchased something. Not necessarily true. The police, Simon's employer and his relatives had found him guilty based on this assumption, which turned out to be a false one. My prediction is that we'll see an increase in the percentage of mismatches between an electronic data trail and a physical identity. Identity theft is on the rise, and therefore, the reliability of electronic data is going to decline.

People don't like uncertainty, that's the problem right there. It's much more convenient to assume that a log record of an electronic transaction is simply "the truth", while in fact it's only an observation, with a chance of being false positive, and with a chance of being false negative. We should start thinking of electronic data in the same manner we think of medical symptoms: fever may mean that you've caught a flu, but doesn't have to. And you may have a flu without running a fever.

In the case of the reliability of electronic data trails, the path gets even more slippery. The chance of hitting a false positive is not a fixed one: it will increase as identity theft occurs on a larger scale, it may decrease as we find measures aginst such thefts, and I'm sure it's dependent on a variety of other factors.

In Simon's case, it's pretty obvious that neither the police, nor his employer, nor his relatives thought this way - even despite the graveness of the accusation. In my opinion at least the involved police officers should've used their brains; they are supposed to be the professionals here. The idiotically simple proof of innocence that Simon Bunce finally delivered himself, should have been delivered by the police, long before making accusations.

Crossroads can already do that

Sun, 13 Nov 11 13:33:05 +0100

I received a very nice mail from Hamza S., about Crossroads:

Good to see that the Crossroads website is back online. Thanks for
sending the documentation earlier; it helped a lot. We are now using
it in a test environment and should be going to production soon.

During our tests, we came across one feature which would make
Crossroads a very formidable option for load balancing solutions.
(Please remember that this option may already be in there but we
missed it.) What do you think about adding IP awareness? For example,
in our case we have two different websites running on two servers each
and we are load balancing between those two servers. On each web
server we run two sites on two different ports. If Crossroads could
listen for the same port on two or more IP addresses, it would allow
users such as us to run two or more sites on the same server on the
same port but different IP addresses. Then Crossroads would listen to
port 80 on one IP and forward it to another, while also listening on
port 80 on another IP and forwarding it to yet another IP.

Hmmm.. I had to think about it. I did implement a statement to bind to a specific address before, didn't I? It was actually for security reasons: one could bind the Crossroads daemon to e.g. 127.0.0.1, so that external calls would not be serviced. I was wondering: would this work for Hamza's purpose?

I ran a small test on my server which has one network address card, configured at 10.1.1.1, and a virtual IP address at 10.1.1.2. Here's the Crossroads configuration:

#define DEBUG yes

service google {
   verbosity DEBUG;
   port 30000;
   bindto 10.1.1.1;
   backend g {
       verbosity DEBUG;
       server www.google.com:80;
   }
}

service etunity {
   verbosity DEBUG;
   port 30000;
   bindto 10.1.1.2;
   backend e {
       verbosity DEBUG;
       server www.e-tunity.com:80;
   }
}

And guess what.. it just worked! The URL http://10.1.1.1:30000/ yielded the Google site, and http://10.1.1.2:30000/ the e-tunity site. Wow. This is the first time that someone asks about a new feature in Crossroads, and it's already in there. Thinking about it, I must even admit that this is the first time that someone asks about a new feature in any of my programs, and it's already in there. Celebration!

A dagerous safari

Sun, 13 Nov 11 13:33:05 +0100

Disturbing news for us Mac users.

At the latest CanSacWest conference in Canada, a MacBook Air was the first system to be hacked. (The proud winner of the contest, Charlie Miller, got to keep the MacBook plus a cheque for 10k$). The MacBook fell pray to its attackers after they were allowed to work on the system itself; previous network-only attacks had failed. The exploit used a vulnerability in Safari 3.1.
Safari, Mac's standard browser, has been identified having several security holes. Most were related to the rendering engine - an open source component, of which a too old version was used in Safari. Due to this, Windows ports of Safari were known to be unstable and defective.

So now it would appear that MacOSX versions of Safari are leaky too. What a bummer. Fortunately my favorite browser is still Firefox, which runs great. But just out of curiosity.. what was the nature of the hack? I'm assuming that the embedded library in Safari was tricked into a buffer overrun situation, with a stack smash that started /bin/sh as a root process? Love to know...

Moral of the story is I guess, that it's great to use open source components - but just as with closed-source, you just can't disregard new versions when they come out.

Why some Java J2EE projects are inefficient

Sun, 13 Nov 11 13:33:05 +0100

This morning I received an unexpected mail message from Iwan E., one of the architects I'm working with. We sometimes exchange ideas about how things are, and how they should be, regarding the software development processes at our customer.

Why some of the Java EE / J2EE projects are inefficient
... or at least suboptimal

   1. Architects are more skilled in PowerPoint, than popular Java
   IDEs (OpenOffice ist still rare in real world :-))
  
   2. It takes several DVDs, sometimes hours, even to install the
   basic infrastructure (like appserver and database)
  
   3. Some popular servers take several minutes to start and deploy -
   you have to repeat this procedure several times a day
  
   4. It takes longer to open a case (and reproduce a problem) for a
   bug of the appserver, than fix it by yourself (of course if you had
   the source :-))
  
   5. It is hard to find developer hardware, where the "enterprise"
   development tools run efficienlty - ...and because they were
   expensive, it is hard to get rid of them...
  
   6. The architects love layers and tiers - several mapping
   procedures are needed just to pass a persistent entity from the
   persistent layer to the presentation
  
   7. Everything is configurable, replaceable and mockable. The XML
   overhead is huge. The question is: When did you really needed to
   replace something in your passed projects?
  
   8. Either it is waterfallish, or agile with all buzzwords and
   strange rituals. Both sides could be extremely inefficent. It seems
   like sometimes it is hard to be just rationale...
  
   9. Developers are sometimes too extreme: either everything is
   overengineered with millions of patterns or best practices, or
   hacked down in "go to spaghetti" fashion
  
  10. "The thrill is gone..." many developers, architects and managers
  just lost they enthusiasm and passion. This is one of the main
  reasons, why many projects are just so inefficient...
  
  11. HA, Clustering, etc. is used even for "guestbook-like"
  applications. Complexity rules!
  
  12. Strange QA rules (like documenting obvious getters/setters)
  drive the development and maintenance costs

I should like to add #13, which is totally politically incorrect:

13. We are stuck with herds of junior developers instead of a handful experienced developers and engineers. The corporate rationale is that juniors are cheaper, and everything is manageable anyway. The fact is ignored that small self-managing teams of cracks are better, more efficient and faster. In fact fewer better developers would lead to on-time, better and cheaper applications.

The Hummingbird

Sun, 13 Nov 11 13:33:05 +0100

About half a year ago I spoke with my collegue Michel Geerink about digital photography. Whilst swapping war stories, he told me that he had a great shot of a hummingbird in midflight. It was with his Canon EOS350D, exposure 1/400sec, and a 400mm lens at F7.1.

Yesterday he mailed me the photo. Great work!

Click the image for a large view.
Copyright (c) Michel Geerink

The Easter delusion

Sun, 13 Nov 11 13:33:05 +0100

This weekend I read an interesting interview in the NRC, a Dutch newspaper with probably the best reputation in our small country. They interviewed Richard Dawkins, a British scientist and atheist, author of the book "The God Delusion", who is often seen as a rabid anti-religionist. In the article Richard Dawkins retored: "Do I look like a militant? Do I sound militant?" No, indeed he doesn't. He rather looks like an English gentleman. But the article's title suggests otherwise: "Jesus would now be an atheist".

Richard Dawkins appears an anti-religionist on two fronts: One, he's a true scientist, and a Darwinist. Any theory that claims that the Earth is less than 10.000 years old, is therefore discarded. Two, he fights any theory that hampers education and free thinking, like the all-too-well discussed Creationism ("Intelligent Design") that we too often see in the USA.

Personally, I couldn't agree more. Has religion outlived its usefulness, which it undoubtedly had centuries ago, when it helped structure lawful communities?

Coincidentally during this Easter weekend we visited a good friend, who lives in the countryside, and had a great time. There were 7 adults and 10 kids ranging from 6 months to 13 years, all hanging out 'round a great pyre and enjoying good food, drink, music and company. At one time the subject turned to the origin of the Easter festival. Hmmmm.. let's see what we can find here.

The Jewish religion celebrates the exodus from Egypt and liberation from slavery. "Pesach" probably refers to the sacrificial lamb. Pesach-derived terms are still widely used, such as "Pasen", the Dutch term.
"Easter" and its German counterpart "Ostern" are probably derived from the goddess Eostre (Eastre, Ostara), a Germanic paganistic goddess of dawn. Her feast would be celebrated around the spring equinox and would welcome the warmer season. During the feast, huge bonfires would be lit to chase away the dark spirits of winter, to welcome the light and to welcome the fertility that the coming spring would bring.
Also associated with fertility, are Easter eggs (and bunnies). What better symbol of new life could one find? In Slavonic countries, there are even associated traditions of men visiting women for the obvious purpose of courting, and being payed by beautifully painted Easter eggs.
Finally there's of course the Christian religion, which celebrates Jesus' resurrection. Easter holidays end a period of 40 days of fasting and repenting, during which probably not even eggs could be eaten. Maybe that's why the 'old' eggs would get painted, and during the feast one could safely eat the new ones?
Easter holidays are typically somewhere between the end of March and the end of April. How come? The 'algorithm' to compute the date is quite complicated:
- Take the date of the spring equinox (March 21st in the Gregorian calendar),
- Wait until the first full moon,
- Wait until the first Sunday after that,
- And that's your Easter Sunday.
How complicated! This doesn't mix too well with Sun-based calendars, like the Julian or Gregorian ones.

So there we are. When we celebrate Easter, we paint some eggs because in ancient times they would have expired their freshness date. We eat other eggs, because they're a symbol of fertility, light and spring. We build bonfires, because the old Germans chased away spirits with fire. We call it Easter holidays, because of a paganistic goddess. Or we call it "Pasen" because of a Jewish feast. The date is never the same because instead of being calendar-related, it depends on the moon cycle.

And we call all this a Christian holiday. I'm pretty sure that the early Christians modelled their feast so that it would coincide with other paganistic feasts of that period. That's the best way to compete with others: make sure that your feast is on the same date, and make sure that your feast incorporates some elements of the others (eggs, bonfires, the name) - and before you know it, you'll have more followers than you can count.

Ah well. Personally, I don't really believe in Eostre, Eastre or Ostara. So call me an atheist. But I do know that I don't need an excuse to hang out with good people around a nice fire while sipping wine.

McAfee detects mass hack of 200.000 webpages

Sun, 13 Nov 11 13:33:05 +0100

Part of the article. Edited for brevity.

Today I read at the ITNews website that McAfee detected a mass hack of unprecedented size. Some 200.000 pages were infected! The first 'mass hack' only affected some 10.000 pages, so that this second once appears 20 times larger. It seems to affect the PHP-based phpBB forum system.

I was intrigued and read on. "[The phpBB attack] relies on social engineering The infected pages bring up what appears to be a pornographic web site. Upon loading the page, a 'fake codec' social engineering attack is attempted. The user is told that in order to view the movie on the page, a special video codec must be installed. The user then downloads a trojan program which installs a malware package on the users system then delivers a fraudulent error message telling the user that the supposed codec could not be installed."

Hey, that's odd. I wrote about this type of spam more than a month ago - and I suggested how to fight it. The above quoted description of the attack is furthermore quite off, or incomplete to say the least. The attack vector is as follows:

On a phpBB board, users create profiles. They can optionally enter their ICQ number, their hobbies, and so on - and also a 'homepage' URL.
Distributors of malware register their name, and enter the homepage field, and they make sure that this field points to a site that is controlled by them or by their organization.
Other users may see this profile, and click on the homepage URL.
In the case of the 'second hack wave' that's described here, the homepage is a porn site that tries to get their visitors to download a 'viewer', which is in fact a trojan.

So what's the matter here? In my opinion, this 'second wave hack' is not a true hack of webpages. Rather, it's a spam-like attempt to get unsuspecting users to download a trojan. It's just spam, but in a different format. All social networking sites that allow users to self-register and to specify personal information, are potential distribution channels. The sites themselves aren't hacked; the attack is on a meta-level.

For example, imagine that on some social networking site, users can see each other's email address. Then a similar attack vector is to obtain e-mail addresses of all subscribers, to send them the trojan as attachment, and to hope that they click on it. Here also the site is only a distribution channel: this would not be a hack of the SMTP (e-mail) protocol. Neither is the above described 'second wave' a hack of phpBB based forums. A better description would be: "This attack relies on social engineering. It uses social networking sites (in this case: phpB forums) to entice users to download malware."

Furthermore, what bothers me, is that no information is provided as to what the number 200.000 means. I suppose that it means that the attackers ran scripts which in registered some 200.000 users with a homepage link leading to a malware site. Is that a lot? As compared to what - the total number of spam messages on websites, or as compared to the total number of spam via e-mail? Should we fight it? (Yes of course we should, even if we don't know the exact spread. See my previous article.)

But how many phpBB users have actually clicked the link? How many have actually downloaded the malware trojan? That would be ultimately the effective number to classify this attack. Alas, I don't know.

What I do know, is that security-wise we should be painfully aware of how attacks work, what the exact details are, and how we should make the public aware of threats. It's no use to warn the public against phpBB forums; unsuspecting users will avoid phpBB and will be enticed into downloading malware via other methods.

More predictive statistics

Sun, 13 Nov 11 13:33:05 +0100

A while ago I wrote about some wrong statistical conclusions. Here's a nice one to add to the list.

If you want to collect evidence of monsters, then go live on an island and name it something that starts with "New".

The rationale is here: The only scientifically proven "monster" is the giant squid, or Kraken. Its remains statistically wash up most frequently on the shores of New Zealand and Newfoundland.

Backwards conclusions even on Slashdot

Sun, 13 Nov 11 13:33:05 +0100

Today I saw a quite unfortunate entry on Slashdot:

I see such backwards conclusions only too often. The quoted study says that an experiment (which ran from 1976 to 1980), in retrospect shows different characteristics between one group that had cats, and another group that didn't. And then the article concludes that having a cat influences those characteristics! What a blatant amateur error!

These errors occur frequently in newspapers and magazines, if you look closely enough. Correlation is mistaken for cause and effect. In some papers or magazines this will be purely for the effect of bold headlines that sell copies. But alas, now this error has also shown up on Slashdot. Shame on you, /.!

Incase you're interested: Statistically, you can only claim a cause and effect relation if you randomize your testing group regarding the presence or absence of the factor you're investigating. In this case this would mean that in 1976, half of the sample group would have been assigned a cat and half would have been forced to live without one. Then, years later, the two groups would have been compared with regard to the occurrence of heart attacks. This obviously didn't happen in this study; therefore, there may be other relevant factors which aren't discussed at all. For example: did the people with cats live in the countryside, enjoying a laid back life style, while the people without cats lived in large cities, ratracing every day? That might be a more plausible explanation for heart attacks than having a cat!

That's why randomising your population is so important. It distributes all other effects (even those we can't yet think of) evenly over the two groups. It's even better when you can do this blindly: the sample population with the factor 'cat' wouldn't know it, and neither would the sample population without the factor (though as a subject in the study, it would be kind of hard not to know that you have (or don't have) a cat at home). And just to state the obvious: it's best when neither the subjects nor the investigators know whether the factor was applied. That's a double blind experiment.

Medical literature has numerous examples of experiments where correlation gets mistaken for cause and effect. One of the more famous blunders was the conclusion that living in slums causes schizophrenia. By the time the results were made public, the damage was already done. It took years to correct this fault; closer investigation showed that schizoid personalities are drawn to slums and will preferably live there (as opposed to e.g. suburbia).

For all who don't like to use their brains, but instead like to rely on mindless headlines, here are a few more 'conclusions':

Make your kids listen to Mozart. They will have better school grades. (No kidding! There used to be people who made their kids listen to Mozart because they believed this.)
Don't be poor. You will have a higher chance of being killed in a crime. (Ah. So if you live in a bad neighborhood and win the lottery, that suddenly makes your life safer? Hmmmm... On this individual basis, quite the opposite might be true!)
Stay young, you will have better teeth. (Yeah, let's not grow old anymore.)
Be white, instead of black. You will have an overall better health. (Again, large-number statistics, collected a-posteriori, applied predictively to individuals. In the same vein: Get straight short black heir, a yellowish complexion, call yourself Li, and you'll get better math grades.)

A fractal photograph

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I saw a nice article on Sciencenews.org about mathematical visualisations. Lots of such visualisations are of course based on fractals. That's why - I find - one of the nicest onces was a picture of Waclaw Sierpinski, one of the 'founders' of fractals and inventor of the Sierpinski carpet. According to the article:

"To create a Sierpinski carpet, take a square, divide it in a tic-tac-toe pattern, and take out the middle square. Then draw a tic-tac-toe pattern on each remaining square and knock out the middle squares of those. Continuing forever will create the Sierpinski carpet."

The photo is of course composed from such carpet fragments.

Kaprekar revisited

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I wrote about Kaprekar numbers. Just an hour later I received this mail by Eddie:

"Ah. I saw your blog entry about your Kaprekar numbers. With a proggle... I tried it out right away. Don't want to nag, but you can optimize that proggle somewhat."

What news! Flabbergasted, I stare at the mail. First of all, Ed uses a fantastic term for little scripts: proggle. That's here to stay, Ed! Second, Ed suggests an optimization. Hmmmm... Let's be very careful here. The famous DE Knuth already remarked that "premature optimization is the root of all evil". Ed suggests to optimize:

"Instead of

    $sum   = $left->copy();
    $sum->badd ($right);
    return ($nr->bcmp($sum) == 0);

you might also:
$left->badd($right); if ($nr->bcmp($left) == 0) { $sum = $left; $left = Math::BigInt->new($leftstr); return 1; } return 0;
I'm removing a copy which you always perform, and I introduce a penalty (for the rare case that you find a Kaprekar number). The difference is but a few percents, but still..."

I cannot delay! I need to test this right away. Is it a meaningful optimization? I quickly hack together two scripts: kaprekar1 which is my old version, and kaprekar2, with Ed's optimization proposal. The new scripts take a start and end value as arguments, so that I can better compare timings.

I fire up the two versions, using time to check.. and...

Method	Timings
	Real	User	Sys
kaprekar1	1m1.039s (61.039s)	1m0.724s (60.724s)	0m0.080s
kaprekar2	0m58.890s	0m58.637s	0m0.091
Speedup	3.5%	3.4%	n.a.

Brilliant! Yes, the difference is but a few percent, but still. That should teach me! Every often-repeated code snippet, even in Perl, is a candidate for optimization, always.

Onward to the next proggle!

(Oh, incase you're wondering what the Kaprekar numbers are up to 500 million: 9 45 55 99 703 999 4950 5050 7272 7777 9999 77778 82656 95121 99999 318682 329967 351352 356643 390313 461539 466830 499500 500500 533170 538461 609687 643357 648648 670033 681318 791505 812890 818181 851851 857143 961038 994708 999999 4444444 4927941 5072059 5555556 9372385 9999999 36363636 38883889 44363341 44525548 49995000 50005000 55474452 55636659 61116111 63636364 69115816 74747475 75247525 80226927 80726977 83409436 86358636 88888888 91838088 94520547 99999999 332999667 432432432. That's it, I'm not generating any more, have 'nuff of 'em now.)

Kaprekar numbers

Sun, 13 Nov 11 13:33:05 +0100

This morning I awoke painfully aware of yet another totally useless bit of information in my head: Kaprekar numbers are integers, where you can take the square of the number, chop it in two parts, add the parts, and that sum yields again the number you started with. This prompted me to verify this bit of information in David Wells' Penguin Dictionary of Curious and Interesting Numbers, and yes, it's how Kaprekar numbers work.

For example, 9 is a Kaprekar number: the square is 81, and 8+1 is again 9. Also, 45 is a Kaprekar number: the square is 2025, and 20+25 is again 45. These two numbers (9 and 45) are incidentally the smallest Kaprekar numbers.

So far so good. I got up, had my coffee, started work.. and got dragged into a phone conference. I couldn't hang up, I couldn't concentrate on real work.. now what. Let's doodle!

Here is the result: a little Perl script that goes from 1 upwards, and checks for Kaprekar numbers. The first version I had, was with 'normal' Perl number handling, but that soon grinded to a halt, as squares overflowed. So here's a version with Math::BigInt which performs quite well, I must say. Just for fun, there's an alarm handler which shows every 10 seconds at which number the script is. Otherwise I might get suspicious that it doesn't work at all and stop it...

#!/usr/bin/perl

use Math::BigInt;
use strict;

$|++;

my $nr     = Math::BigInt->new('1');
my $square = Math::BigInt->new();
my $left   = Math::BigInt->new();
my $right  = Math::BigInt->new();
my $sum    = Math::BigInt->new();

local $SIG{ALRM} = sub {
    print ("Now at ", $nr->bstr(), "\n");
    alarm (10);
};

alarm (10);
while (1) {
    print ($nr->bstr(), ' is a Kaprekar number: sq=', $square->bstr(),
	   ', left=', $left->bstr(), ', right=', $right->bstr(),
	   ', sum=', $sum->bstr(), "\n") if (kaprekar());
    $nr->badd(1);
}

sub kaprekar {
    $square = $nr->copy();
    $square->bmul ($nr);

    my $len = $square->length();
    return (undef) if ($len & 1);
    
    my $str      = $square->bstr();
    my $leftstr  = substr ($str, 0, $len / 2);
    my $rightstr = substr ($str, $len / 2);

    $left  = Math::BigInt->new($leftstr);
    $right = Math::BigInt->new($rightstr);
    $sum   = $left->copy();
    $sum->badd ($right);
    
    return ($nr->bcmp($sum) == 0);
}

Aah, just great. Now I know that 9 45 55 99 703 999 4950 5050 7272 7777 9999 77778 82656 95121 99999 318682 329967 351352 356643 390313 461539 466830 499500 500500 533170 538461 609687 643357 648648 670033 681318 791505 812890 818181 851851 857143 961038 994708 999999 4444444 4927941 5072059 5555556 9372385 9999999 is the series of Kaprekar numbers up to 10 million.

And above 10 million, 36363636 is another one. I think that'll be my favorite. Always wanted to know that. Another bit of useless information has been inserted into my brain.

A tale of the criminal ineptitude

Sun, 13 Nov 11 13:33:05 +0100

Today I overheard a story on the Dutch radio, which I'd like to share.

A while ago, a burglary occurred in the Singer museum in Laren, NL. The burglars stole a few bronze statues which they wanted to melt for copper to make a quick buck. With today's high copper prize, recycling can be a very a profitable business. These guys had obviously a fairly loose definition of "recycling".

Unfortunately for the burglars, recycling paper is not in their vocabulary. On the crime scene, police found a torn up printout of an itinerary from one of the burglars' home to the museum. The police proceeded by taping together the paper scraps and retracing the route.

The burglars were apprehended. Today they were sentenced to 4.5 and 4 years in prison, respectively. The statues were returned to the museum. One of them, Rodin's "The Thinker", was unfortunately damaged.

Irritating Selfregistered users in PHPBB

Sun, 13 Nov 11 13:33:05 +0100

In my spare time, I host and administer a small phpbb forum. Visitors can register their user name, a forum administrator can then activate them, and they can participate in the forum information exchange.

So far so good. But in these modern times, loads of unwanted users self-register to advertise porn sites, which is something I don't want to see on my forum. Besides, such "users" are no more than robots who in their mechanical dumb fashion create the same-o same-o crap entries over and over again. The user entries consistently show a URL in the "user homepage" field that leads to porn sites. These sites in try to seduce the visitor into downloading their "viewer". Yeah right. Sure, we're all going to download that executable and run it on our system...

Nevertheless, I don't want those users in my database. Fortunately, fighting back is pretty trivial - a dumb, mechanical silly script is enough to push back those dumb, mechanical robots. Here's a little Perl script that does just that. If you want to use it, then proceed as follows.

Edit the '$db' variables at the top of the script and substitute your own values.
Try out the script, using '/path/to/script test'. It will show you which users would get deleted.
If you're satisfied, try the script more, using '/path/to/script go'. This will actually delete the unwanted users.
If you like it, add an entry to 'crontab' to invoke the script regularly. I run it each 10 minutes and that works perfectly.

#!/usr/bin/perl

use strict;

my $db = 'MyDatabaseName';
my $dbuser = 'MyDatabaseUser';
my $dbpass = 'MyDatabasePassword';
my @badwords = qw(porn penis orgy girls blonds nasty);

# Check arg list.
my $opt = $ARGV[0];
if ($opt ne 'test' and $opt ne 'go') {
    die ("Usage: $0 {test|go}\n");
}

# Create database connection.
open (my $of, "|mysql -u$dbuser -p$dbpass $db")
  or die ("Cannot start mysql: $!\n");

# Create the where clause.
my $where = 'user_active = 0 and (';
my $nbad = 0;
for my $b (@badwords) {
    $where .= ' or ' if ($nbad > 0);
    $nbad++;
    $where .= "upper(user_website) like '%$b%'";
}
$where .= ')';

# List what would be deleted.
print ("Where clause:\n",
       "$where\n");
print $of ("select username, user_website from phpbb_users where $where;\n");

# Run the delete.
if ($opt eq 'go') {
    print $of ("delete from phpbb_users where $where;\n");
}

close ($of) or die ("MySQL indicates error!\n");

B2B Spam in the Netherlands

Sun, 13 Nov 11 13:33:05 +0100

February 6th, and I'm again cleaning out some B2B spam. I've written about this earlier: besides consumer spam, business spam is now illegal in the Netherlands too.

And still I'm seeing such messages. Originating from a Dutch address, and about the same-o stupid things that you don't need - in this case a CD/DVD storage box. Sheesh.

Time to do something! So I surf to the Opta, the Dutch telecom watchdog, to log a complaint.

It takes me ages to find the right link, in this case to www.spamklacht.nl (literally: spam complaint), where I dutifully fill out a complaint form - being the cough good citizen that I am.

Guess what. At this time, complaints can only be logged by consumers. Not by companies...

Opta, please get your gear in order.

Surprising iSight Capture

Sun, 13 Nov 11 13:33:05 +0100

I recently wrote about iSightCapture, a commandline utility that I use to regularly snap the environment of my notebook. Funny thing is... it does just that, regularly make a snap. Which can lead to (not so?) surprising shots.

Breadcrumbs at WickedLasers.com

Sun, 13 Nov 11 13:33:05 +0100

After an interesting article on Slashdot I recently visited WickedLasers. Those guys sell a flashlight which is capable of setting fire to paper! Way cool, in a nerdish sort of way. On the downside, it eats batteries like crazy, you can operate the flashlight for about 15 minutes only, it seems.

Anyway, that's not what this entry is about. I am nerdish enough to appreciate such a flashlight, I am however also a privacy-minded person. While I was accessing the site, I got the following error:

Apparently they were having a small database problem - can happen, no big deal. But hey wait! Why would they be interested in inserting my host name into their table 'hosts'? It seems that they (a) picked up my IP address, (b) reversed it into a hostname, and then (c) tried to store it in a database, together with the access time ("NOW()"). I think that they're going to lengths to get this information. Especially the reversal of an IP address to a hostname is costly (in terms of processing time). It's not something you do just for fun; you only do that if you really really want the information. In my case, the last database-related step failed, which made this action apparent. If the database had not malfunctioned, my hostname would have been stored without me ever noticing!

Time for Mr. Privacy Concern to step up and ask questions! And so I did. The site lets you log tickets for the WickedLasers staff; so I went ahead and wrote one:

Within a day I received a friendly answer from Andrew Hammel of WickedLasers:

So yes, they do store the reversed host name. They are not trying to mask or deny it; and apparently it's just part of some shopping cart system they are using.

I decided that this is good enough for me at this moment. I don't fancy riding around on a skinny horse, engaged in crusades against windmills, and followed by a short guy on a mule. But it does illustrate some of my ideas:

Why does their shopping cart system need to store my hostname? Even more important: why did the attempt to store the hostname occur even before I made a purchase?
Is this some odd security feature to check that, in the event that I should make a purchase, I am still connected from the same originating address? If so, I think it's a bit weird feature.
How long are they storing my hostname? That question was -alas- not answered.
Also, they failed to answer my two questions regarding the protection of such data, against both external and internal parties.

Implementing a solid data privacy (and very much related: security) is not something you do on a system-by-system or application-by-application basis. It's not a "trick" that you use (or not). Rather, it's a state of mind. And while I do believe that the guys at WickedLasers are not malevolent, they don't appear to be in the same state of mind as I am. What I do believe, is, that privacy concerns will affect us all in the near future. Even the guys at WickedLasers.

iSight Capture Utility

Sun, 13 Nov 11 13:33:05 +0100

I recently stumbled upon a commandline utility that captures a still image from my Mac's iSight camera. The utility is appropriately called "isightcapture". Great! Just what I was looking for! Now I can automate capturing the environment once every while, and forwarding the image to a secure location. If my Macbook ever gets stolen, who knows - I might get an image of the thief!

(This is by no means a new idea. There's a snazzy utility called iAlertU that does the same thing. But it's commercial, scripted and depends on the GUI - not what I need. Orbicule seems to do the same thing. But hey, I can do this myself and have the full freedom of scripting! And apparently a MacBook thief was already caught using a similar approach.)

The original server where the capture utility was hosted, is now however down, so I'm providing the utility from this page. If you want to use it:

Download the archive iSightCapture.tar.gz.
Unpack the archive, using "tar xzf iSightCapture.tar.gz".
Read "iSightCapture/isightcapture.rtf" for more instructions.
Copy "iSightCapture/isightcapture" to a directory on your path, e.g. to "/usr/local/bin".
To snap an image, enter something like: "isightcapture picture.jpg".
If you want to snap regular images and upload them to a secure site, be creative! This post doesn't elaborate on that.

I've written the author regarding open-sourcing this utility. Who knows? I hope I'll be posting the source code later on. Enjoy!

This is me, testing "isightcapture". Whee, it works! Who's that looking over my shoulder?

The Male Brain

Sun, 13 Nov 11 13:33:05 +0100

In its Sunday edition of January 26th, the Dutch newspaper "De Telegraaf" (a.k.a. "De Fabeltjeskrant" - the fairytale newspaper) published the following story on its first page (the translation is fairly liberal due to my limited language skills):

"Male brain ignores women
Amsterdam, Sunday. The female voice is far too difficult to understand for most men. This is because a man must use his whole brain to decode a female voice. One small brain lobe suffices to decode a male voice, so have discovered British scientists.
Decoding a female voice is even so tiresome that a man would rather ignore it. The male brain can without difficulties shut itself off for high, shrieking tones. They understand only half of it anyway, so as far as they are concerned, they aren't missing much."

Usually I question such odd reports of so-called scientific experiments and results. But in this case, I'm willing to make an exception and accept these results without hesitation.

Searching for the next Uri Geller

Sun, 13 Nov 11 13:33:05 +0100

The Dutch commercial TV station SBS6 has reached yet a new milestone in its search for banality. Tonight a much advertised show is airing at 8pm, called "Who will be the next Uri Geller?" The Grandmaster himself will make his appearance in a series of shows where promising young psychics will be judged. "Already the most talked-about show of 2008!" Yeah right.

Let's not forget the true Grandmaster of the Uri Geller age: James Randi, founder of the Sceptic Society and famous buster of charlatans, pseudo-psychics and other make-believers who make their fortune by robbing the all-to-gullible public. For decades, Mr. Randi has been exposing tricksters who claim that they possess supernatural powers of mind. There is even the famous One Million Prize to be won: if you can perform some feat, which cannot otherwise be explained by scientific methods, then James Randi himself will give you one million dollars. There's a catch though - you have to perform your trick in a controlled environment, under scrupulous watchful eyes of cameras, trained personnel and sometimes James Randi himself. Should I add that no-one has yet won this prize, or is that obvious enough?

The following video is a very nice summary of James Randi's work regarding Geller, including comments by James Randi. There's one remark that Mr. Randi makes that really strikes home: "Why would you believe in psychic powers, when other explanations are much more plausible?"

Enjoy, stay sceptic, and use your own brain - don't rely on other people's mental powers.

If you want the full enchillada: here are four more videos on James Randi and Uril Geller.

Opt in for b2b spam

Sun, 13 Nov 11 13:33:05 +0100

January 23rd was a historic day in the Netherlands. Our government finally levelled rules on all unsollicited e-mail: previously, business-to-consumer spam required an 'opt-in' (subscription) by the recipient. Spammers who only provided an opt-out link in their mail would get fined. Unfortunately, when these rules were introduced years ago, business-to-business spam was somehow overloooked.

As of yesterday, the same rules apply to business-to-business spam. If you want to receive spam, you have to request it - whether you are a consumer, or act on behalf of a company. This might not seem like a big deal, but in my opinion, it is. The website of the Dutch Chamber of Commerce freely provides contact e-mail addresses of companies, which are abused by b2b spammers. "Advertise on our radio station!" "Buy cheaper DVD's!" "Would you like to reach 350.000 consumers at once?" Well, no more of that. The first mail spams that I receive are going to be forwarded to the Opta, the Dutch telecom watchdog.

Finally.

Bokito Revisited

Sun, 13 Nov 11 13:33:05 +0100

Here's a short, personal update about Bokito and especially the glasses.

Last holidays I was swapping funny stories with friends, and told about the famous glasses. The next day I got a little present.. I'm happy now.

Top Crossroads User

Sun, 13 Nov 11 13:33:05 +0100

Felix O. recently mailed me the usage data of their Crossroads installation.

The heaviest Crossroads user of the moment is a websearch company, who at the time of writing this (January 2008) runs over 5 million page hits per day via Crossroads. They are requests for dynamic pages, load-balanced using Crossroads' HTTP balancing. This is on average 60 Crossroads requests per second flat rate, climbing to approx. 250 per second. The same Crossroads instance also balances 300-500 database connections that carry approx. 50Gb of data. The Linux box where Crossroads runs, is 50% idle.

Encouraging, or what? I'm also working on the 1.7x series of Crossroads which optimizes the HTTP processing of TCP streams. The load on HTTP-related processing should be significantly lowered.

World of Warcraft Dancing

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I saw this really great vid on Youtube. It has fragments of real life dancing (from movies or videos) and features World of Warcraft characters dancing alongside. I'm just wondering: how did this vid come to be?

Either the person who made this, has no social life whatsoever. They've been matching real life movies with WoW characters until they got it right. Or I'm way off base?
Or this was an inside job. Someone from Blizzard supplied a list of movies and videos that had been used as a basis for the avatars' dancing moves. That would've made the matching way easier.

In any case, I admire the quality of this vid. The avatars appear to be dancing 'alongside' real characters. They're even dressed like the real ones! And are the female elves way hot, or what?

Justice dispensed better late than never

Sun, 13 Nov 11 13:33:05 +0100

The wheels of justice grind slowly, and ever so often they will grind a black grain to dust, even when it's way due. But better late than never. Here are two examples that at least I find encouraging. Both examples concern data exposure and privacy, two of my favorite subjects.

TellSell

TellSell lost about 30.000 credit card data because they failed to protect the data sufficiently. EMC, an European credit card clearing house, decided to cut them off. I suspect that the affiliated credit card companies were getting too much flak for fraudulent transactions. Anyway, last week, TellSell filed bankrupcy in the Netherlands.
Quite perversely, TellSell's logo are (were?) two cogwheels that are intertwined, but for no reason whatsover. They don't really do anything useful, do they?
Moral of the story: Get your data protection right, or roll over and die. Or in a broader sense: You may think that your primary business process is limited to selling kitchen knives. It's not. As soon as you start doing business over the Internet, your primary business process will extend to the whole palet of security issues, privacy, and what not. Better be prepared. Ignorance is not an excuse.
Hells Angels

A part of the legal proceedings against the Dutch Hells Angels were declared invalid. The Dutch General Attorney's office had tapes of illegal wire taps, and had been repeatedly warned against keeping such tapes. The tapes apparently held confidential information of conversations between suspects and their attorneys. The Dutch Justice Department had repeatedly warned the General Attorney's office, and had summoned them to stop this. When -again- tapes of such confidential conversations turned up in the files of the proceedings, the Justice Department declared the whole proceedings invalid.
This was a huge blow to the Attorney's Office. Had the Hells Angels not violated many laws? Were they not true suspects of society-undermining activites? They might. But the Justice Department showed balls here: get with the program, or you don't have a case. Kudos for taking this stand!

Jeremy Clarkson and Identity Theft

Sun, 13 Nov 11 13:33:05 +0100

It seems that identity thieves have a sense of humour.

A while ago there was a quite famous loss of 25 million records of British families who are entitled to child benefits, including bank account numbers. Jeremy Clarkson, BBC presentator and one of the guys behind my favorite car show "Topgear", didn't think it was quite such a big deal. "All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing." And he put his money where his mouth is - he published his bank account number and bank name.

Only a few days later, he wrote: "I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes 500 pounds from my account. The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again. I was wrong and I have been punished for my mistake."

Jeremy, you're a gentleman for admitting that your original statement was false.

Jeremy Clarkson continues: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." Amen! And in the same vein: are we going to rethink our position on privacy?

Terrorism in the Netherlands

Sun, 13 Nov 11 13:33:05 +0100

The Netherlands are involved in an important fight. A battle even. We're not totally sure against whom, but we're very serious about it. The government informs us that more than 200.000 professionals are involved in this, day in day out, fighting...

Terrorism. Fighting terrorism, you might ask? Yes, terrorism.

Have the Netherlands recently suffered terrorist attacks? Are the people frightened of things to come? Well no, not particularly. The only "terrorist" activities that we've had here, were in the 1970's, when post-colonial second generation Indonesians, specifically from the island group the Molucs, decided that a fight for their right was appropriate. They hijacked trains in the Netherlands and occupied a school. They wanted a contry for themselves. It was a frightening time, and unfortunately, people got killed. Eventually, in typical Dutch tradition, everyone reconciled. The terrorists didn't get their own country, but were allowed to hold a memorial for their fallen comerades.

So where does the current terrorist threat come into play?

In the town of Delft, car mechanics discovered a bomb underneath a Peugeot, just as they were about to service the car. And this week a Peugeot blew up on a highway near Delft! The driver managed to get out of the car and was rushed to a hospital, with burn injuries to his legs.

Terrorism? Oooh!

My imagination ran off with me.
Senior terrorist: "Last week you learned to make car bombs. This week your assignment will be to blow up some cars."
Junior terrorist: "Oh, I can't wait! What may I blow up? Some trucks that transport chemicals, or better yet, petrol or flammable substances? Or maybe government officials' cars?"
Senior terrorist: "No, that's better left to the professionals. You need practice first. You will start by blowing up Peugeot 207's.
Junior terrorist: "Awwww.. C'mon! Can't I go and blow up something serious?"
Senior terrorist: "No, and that's final. Next week we will evaluate your performance and discuss your further career."

After a day or two, the news reached us that the victim was a drug peddler, who had apparently ripped off the Turkish mob during a deal. Alas, the 200.000 professionals who are fighting terrorism are still waiting for their moment to shine.

The mind and bodysnatchers are among us

Sun, 13 Nov 11 13:33:05 +0100

They are among us. They have been living among us for a long time, we even can't be sure how long. But we finally have the proof.

They have been engaging in voodoo and zombie rituals in the French Polynesian Islands, and we have unrefutable evidence. We now know how they operate.. and how they turn us into mindless slaves, meek as dogs on leashes, and how they then use our bodies for their progeny.

They are small, much smaller than we are. That's maybe why we don't recognize them as our mortal enemies. They are fast and deadly, their weapons are poisons. First they will numb us with a poison sting and patiently wait.. while we feel how we loose control of our bodies, and realize that we are no longer able to defend ourselves. Then they will administer a second poison sting, right into our brain. Again they will patiently wait, knowing that they have already won, while we loose control of our minds as well. Our bodies continue to function: we breath, we look, we turn our heads - but without a will, as if our bodies no longer belong to us, as if our bodies are on autopilot. We have become zombies.

Their tactic is our worst fear: we are stripped from everything that makes us 'ourselves', we are robbed of the control over our bodies, as well as the control over our minds.

They are patient. They are precise. They are prepared.

Their nest will typically be nearby, ready for the grisly future that awaits us.. All they have to do, is to drag us into it. We follow them wherever they decide to take us, unable to resist. We are meek as lambs on the way to the slaughterhouse.

Once in their power and in their nest, their purpose becomes apparent. Without remorse they will lay their eggs into our bodies. Their larvae will hatch and silently feast on the nutrients that we provide. We are degraded into mindless organic hatcheries, nothing more than a container of nutrients. Their larvae will grow and reach maturity, and finally we will die, not even aware, not even thankful that the ordeal is finally over.

Do you dare to watch?

Bruce Schneier and Hildo

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I ran across two noteworthy sites that I'd like to share.

First, there's security guru Bruce Schneier. He answered a user-submitted list of questions for the Freakonomics blog of the NY Times. A worthy read with a treasure of links to related Bruce Schneier's work.

Bruce Schneier isn't only a crack in the technical sense (he wrote the Blowfish and Twofish algorithms). I find that the most interesting articles are the ones where he digs into psychological and economical aspects of security. Read for yourself. Incidentally, his blog comments are also available in podcast format (which comes out monthly): a great passtime when in traffic jams.

On a lighter note: if you're Dutch speaking, be sure to check out Hildo's Egocentric Website (twolefthands.nl). The guy has huge glasses and an even bigger beard, does his own metal work for his Harley, tries to play the Banjo, and shares his insights on gourmet cooking with us. Based on what one can read on his site, he's a happy camper..

Bye bye, good Christian soul

Sun, 13 Nov 11 13:33:05 +0100

Yesterday, whilst bored in a traffic jam, I overheard an interview on the radio. They talked to Cardinal Simonis, our local representative of the Catholic God, who will vacate his seat on December 12th. They of course talked about his many years of service, the decline in the number of church visitors, the problems of our multi-cultural society, and what not.

Here are a few snippets that I thought I should share.

On the subject of dwindling influence of the Catholic church. Simonis: "No, the influence is not diminishing. Only last month we sent an open letter to many organisations in the Netherlands. The letter was very well received." Yeah, right, that's why I never saw it. Incidentally I asked some co-workers and friends, no-one saw the letter yet as e.g. a reprint in some newspaper.
On the subject of more and more nudity on TV. Simonis: "Yes, I am concerned and troubled about the ads for female lingeray. It's another symptom of the 'sexualisation' of our society." I kinda agree with the guy, though it's not really about lingeray. Shouldn't he be more troubled about trafficking, child porn and the such? That however doesn't seem to bother him. I wonder whether the guy's aware of such things at all - I wouldn't be surprised if he only sees the poster ad for lingeray because it's on the way to his office.
About the level of education in the Netherlands: "Yes, well, I am an alpha-type myself." [Red: In Holland the school subjects are loosely divided into 'alpha' (languages, history etc.) and 'beta' (technical stuff, math, physics, chemistry, biology etc.).] "Beta-sciences are important, technology-wise and for the the quality of living. But all 'real' thinking is course done by the alpha people." Is this guy for real?
Later on, still about the dwindling numbers of church-goers in the Netherlands. Simonis: "Yes, the counts of visitors have been declining." Well thank God that the influence of the Catholic church is still sky high (see above), despite that fewer people visit the sermon. Simonis, cont.: "But the Catholic church is strong as ever in Africa and South America." Interviewer: "So do you think there's a chance that the new cardinal will be African or South American?" Simonis, somewhat condescending: "No, Miss, don't you worry. That's not going to happen."

As I was listening to the interview I didn't even get excited or disgusted or the like - in fact I was surprised by the lack of emotion. I just felt a slow dumbness descend over me.

Confusing mail message

Sun, 13 Nov 11 13:33:05 +0100

I'm confused. They're mailing me personally, so it's gotta be important. But I can't make heads or tails of it! What did I win? How many rubles? How do I get in contact with them to claim my prize? Where do I download their viewer.exe which of course is not a Trojan but instead will do something fantastic that I'm always dreaming about? Are the 17 steps mentioned below the sure-footed way to unspeakable riches and personal happiness?

Update: I'd asked for some translation help, and got it pretty fast from Eddie. Ed doesn't speak Russian any more than I do, but he's a handy sort of chap and knows of many sites that can translate stuff. E.g., Google Translate can do it.

It seems they're trying to get me to participate in a symposium on the legal aspects of leasing stuff in Russia. Bummer. I hoped that they'd inherited an obcene amount of rubles and were trying to get it out of the country via my Dutch account.

From: 	 ogl@bottledblessings.com
Subject: Регистрация договора аренды
Date: 	 December 3, 2007 2:24:30 PM GMT+01:00

Здравствуйте!

Пришлашаем Вас принять участие в однодневном семинаре на тему:
Договор аренды. Правовые, налоговые и бухгалтерские аспекты. Налоговые
преимущества договора аренды. Конкретные способы минимизации налоговой
нагрузки с учетом позиции Минфина.

(Письма Минфина РФ, ФНС РФ, Арбитраж)

Семинар пройдёт 21 декабря / 2007, г. Москва

Программа: 

1. Виды договоров аренды . Требования закона к форме договора аренды и
его государственной регистрации. Последствия его несоблюдения.
Существенные условия договора.
Диспозитивные и императивные нормы.
2. Объекты аренды. Права третьих лиц на объекты аренды.
3. Правовое положение сторон договора аренды.
Сохранение договора аренды в силе при смене арендодателя.
4. Возмездность договора аренды.
Понятие возмездности договора аренды. Арендная плата: метqоды
определения и составляющие цены арендной платы. Формы арендных
платежей. Взаимозачет и иное удовлетворение требования кредитора по
возмездному договору аренды. Изменение цены арендной платы.
5. Сроки в договоре аренды.
Определенный и неопределенный срок аренды. Предельный срок договор
аренды. Сроки внесения арендной платы. Последствия их просрочки.
6. Расторжение договора аренды.
Расторжение договора аренды по взаимному согласию сторон. Расторжение
договора в одностороннем порядке. Расторжение договора по требованию
арендатора. Возмещение убытков при расторжении договора. Обзор
судебной практики оснований расторжения договора аренды.
7. Прекращение и возобновление договора аренды.
Гибель арендованного имущества. Истечение срока действия договора.
Выкуп арендованного имущества в течении срока действия договора. Иные
основания прекращения договора аренды. Возобновления договора аренды
по согласию сторон. Преимущественное право арендатора на заключение
договора на новый срок. Возобновление договора аренды при замене
стороны обязательства.
8. Налоговые преимущества договора аренды.
9. Регистрация договора аренды и налог на прибыль.
Позиция Минфина РФ , ФНС России и арбитражных судов.
10. Субъекты арендных отношений. Их права и обязанности
10.1.. Арендодатель. Его правовой статус. Предоставление имущества
арендатору. Документальное оформление передачи.
Правовые и налоговые последствия не оформления передачи арендуемого
имущества. Недостатки арендуемого имущества и их обнаружение
Бухгалтерский и налоговый учет Арендодателя с учетом изменений ,
внесенных Федеральными законами 58-ФЗ и 119-ФЗ:
передача имущества в аренду , учет арендной платы ( НДС, налог на
прибыль), начисление амортизации по О.С., переданным в аренду , ремонт
переданного в аренду имущества , оплата коммунальных услуг, выкупная
цена .
10.2. Арендатор. Его правовой статус.
Бухгалтерский и налоговый учет Арендатора с учетом изменений ,
внесенных Федеральными законами 58-ФЗ и 119-ФЗ :
арендные платежи и проблемы вычета НДС по коммунальным расходам ,
ремонт арендованного имущества, условия выкупа арендованного имущества
10.3. Ремонт арендованного имуществ с позиции арендодателя и арендатора.
10.4. Арендная плата и "коммунальный" учет. Противоречивая позиция Минфина РФ.
11. Оптимизация налогообложения при учете расходов на содержание и
улучшение арендованного имущества, ремонтных и коммунальных расходов
путем включения в договор контрактных оговорок
12. Договор аренды в условных единицах
13. Субаренда.
14. Аренда федерального и муниципального имущества. Особенности
исчисления м вычета НДС.
15. Аренда земельного участка под строительство. Позиция чиновников.
16. Договор безвозмездного пользования (ссуды). Налоговые последствия
для ссудополучателя..
17. Обзор практики рассмотрения арбитражными судами споров по договорам аренды .

Продолжительность обучения: с 10 до 17 часов (с перерывом на обед и кофе-паузу).
Место обучения: г. Москва, 5 мин. пешком от м. Академическая.
Стоимость обучения: 4900 руб. (с НДС). 
(В стоимость входит: раздаточный материал, кофе-пауза, обед в ресторане).

При отсутствии возможности посетить семинар, мы предлагаем приобрести
его видеоверсию на DVD/CD дисках или видеокассетах (прилагается
авторский раздаточный материал).

Цена видеокурса - 3500 рублей, с учетом НДС.

Для регистрации на семинар необходимо отправить нам по факсу или
электронной почте: реквизиты организации, тему и дату семинара, полное
ФИО участников, контактный телефон и факс.

Для заказа видеокурса необходимо отправить нам по факсу или
электронной почте: реквизиты организации, тему видеокурса, указать
носитель (ДВД или СД диски), телефон, факс, контактное лицо и точный
адрес доставки.

Получить дополнительную информацию и зарегистрироваться можно:
по т/ф: (495) 543-88-46
по электронной почте: solon@besttraining.ru

Так же Вы можете посетить другие наши программы:
11 декаюря: Новый закон "О рекламе"
13 декабря: Автомобиль в вашей организации
17 декабря: Сложные вопросы признания "прочих" расходов в 2007 году
24 декабря: Торговые организации. Бухгалтерский учет, налогообложение.
26 декабря: Основные средства - бухгалтерский и налоговый учет

Medion MD 85276 reviewed

Sun, 13 Nov 11 13:33:05 +0100

If you're into gadgets and unexpected peripherals, check out Eddie's review of the Medion MD 85276 digital notepad. He bought it at a Dutch supermarket, where one can often find el-cheapo electronics - and sometimes even pretty good stuff. The review has also very useful links to software which converts the notepad files from its closed TOP format into SVG, which is open enough to be further handled.

I can't wait to see Eddie in action during meetings, toting his electronic scratch pad, and e-mailing images of his notes just seconds after meeting closure..

Recent cases of data exposure

Sun, 13 Nov 11 13:33:05 +0100

There have been some shocking cases of data exposure the last few weeks. Just to name two:

The credit card clearing house EMC (who handles transactions for Visa, Mastercard and I think a few more credit card companies) decided not to business anymore with TellSell, the guys who'll send you 20 free knives if you order their set of stick-free pans. Reason: TellSell didn't sufficiently protect the credit card data of their customers, leading to too many fraudulent transactions. Apparently customer data were stolen via TellSell's site, and re-used on other sites by data identity thieves.
The top story: the British government "lost" 25 million records of families entitled to child benefits. Each record would hold names and account numbers. It seems that the data were backed up or copied unto two CD's, and the CD's somehow got lost. It's not clear whether this case is a theft; the CD's may still show up (did they check their car trunks? It's where I usually find stuff that I've "lost").

Anyway, these news bits somehow strangely fall into place, regarding my previous posts of the trustworthiness of governments or organisations, and of the necessity to keep data around.

In the case of the data exposure in Britain, I argue that there will always be f**kups due to human error. And even if we could eliminate the human factor: who's to guarantee that the technology of data protection is sufficient to prevent data exposure? It would obviously be best if the data were not in readable format anyway. Now I can see that the British "Ministry of Family Affairs" (there is no such thing, but bear with me) needs to know who's entitled to child benefits. They would need a list of families. But do they need the account numbers too? Why were those account numbers not stored separately, in a list maintained by the "Ministry of Finance"? The two lists might've been linked by keys based on non-reversible hash algorithms. If this had been the case, then the impact of the data exposure would've been far less: only a list of families would have leaked, without sensitive account data.

In the case of TellSell, I argue that this organisation doesn't need to keep credit card data at all. They only need a list of website visitors, and for each visitor, they need to construct a non-reversible hash value of credit card data. When appropriate, the hash value sent to EMC for payment purposes. Oddly enough, I wrote about using hash values for this purpose just two weeks ago.

In both cases, technological or human errors led to data exposure. But more fundamentally: the way that the data were stored was flawed when looking at the matter from a security perspective.

In most cases software will be designed and built so that it's delivered fast and cheap: meaning here: "store all data you can yourself, instead of delegating data ownership where it belongs." Delegating ownership would of course mean that complex algorithms of non-reversible hashes would need implementing, that transmission of data would involve transmitting such hashes and verifying them, and so on. Security-wise a good concept, but definitely more expensive than the current approach of least resistance.

I'm just wondering what will happen in the evaluation of these cases. I'm sure that the poor guy who backed up 25 million records onto two CD's and then misplaced them, will get some punishment. His boss will also suffer some consequences. But the IT architect who designed this? I'm pretty confident that he'll still be considered an expert who did a fine job. The same goes for TellSell. They will rigorously review their website security features and probably axe a few scapegoats, but they will never question the overall design.

Bayes bites

Sun, 13 Nov 11 13:33:05 +0100

As I'm re-reading my notes on privacy and huge data collections, a favorite story springs into mind. It's about Baysian statistics. The idea for the text below is from John A. Paulos' book A Mathematician Reads the Newspaper (I can highly recommend reading this).
Imagine a city of 10 million people, where a brutal crime is committed by one of the citizens. Furtunately, the killer left their fingerprints at the murder scene, so the detectives have a perfect starting point for their investigations.
Another fortunate thing is that the City has collected the fingerprints of all citizens in a huge database, with the purpose of speeding up and helping the fight against crime. Great! One might expect that the murder will be solved swiftly...
So the detectives fire up their systems and let the computer compare the crime scene prints against the set of the prints of all citizens. The computers start crunching numbers, everyone holds their breath, and.. finally.. after 3 weeks of humming, the computer finds a match. A suspect is arrested and brought to trial.
The court hears all involved parties, and all subject matter specialists. Just to be sure of the evidence, the judge asks an expert: "How good is that fingerprint matching system?" The expert answers: "Your honor, it's the newest-bestest system one can have, all singing and dancing. The chance of error is very small indeed: it will correctly identify a fingerprint in 99.9999% of the cases! There's a chance of only one in a million that the machine says it's a match while in fact it isn't."

The jury is convinced. Despite the fact that the suspect continues to plea not guilty (but hey, that's to be expected), a guilty verdict is returned. The jurors' motivation is: "The defendant simply must be the one who did it. Why, there machine is almost error-safe! The chance of a bad decision are only one in a million. That's good enough for the court, We, the jury, are convicting the defendant."

The truth here is that the suspect probably didn't do it. If the fingerprint maching machine makes an error once in a million comparisons, then statistically it would spit out 10 suspects, since there are 10 million citizens. The chance that any randomly chosen suspect who is identified by the machine has committed the crime, is therefore 10%. The chance that the John Doe who was arrested and convicted is actually not guilty, is 90%.

The error that was made by the jurors is a typical one. The "one in a million" error chance suggests that the fingerprinting method is pretty accurate. Which it may or may not be - but in any case, that's not the question here. Bayes described his theorem using the following phrasing: "What are the odds that X happens, given the fact that Y is already observed". The "given that" clause is paramount: the jurors should have asked themselves, "what are the odds that the defendant is not guilty given the fact that his fingerprints matched". The answer to this question is straight forward: we expect 10 people's fingerprints to match, and only one of them is the perp - so there's a 90% chance that the defendant is not guilty. The given-that clause will typically decrease the size of the reference population by selecting out a group with an already known factor.

I always try to illustrate this for myself as a matrix of categories and (sub)populations. We have two factors here: (a) A person is guilty or not, and (b) a person's fingerprints match or they don't. These categories can be illustrated in a simple 2x2 matrix, with a third row and column for totals:

	Guilty	Not Guilty	Totals
Fingerprints match	1	9	10
Fingerprints don't match	0	9.999.990	9.999.990
Totals	1	9.999.999	10.000.000

I think that this representation nicely summarizes all of the above, though admittedly it takes some time to getting used to such illustrations. The bottom line of this example is that large data collections (such as a database of fingerprints of all citizens) may not be useful at all in determining culprits when used as the sole source of information. On the contrary: "very precise" methods and large datasets may look good but produce very bad results. Every method, however precise, has a chance of producing false positives (see also the Schiphol entry), and even a small chance of false positives will yield quite large numbers of distinct cases when the reference population is large enough.

As a last remark. Incase you're wondering how precise fingerprint comparisons are: current methods are approx. 98.5% accurate or better, which is way less than the hypothetical 99.9999% used in this example. That's another reason why I think that Japan's plans to fingerprint all foreigners make no sense.

Japan starts fingerprinting foreigners

Sun, 13 Nov 11 13:33:05 +0100

Seen on slashdot:

"If you're planning to visit Japan sometime in the near future, you should be aware of the welcome you'll get. Last year, Japan's parliament passed a measure requiring foreigners to submit their fingerprints when entering the country. The measures, which apply to all foreigners over 16 regardless of visa status, take effect tomorrow. The worst part: the fingerprints are stored in a national database for an "unspecified time", and will be made available to both domestic police and foreign governments."

There goes the personal privacy again. Thanks to such measures, we're forced to place an implicit trust in organisations or countries that we don't really know. Also we're forced to extend this trust into the future, since Japan will store the fingerprints "for an unspecified time". And what's even scarier, we're forced to trust the Japanese authorities "by proxy". We have no idea who the "foreign governments" are that Japan is willing to share the data with.

I wrote earlier about a similar idea of the European Union, concerning storing flight movement data. That idea didn't make sense to me, and neither do the Japanese plans. I still think that

The "ownership" of my personal data lies with me, unless proven otherwise.
No-one should be forcing me to trust anyone for an unspecified time. You might ask me to trust you now, but you can't expect me to state that I'll be trusting you in ten years!
In the end, such measures will make no sense at all, they simply won't be effective. Not even historical data indicate that this measure should help: no terrorist attack in Japan ever was committed by foreigners.

Trust by proxy in a time warp, what a bitch.

Privacy, Yahoo and the Strange World

Sun, 13 Nov 11 13:33:05 +0100

It's a strange, strange world. A while ago, two Chinese bloggers were convicted after Yahoo had turned over their identity data to the Chinese authorities. The prison sentences in China are not for the feeble of heart: one of the bloggers will spend 10 years in jail for speaking out for democracy on his blog, and I'm not sure what the sentence of the other blogger is.

I suspect that Yahoo are eager to do business in China, which they see as one big emerging market, and hence are forced to comply with local regulations. The sentencing of the two bloggers is harsh and conter-democratic, we will all agree - but did Yahoo do anything wrong, in the strict sense of the applicable law? I don't know.

And neither do the US authorities. Yahoo were summoned to a hearing in Washington DC, where two of their US-based executives were put to the test: could Yahoo have known what the Chinese authorities were going to do to the two bloggers, as they were turning over the identity data? If so, could they have avoided handing over the data? Could they have complied with the Chinese regulations in a "less strict" way? What does that mean, "yeah, comply with the Chinese authorities, but feed them bullshit"?

It's a strange world. Yahoo and other companies are required by law to retain data, and are required to turn over such data to the authorities when requested to do so. However, it appears that there are exceptions to this rule:

The rule doesn't need to be adhered to strictly when applied to foreign governments.
Actions that follow from this rule will come under scrutiny when the public outcry is loud enough.

How hypocritical is that? The very same US authorities have implemented a "no fly list" which is already shown to malfunction: once you get on it, you won't be able to fly, and getting off the list seems almost impossible. The very same US authorities tap all sorts of communications and retain such data, fishing for information on undesirable activities. Our own Dutch authorities require ISP's to retain Internet-activity related data for 18 months for the same purpose. Why? Because it may come in handy some day. Dutch Telecom providers have data stating which mobile phones connect to which ground stations - making it possible to track the movements of the phone owners. Why? Because they can.

So as I'm surfing the web, making phone calls, and doing all sorts of things, I'm leaving a trail of data. I consider such data very personal: they are my actions, which are private. If you want to know what I did and when, ask me - and if I think you're entitled to know, then I'll tell you. This doesn't work the other way 'round! You're not entitled to dig through my personal data to see if you can find anything that's of interest to you, whether your interest has a legal perspective, a commercial perspective or whatever. It's a matter of principle.

So, which organisations can I trust to handle my data trail in a careful and responsible way? The Dutch state? The European Union? The Chinese or US authorities? My telecom provider? My ISP?

My data trail is just too wide and too fragmented to enumerate whom I can trust and whom not. As far as I'm concerned, there is only simple common sense here: don't retain my data!

Here's how I think it should work.

To my telecom provider: "When my mobile phone connects to some ground station, don't store such data on a per-connection basis. If you need to know the load of a given ground station, use a counter - not separate connectivity entries that are later analyzed."
To my ISP: "Don't store my IP address with the URL's I visit. Don't store the mail headers of my incoming or outgoing mail. You don't need such data. If you bill me for bandwidth usage, simply store counts of upstream and downstream transfers."
To my forum site operator, where I regularly post: "Don't store my IP address. I know you need some measure to block addresses when people post offensive material, but you can achieve this by storing e.g. a SHA-2048 hash of the IP address. This can be checked when someone connects to the forum, but a posteriori it is harder to reverse this to a physical address. If a forum entry isn't flagged offensive for say 3 days, then remove the associated data where the hash of the poster is stated."
To my authorities: "Don't force my telecom provider, ISP, forum operator and others to store my private data. There is no guarantee that they are trustworthy. Even if we all agree that they're OK today, who knows how they will be in say 5 years from now? If you need to investigate me for e.g. illegal activities, get a court order, and start tapping my actions. Avoid situations where investigations can be run by sifting through existing data."
To all of the above: "Rethink your point of view. At the moment it's OK to store private data, as long as you do it in a 'secure' way (whatever that may be - usually you have to appear to be making some effort so that the data don't get out on the street). That's not the way to look at this matter: rather, storing data should not occur unless absolutely necessary (e.g. my bank needs to know who I am). In all other situations, storing private data should be discouraged and even illegal!"

I know, this is oversimplifying things. But I still feel that the general principle applies. You get the idea.

Privacy, Fall through algorithms, and Securing data

Sun, 13 Nov 11 13:33:05 +0100

Today I was discussing data privacy with my good buddy & collegue Eddie. We were talking about the idea of hashing sensitive information and storing the hash, instead of storing the actual plain-text information - an idea that I suggested in my previous note on Yahoo and data privacy. Is storing hashes instead of plain data feasible? When can it be used, and when not? Our discussion prompted me to elaborate a bit.

What's a hash value anyway?

The principle works as follows. One can convert text to a value by chopping the text into chunks and feeding them into some algorithm which is non-reversible. That means that if you have the text, you can compute the value - but not the other way 'round.

Imagine the following hash function: If you want to compute the hash value of a name, then take each letter of that name, where a=1, b=2 and so on, and add these values. The result is the hash of that name. This very simple hash function illustrates the concept: "karel" would become 11+1+18+5+12=47, while "eddie" would become 27. But knowing only the number 47, it would be impossible to reconstruct my first name. So the algorithm is truly one-way.

What good is storing a hash instead of the original data?

So based on this algorithm, one could distinguish two names without actually knowing them, but only knowing the hash. E.g., let's say that both Eddie and I register at some website. I am mainly interested in music and build up my profile accordingly, while Eddie is interested in tech news stories. Now let's say that the website owner is so privacy-aware that he decides not to store the usernames in a database, but only the hashes. I can still log on using "karel" and Eddie can log on using "eddie", but the first thing the website will do, is convert my name to "number 47" and Eddie's to "number 27". Then the website looks up a personal profile based on the hash number, and shows corresponding data on the site. So profile number 47 will display playlists of music, and profile number 27 will display the latest tech news. The trick here is that the actual user name only exists on the login page, where I enter "karel" and Eddie enters "eddie". Beyond that login page, the user name no longer exists, only the hash!

No problems so far. But what is it good for? Well, one important aspect is, that my username is not stored in the site's list of profiles. So a malevolent sysop there cannot get at my username and log in using my account! Since only number "47" is known there, the malevolent sysop has no way of knowing that he must type "karel" to steal my identity.

But wait! This hash algorithm isn't too safe, is it? Number 47 can also be constructed using four j's (four times 10) and one g (7). So user name "jjjjg" would also access my profile. And what if my evil twin Lerak decided to register? He would also hit the same hash!

Accidentally hitting the same hash is called a 'collision'. Obviously a good hash function should not be only one-way, but should also avoid collisions. There are very good hash functions out there, such as the SHA family. However, none of these are guaranteed to avoid collisions.

Is there a practical application for this?

When I purchase items over the Internet, I often use my last name and account number for billing. The account number in the Netherlands consists of nine digits (eg., 123456789). I enter the name and account number at the site where I'm purchasing an item, and the site then connects to my bank to see if my balance is sufficient for the transaction. Furthermore the site will surely store my last name and account number, so that I don't have to retype it during a next purchase. They'll do anything to improve the "user experience" and to entice me into visiting them again.

Two things are happening here: One, when I'm purchasing something for ten euro's, the site asks my bank: "Is the balance of Kubat, with account number 123456789, sufficient for a transaction of 10 euro's?" Two, the last name Kubat and the account number 123456789 are stored in some database of the site.

There is a number of dangers lurking here. First, someone may be eavesdropping on the chitchat between the site and my bank. They can find out that the combination Kubat/123456789 is valid for making purchases, and start making purchases in my name! Second, any malevolent employee of the site can find this in the site's database and also misuse my identity for their profit.

Obviously I don't want that to happen. So we can take a number of measures - e.g., secure transactions between the site and my bank, and restrict database access for all but a few site employees. Unfortunately, however well designed the security measures may be, there will always be ways around them. And there is still the basic question - do the data need to be there in the first place?

So, why don't we use hashes instead of plain text data?

The hash512 value of my last name "Kubat" is UlieNqKVJFYPlgu7ZAMUl0J5SG5ZV7nKtF9AK+fuuV/K3uljp0Glj2CyUFvC3N1GCV7SgxBmxkTOmCM+EeIGeA.
When I log onto the site, I state my last name just once - on the login page. Beyond that, my last name just isn't available anymore, only the above hash.
The hash of my account number "123456789" is 2eZ2LdHI6vbWGzxhkvxAjU1tXxF20MKRabwk5xw/J0rSf81YEbMT1oH35V7ALXPUmclUVba1u1A6z1dPuo/+hQ. I'd have to enter my account number just once, when making the first purchase. AFter that, the site's database would store that "Person UlieNqKVJFYPlgu7ZAMUl0J5SG5ZV7nKtF9AK+fuuV/K3uljp0Glj2CyUFvC3N1GCV7SgxBmxkTOmCM+EeIGeA has account 2eZ2LdHI6vbWGzxhkvxAjU1tXxF20MKRabwk5xw/J0rSf81YEbMT1oH35V7ALXPUmclUVba1u1A6z1dPuo/+hQ".
When I purchase an item, the site would ask my bank: "Does person UlieNqKVJFYPlgu7ZAMUl0J5SG5ZV7nKtF9AK+fuuV/K3uljp0Glj2CyUFvC3N1GCV7SgxBmxkTOmCM+EeIGeA with account 2eZ2LdHI6vbWGzxhkvxAjU1tXxF20MKRabwk5xw/J0rSf81YEbMT1oH35V7ALXPUmclUVba1u1A6z1dPuo/+hQ have a balance high enough to cover ten euro's?"
My bank cannot reverse the supplied hashes to my name and account number; no-one can. But that's not necessary! My bank has a full list of customers and account numbers, They can pre-generate lists of hashes, and compare the two hashes that the site sends with their list to find my data.

Much better. Since the hashes aren't reversible to values, the security risks have magically disappeared. But what about collisions? Fortunately we are quite able to verify whether collisions occur. They don't - each account number, ranging from 00000000 to 99999999 yields its own unique hash.

And consider the following real-life situation. Many people purchase items over the Internet and pay with their credit card. Each transaction needs to be verified with a credit card company, where a website might ask: "Is credit card holder A. Smith, with card number 1111222233334444 and verification code 123 and expiry date 02/10, good for 20 dollars?" Any malevolent person only needs to get hold of these data; once they have them, they are free to roam Internet sites and purchase items using Smith's stolen identity.

In contrast, imagine that the identifying data were a hash of the combined values. In this case we could build up one long identifier, consisting of "Smith,1111222233334444,123,02/10", compute the hash (which is incidentally "svzW3IjYHVr+sFj85FVXyZmMHrtcPMSJdZoTb9BXOjSfoEOdfZYeGYjSlMCbBcaPheYS1yiIMqu7ox+ICxjoIw") and use that -again- in the following way:

The hash would be computed just once, when the user registers at the site. After that, the original data would be discarded, and only the hash would be stored in the site's database.
Verification of the transaction for 20 dollars would only transmit the hash, not the separate data.

All wannabe identity thieves who are looking for a quick buck: good luck extracting the separate name, credit card number, verification code and card expiry date from this hash.

So where and how can this approach be used?

The hash approach is suitable for all situations where a requestor asks some central service a question concerning a person, or indeed, anything that's identified by some data, such as in the previous examples. The approach is not suitable in situations where a requestor asks a generic question without supplying an identifier.

So for example, if websites were allowed to ask a credit card company: "Give me a list of all your customers whose balance is high enough to make a $20 purchase", then this approach couldn't be used - there is no "identifier" in the question to hash. Furtunately, this isn't a request that's allowed by the credit card companies (one may hope).

Is this appraoch in use?

Personally, I haven't heard of it. Except for the fact that passwords are stored in encrypted format; the encryption routine being a one-way non-reversible algorithm. That's why you can't phone the helpdesk and ask, "what is my password again, I lost it". The helpdesk guys don't know, and they have no way of finding out. All they can do is reset your password to some value that you can use for your next login. The password storage methodology is so common that I wonder why the same concept hasn't been applied to other privacy-sensitive data.

Will the approach ever be used? One may hope so, I don't see any obstacles, only benefits. Well there is of course one obstacle - websites and credit card companies would need to change their systems to conform to the new way. This won't ever happen unless someone tells them to. As I stated previously: storing private data should be prohibited, unless it is absolutely necessary and there's no other way. That would be a good incentive!

Perl snippets for the playful

If you want to play around with the algoritms, below are a few Perl snippets that I used when writing this.

Here is the "idiotically simple" hash algorithm.

#!/usr/bin/perl

use strict;

# ihash - idiotic hash
# --------------------

# Check the command line.
die ("Usage: ihash name(s)\n") if ($#ARGV < 0);

# Show hash all arguments.
for my $n (@ARGV) {
    print ("$n: ", hash($n), "\n");
}

# The hash function
sub hash ($) {
    my $n = shift;
    my $h = 0;
    for my $c (split ('', $n)) {
	$c = lc($c);
	$h += ord($c) - ord('a') + 1;
    }
    return ($h);
}

Here's a short script to display sha512 hashes. You'll need the Perl module Digest::SHA to make this run.

#!/usr/bin/perl

# sha512 - displays the sha512 hash of all arguments

use strict;
use Digest::SHA qw(sha512_base64);

# Check the command line
die ("Usage: sha512 strings\n",
     "Displays the sha512 digest of all strings.\n") if ($#ARGV < 0);

for my $str (@ARGV) {
    print ("$str: ", sha512_base64 ($str), "\n");
}

I verified that Dutch account numbers between 000000000 and 999999999 do not collide when hashed using sha512. Here's now.

#!/usr/bin/perl

# sha-accnr-checker
# If we sha512-encode Dutch account numbers (which have 9 digits),
# will we encounter collisions?

use strict;
use Digest::SHA qw(sha512_base64);

# Make the output unbuffered
$|++;			   

# Hash of seen digests
my %used;

for my $nr (0..999999999) {
    # Pad account number to 9 positions, compute the digest
    my $acc = sprintf ("%9.9d", $nr);
    my $dig = sha512_base64 ($acc);
    
    # Stop if there's a collision
    die ("\n$acc conflicts with $used{$dig}\n",
	 "both yield sha512: $dig\n") if ($used{$dig});
    
    # Store digest since we've now used it
    $used{dig} = $acc;

    # Show a ticker so we see what's going on
    print ("\r$acc") if (! ($nr % 10000));
}

# All done
print ("\nno collisions detected\n");

European airlines to retain data

Sun, 13 Nov 11 13:33:05 +0100

Seen today on Slashdot:

[The EU] are contemplating requiring all 27 member states to collect data on airline passengers and to retain it for up to 13 years. [...] The proposal is part of an anti-terrorism package that also includes tighter laws to control hate speech and bomb-making instructions.

I find such news bits somewhat scary. Actually I find them very disturbing. For me, this is first of all an invasion of privacy. This privacy argument is unfortunately quite hard to explain to others. The counter-argument that is presented most often, is: "Why would you oppose? If you have nothing to hide, then this shouldn't bother you, should it?" My gut feeling however says something different: Why should anyone care where I travel and when?

But I think that there is an even stronger argument why one should disagree. Twelve years and 364 days from now, the European Union states will be able to check today's flight plans. Here's what bothers me.

I am to assume that the retaining of data will be in good trust, aimed at preventing terrorist attacks.
I am to assume that the retaining of data will not be aimed at good citizens to e.g. see if they travelled to their secret lover or to get some cheaper Wodka.
I am to assume the retaining of data will not be aimed at checking whether I might've flown to some medical facility in say Spain, which might indicate that I have a higher health risk of something or the other, which would mean that my health insurance policy might need reviewing. Or in the same vein, European governments will not check whether I've flown to some political meeting of some movement which is currently considered harmless, but which is frowned upon ten years from now.
I am to assume that the retaing of data will not be aimed at collecting commercially valuable data that can be sold to airlines for a few quick euro's.
I am to assume that during this whole period, my data will be rigorously protected and that no breach of privacy, leading to e.g. identity theft, will ever be possible. Meaning that:
- The EU will make sure that only properly trained and supervised personnel will manage such data. The people around the data will never ever be morons who leave e.g. back up tapes in their car. Furthermore they will never ever be susceptible to bribery, nor will they ever be otherwise criminally inclined which might also lead to the sell out of my data;
- The EU will make sure that the technological level of security is always higher than the one of potential attackers. The EU can guarantee that no technology will be developed between today and 13 years from now that could crack the security systems protecting my data.

Sorry, that's just asking too much. This regulation forces me to put trust into the European governments not just in the present time, but also in the future. Why should I concede that I will trust the government of any (European) state thirteen years from now?

How can any organisation demand today that I should trust in them in the future?

Also I wonder whether anyone has actually verified that storing passenger data prevents hate speech and terrorist attacks. I strongly suspect that the decisions are made by the people who have the time, not the people who have the talent. And of course by politicians who act on a knee-jerk reflex: "Let's put some kind of measure in place, it'll make the public will feel safer." Does this mean that the decision makers think that no-one will bother to check whether the measure actually makes sense? Decision makers wake up! We're not a flock of idiots, stop treating us as such!

Incidentally, did anyone ever bother to go over the numbers? The Dutch airport Schiphol (the largest one in the Netherlands) currently ferries some 43 million passengers per year. So only for Schiphol we'd have 43 million records a year to check. The verification systems would of course be state of the art and highly accurate - but however accurate a system is, it always yields a given percentage of false positives ('hits' that initially ring a bell, need to be further investigated to determine whether they indicate a terrorist action, and -fortunately- in the end are found harmless).

What percentage of false positives would such systems yield? Ten percent? Five percent? Let's assume that the verification systems would be so highly accurate as to yield only one percent false positives. For Schiphol Airport only that would mean 1178 false positives a day!

What will we do to battle such ridiculously high numbers? We might expand the police force to cope with such numbers. How many extra officers would we need to check 1178 records each day? What would such an officer do, run back ground checks on the passenger? That way we could easily need 500+ extra personnel just to check Schiphol. Would placing an extra 50 trained guards in and around Schiphol be just as effective - if not more?

I'm sorry. The whole idea just doesn't make sense to me. Please convince me otherwise!

BloggEd

Sun, 13 Nov 11 13:33:05 +0100

This cannot go unnoticed. Good buddy & colleague Eddie N. (featured here a number of times!) has finally started jotting down stories that show how weird he actually is ;-)

Mostly for Dutch speakers and really worth the read: eddie.niese.net.

Wilders and Marktplaats.nl

Sun, 13 Nov 11 13:33:05 +0100

Political cartoons can be funny, and they don't even have to be drawn by professionals. If the conditions are right, humor will spring up quite naturally - even better, there's nothing you could do about it even if you wanted. Thus also illustrates the following cartoon.

For Dutch oriented people it's pretty obvious. For non-Dutch oriented folks, explaining it would totally kill it. So you either get it or not, and you either like it or not. Here's to all of you opportunistic populists who call themselves politicians. There are people who can pretty much summarize your character in a few sentences, so beware.

(This was seen in Amigoe, one of the main newspapers of Curaçao / Netherlands Antilles. Shameless rip from Geenstijl.nl.)

The goldplated Mac

Sun, 13 Nov 11 13:33:05 +0100

It seems that goldplating things is becoming quite an industry these days. I remember my parents' generation, where casting baby shoes in bronze was considered a cute souvenir - there's progress for ya, nowadays you can get anything shiny and goldplated, a sure way to catch everyone's eye.

Recently I saw these two pictures of a goldplated Mac. Is that ugly or what?

More morons

Sun, 13 Nov 11 13:33:05 +0100

Let's have more morons

Recently I watched the movie Idiocracy, a comedy around the hypothesis that the number of human offspring is inversely related to IQ - so that eventually, the world's average person will become more and more "stupid". The movie is a cute comedy, though around a theme that's too scary to think about.

The scary thing is, that I'm seeing things that already point to this direction. Here's a few things off the top of my head.

Students of the Dutch teacher's academy (PABO) come from average or above-average high schools. More than half of them could not solve the following question:
What is 20 divided by ¹/₅?
They stated that in high school they were allowed to do use a calculator, so they weren't trained for this. Their spelling skills were below standards as well.
The younger system administrators that I encounter in my daily routines are only used to "drag 'n' drop" administration. If a system doesn't have a GUI, they have a hard time understanding it and administering it. Tiny scripts that make a system self-administer itself are considered "applications", require "coding" and "developers" - while in my opinion, writing and maintaining such utilities is the core responsibility of administrators.
When planning a large project, I too often hear: "We'll need more people in the team for this". This so blandly disregards the Mythical Man Month. Why doesn't anyone come up with: "We'll need smarter people in the team for this"?
My kids go to a primary school where the development of their personal self is stimulated. Actually I'm glad that this is the case, I can see them being able to cooperate with others, solve problems, create good looking Powerpoint presentations. They are well versed in history and tell great stories about ancient peoples and generals. But the school should also teach them two basic subjects: language (reading, writing, spelling) and calculus (fractions, percentages, negative numbers). These two subjects that I think are truly "primary" are tought sub-standard.

So how are we going to turn this around? Or on an even more basic level, when is someone going to stand up and say, "this has to be turned around"?

Dilbert nails it again

Sun, 13 Nov 11 13:33:05 +0100

This was sent to me by good buddy Eddie N. It nails it -again-. Should I laugh or cry?

Rough yet funny

Sun, 13 Nov 11 13:33:05 +0100

This was sent to me by my good collegue Emiel v.R. It's rough, but in a strange way really funny. Reminds me of my old nerdish days (hey, since when are they over anyway?)

Another silly Trojan mail

Sun, 13 Nov 11 13:33:05 +0100

Received today:

And guess what, you move the mouse over the hyperlink, and it shows..

The site is in fact not cards.123greetings.com, but mail.sharknet.ch. Would that be some Chinese site?
The hyperlink is to postcard.jpg.exe. Hmmm.. If I'm not mistaken, that's a filename that designates executables on MS-DOS systems (and derivatives). You know, the type of systems that use file names to determine what can be 'executed' and what not (ugggh).

[Incidentally some bearded guys in the 70's or 80's found a better way for handling file properties (read/write/execute permissions, separately for the owner, group and world - the guys were the ones to invent Unix and lay the foundation for e.g. Linux, *BSD, and MacOSX). But MS-DOS got invented 20 years later and the guys that worked on DOS, suffered from NIHS (Not Invented Here Syndrome). So they went ahead came up with a crappy solution - albeit a novel one.]

Incidentally, the e-mail continues to present more hyperlinks, incase you miss the first one:

Guess what, the links lead to the same .exe, on the same Chinese server.

Sad thing is, I'm pretty sure that some folks will click on it and run the .exe. When is someone going to stand up and say, "Hey, we require safety belts in cars in order to protect the general public. Let's also require that OS builders stop producing crap."

So ugly it is beautiful

Sun, 13 Nov 11 13:33:05 +0100

Sometimes things are so darn ugly that in the end one ends up getting used to them, and maybe even finding them beautiful.

I recently tamed a new WoW pet, a real ugly and scarey one. It reminds me of an alien, and if I knew for sure that it's female, I would've called it Sigourney. But alas, as I'm not sure, it's just called Ripley.

It's got a real tough skin, which is good (10.000+ armor)... so it suits its purpose perfectly. Now that I've been walking around with it for a week or two, I am even beginning to like it.

Here is a nickel kid

Sun, 13 Nov 11 13:33:05 +0100

They used to have some good Holy Wars in the past. Nowadays we have only skirmishes - that is, apart from Operating System Holy Wars. Still always good fun.

"Hey that Linux laptop looks way cool.. think it would be something for me?"
"No. It's for experts."

Spy Shredder

Sun, 13 Nov 11 13:33:05 +0100

Oh great! A spy shredder!

Recenty I got on a site that spontaneously started to verify how healthy my sytem is. Golly! I didn't know they could do that for free for me!

Lucky me that I should stumble upon such a great site! They found that my system isn't too healthy!

This is really my lucky day. And considering that I run Unix.. which is obviously infected with .exe's and .dll's! I need to download their free product ASAP so that I won't come to any harm in the future!

(It's done neatly, gotta give 'em that. Looks like the real thing. Still, you gotta be a sucker to fall for this kind of crap. This week the news reported that cyber crime is making more money than drugs, which is saying a lot.)

Web svn view 1.08

Sun, 13 Nov 11 13:33:05 +0100

My Easy SVN Viewer web-svn-view is out with a new version: 1.08. This all new singing and dancing viewer displays differences between versions better than the previous viewers.

If you're interested:

The package is hosted on http://public.e-tunity.com, e-tunity's site with public downloads. You'll find both the docs and download archive there.
Web-svn-view also has its Freshmeat page at http://freshmeat.net/projects/websvn/.
If you want to see it in action, browse e.g. the Crossroads SVN repository at http://crossroads.e-tunity.com/svnview.xr.

As ever, this viewer is extremely simple to install - just one CGI Perl script that queries a local SVN client and presents the output in a nicely formatted way.

Thank you, Emiel van R. and other contributors for the changes that led up to this version, which imho really improves the functionality!

Caught in THE Process

Sun, 13 Nov 11 13:33:05 +0100

Eddie N. is a colleague and good buddy who works as contractor for the same company as I do, as general trouble shooter, programmer, and what not. Today there was a request to update the "news" section on a portal page, so that customers would be informed of some important changes. Now, updating some HTML pages is in itself a very trivial task. Placing these pages onto production webservers is also very trivial, though it must be performed by another department (ITO). And all this must be coordinated by the Change Management Board, which is responsible for shipping deliverables back and forth (from developers to ITO), for logging changes, for giving all necessary aprovals, and for any or all other matters. You probably get the idea.. all this leads to a Process which seriously hampers the Product we're all working on. Here are Eddies remarks on this after a frustrating day.

L.S.,

Since 18:00 CEST the pages are finally live. I'm sorry for the delay. The delay was not due to technical reasons. Everybody was on their toes to get this done quickly however we got caught in the "change process" (again).

The "change proces" is better known as "THE process" to those who got caught but did manage to get out alive. Don't get me wrong: processes are good. Processes prevent us from falling into chaos and disorder. I do see the use and need of processes.

However "THE process" is not a regular business process. "THE process" is an autonomous organism. It takes your work (deliverables), chews on it and spits it right back at you. In your face.

Sometimes the deliverables will come out at the other end of its digestive system (in this case you are considered to be lucky). No matter what side your work leaves "THE process" you know one thing for sure: your deliverables are mutilated beyond recognition.

In some cases your binary files are transfered as text files, effectively stripping every last bit of each byte. Or linefeed characters are inserted into binary files. Bottom-line: "THE process" has no respect for your work whatsoever.

Mutilation is not the only malfunction in "THE process". Sometimes "THE process" manifests itself as a black-hole. At first you feel lucky that your deliverables are accepted so easily by "THE process". Unfortunately when this happens the deliverables are not "accepted" but "sucked into the black hole". Your deliverables (and the change to which they belong) are gone forever. No one knows where it is, nor where it went. "Was there a change?". "I don't see a change". "Where is the change?". "I don't think there was a change". "There is no change" "No change".

This is the right time to start calling people who are close to "THE process". You always feel some comfort when you get one on the phone. Later you'll realize that these people are actually the henchmen of "THE process". Sure they know that sometimes the change process doesn't work too well. They will even admit that "THE process" could be improved. However: every initiative to actually take on "THE process" is clubbed to death like a pack of cute little seal-pups looking for their Mommy. That's why they are called henchmen. "Sure it's a bad process, but it's OUR bad process and we will hang on to it like there is no tomorrow".

The henchmen try to tickle "THE process" in the hope that the black hole will release the deliverable in one way or the other. A curious pattern of redirecting you from one henchman to the other is often involved here.

You will always have to call at least five people before "THE process" is tickled. The outcome of this largely depends on who tickles "THE process" at what moment and in what area. Tickling is really the only way to get anything out of "THE process".

To get approvals out of "THE process" is as difficult as getting your deliverables out intact. "THE process" is basically a large black box (or black hole). Nobody really knows how this beast works. Why did the approval come out? Who did what to get it? Can we do this again? How do we get another approval? We did the same thing as before but this time we did not get an approval. How does this work?

And this is exactly what happened today. It's really absurd. On one side we have the company's business approval from Brian G. Meanwhile on the other side we have the techies at ITO lined up to actually perform the change. We gave them the deliverables and the instructions directly. Yes. We circumvented "THE process" for the deliverables. The deliverables are handed to ITO directly without allowing "THE process" to chew, eat and mutilate them.

When Brian gave the approval for the change the techies at ITO were ready for the change at hand. They only needed one thing: approval. So someone should say "well if business approves this change it's fine by me. I call the ITO guys and 5 minutes later the change is installed succesfully".

However doing so would circumvent "THE process". The henchmen are alert on this. No approvals without consulting "THE process". Believe me. I've called several people multiple times. Harry K. called several people multiple times. "THE process" must have had a tickling like never before however it held its ground. No approval came out of it. Sure there was some output of "THE process". Stuff like: "we disapprove this change because we never had to approve this change in the first place". But that's of no use to the ITO guys. We need more tickling. I called. Harry called. I called again. Harry called again. Tickle! Tickle it!! TICKLE!!!! TICKLE THE BEAST!!

No approval came out during the 3.5 to 4 hours of tickling. Harry finally had to take matters into his own hands and took full responsibility for any consequences of performing this change without approval from "THE process"... Harry is one brave man. We will always remember him as the brave manager who took responsibility. Who actually took a stand against "THE process". Brave enough to take matters into his own hands. Brave enough to face the consequences. "We can DO this if we bypass THE process" were his famous last words.

Run people... RUN!! "THE process" is coming for you next... He's coming for all of us... RUN!! RUN!!! And don't look back. Keep running!!

After this cynical rant I would like to wrap things up with some science. According to the first Theorem of Ludicrus this change process is a complete waste of time. It's not flexible. It can't cope with many kinds of changes. No one really knows how this process works. Who is supposed to do what to get the desired result? The amount of effort that this process requires to get anything done outweighs any possible positive side-effects by far. Applying the first theorem of Ludicrus to this process will proof its utter futility.

"First theorem of Ludicrus:
Any process that requires more effort then getting a woman to sleep with you will render itself useless over time."

This actually makes sense. Why waste so much effort on this process while less effort gets you way more satisfaction...

Kill "THE process" before it kills you.

Kind regards,
Eddie.

Stupid Trojan attack

Sun, 13 Nov 11 13:33:05 +0100

Yesterday I received a pretty stupid e-mail with a too obvious Trojan attack:

From: 
To: 
Subject: Re:
Date: Mon, 20 Aug 2007 15:45:41 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="windows-1252";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200

Well you showed me yours, I guess I better show you mine, hehe.
check out my pics. http://220.131.38.189/

The URL to 220.131.38.189 yields another too stupid page:

HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/0.5.17
Date: Mon, 20 Aug 2007 23:04:11 GMT
X-Powered-By: PHP/5.2.1

If you do not see the Secure Login Window please install
our Secure Login Applet.

Let's see who the sod is who distributes such crap (whois output):

inetnum:      220.129.0.0 - 220.143.255.255
netname:      HINET-NET
country:      TW
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
admin-c:      HN27-AP
tech-c:       HN28-AP
status:       ALLOCATED PORTABLE
changed:      hostmaster@twnic.net 20030611
mnt-by:       MAINT-TW-TWNIC
source:       APNIC

Ah, a range. It'll be an ISP. Most likely one of their customers was infected previously with this Trojan and now is propagating it.

Now to fall for this, you would have to do two or maybe even three stupid things:

Click on the URL in the mail, which is specified by just an IP address;
In the browser, truly "download an applet" which is an exe;
In most cases the browser will warn you, and you need to click away the warning.

Given the fact that this is just one of such obvious attacks that I've seen lately, there must be some people who follow the above steps. Otherwise such attacks wouldn't propagate. In previous situations I would try to contact the ISP of such an infected system. Nowadays I don't even try, I've found ISP's nonresponding at best.

Still it's pretty sad to see that anyone should fall for such simplicity. Maybe these people are all newbies.. What's humanity coming to?

Back in 1994

Sun, 13 Nov 11 13:33:05 +0100

Aah, the sweet old times. It all used to be so fun. Accidentally I came across an article on the First Dutch International Symposium on Linux, which I co-organized back in 1994.

Me and a few colleagues (Frank Brokken and Piet Plomp) had decided to organize this because Linux (at that point kernel 1.2 or similar) was such great fun - especially when one was used to the IBM RT series. The symposium was held in the Amsterdam "Rai", a huge congress center where we had a hall. The entrance fees were very low; all we needed was to pay for the hall - and for one airline ticket. Linus Torvalds came over, but had no money for the fare. There was a panopticum of cool speakers and talks, of which I remember Matt Welsh (porting to Linux), Remy Card (ext2) and of course Linus himself, who opened and closed the two day symposium.

A huge group of speakers and visitors went into the city that night to have dinner and check out the sights. It was an amazing experience to meet the core of the Linux movement that day.

If you like to read some more, see http://www.linuxjournal.com/article/1026, an article by Michael Johnson of the Linux Journal. He had a talk too - about the way the journal affected Linux distribution.

Matt Welsh and Linus Torvalds

A girly iPod

Sun, 13 Nov 11 13:33:05 +0100

Some time ago while kidding around, I told my family that iPods were way cool and that I wouldn't mind walking around with one, even if it were bright pink.

This weekend was my birthday, and guess what... I'm walking around with a bright pink "girly" iPod. And it's a great gadget, just what I'd wanted: easy to use, it does what it's supposed to do, no extra "features" that no-one would ever use, no moving parts (yes, I really wanted a diskless portable music player). Simply great. Color's a bit odd, but hey, it stands out.

Crossroads for RDP connections

Sun, 13 Nov 11 13:33:05 +0100

Today I received a very nice mail from Jase McC:

I just wanted to say that Crossroads is a really nice application.
As a VMware guy, I'm always looking for a way to get more for less.
Connection Brokers, which are basically RDP/ICA load balancers
typically cost a fair amount of money.  I wrote an article on how
to use Crossroads as a Connection Broker for RDP connections.

Feel free to check it out my article at:
http://www.jasemccarty.com/blog/2007/08/free-load-balancer-possible-connection.html

Thanks for a great app.

Much appreciated Jase! A great pleasure to get your mail and to read your article!

Firewall art

Sun, 13 Nov 11 13:33:05 +0100

Pioni-Sensei, aka Bart (son of my business partner Harry) created a way cool image of a firewall. I've heard that it will be used by a Thai magazine! Kudos, Pioni-Sensei! As far as I know, this is the first time that one of his pictures is used in publishing. Way to go!

For more, check out his site at DeviantArt.

jpeginfo

Sun, 13 Nov 11 13:33:05 +0100

I frequently batch-convert jpeg images to smaller size, e.g. to use on a web page. I've been Googling for a small and fast command line tool to tell me per image what the current size is, and haven't been able to find one! How odd.

So anyway, I decided to cook one myself, after I got fed up searching. It's on this server too.

Good People

Sun, 13 Nov 11 13:33:05 +0100

Just returned from a week's holiday in Scotland. I know I know - had loads of holiday time this year, lucky git.

Anyway, while in Scotland, me and the family met up with Internet buddies that we've known for a few months in the virtual world. It's the first time that I've met virtual friends "irl" and I was quite nervous about it. The mental image of someone is often radically different from the real thing!

I shouldn't have worried. Our virtual friends appeared to be simply great people, who took us in, showed us around, lend us waterbottles, maps and other hiking accessories, and were just fantastic.

So there are still Good People around. And they live in Scotland. Cheers, Pagann, Skiffle and Xack!

The Real Crossroads

Sun, 13 Nov 11 13:33:05 +0100

Sent to me by my buddy and former boss-colleague Frank Brokken. The "real" Crossroads is at the Kerkstraat ("Church street") in Groningen. They don't serve software balancers, but sandwiches, coffee and the like...

BBC Documentaries in the Netherlands

Sun, 13 Nov 11 13:33:05 +0100

I just got back from a beatiful two weeks' holiday in Spain. The weather was just gorgeous, the sea was great, the company was fantastic, the food and drink marvellous.

Back in the Netherlands, the weather's all rainy and it's way too cold for summer. And to top it off, one of the first news bits to reach me is that one of the Dutch TV channels has sensored BBC documentaries to suit their purposes. Richard Attenborough's beautiful nature documentaries were stripped from references to evolutionary effects. The TV channel company is -of course- EO, the Evangelists' channel. (If you're interested: Dutch texts are available on http://evolutie.blog.com/).

Aaaaarghh! I'm seriously contemplating moving to a different country. And no, not the US of A - it looks like here in the Netherlands we're experiencing some of the worst influences from across the Atlantic.

No problems with Crossroads so far

Sun, 13 Nov 11 13:33:05 +0100

Some time ago I mailed with Joern F., concerning a support request for Crossroads (see the original request). Today I received a very nice mail from Joern:

As promised some weeks ago, here one more report of our experiences
with your software. The conlusion is: It works great! We still use
version 1.44 and did not notice any problems since our last contact.

Thanks for your cool software!

Always very nice to hear. Joern is using Crossroads as a front end for 5 MySQL database servers. Here is the run report after a few weeks of activity.

FYI - our status:

lxcross2:/etc/init.d # crossroads status
Service      : mysql, 146 live connections, last backend 0
  Backend  0 : ffm241 is available, 37 live connections
    Stats    : 26 failures out of 101234 connections
               usage 14762h12m10.09s, 726.74Gb
  Backend  1 : Ffm180 is available, 37 live connections
    Stats    : 8 failures out of 104824 connections
               usage 14940h42m53.84s, 718.88Gb
  Backend  2 : Ffmm229 is DOWN, 0 live connections
    Stats    : 1 failures out of 80527 connections
               usage 11748h2m23.93s, 554.81Gb
  Backend  3 : Ffm191 is available, 36 live connections
    Stats    : 0 failures out of 102600 connections
               usage 14969h36m25.69s, 722.84Gb
  Backend  4 : Ffm240 is available, 36 live connections
    Stats    : 33 failures out of 100306 connections
               usage 14419h11m46.20s, 713.77Gb

Glad that it works, Joern!

Politically correct ad nauseam

Sun, 13 Nov 11 13:33:05 +0100

Lately I've been encountering a very curious perversion of grammar use. It mainly occurs in 'serious' articles, and it has to be inspired by the necessity to make such articles politically correct beyond any doubt.

Let me illustrate.

"Thus, if an individual does so-and-so, she has nothing to worry about."

Mind you, this is not about specifically men or women - it's about people in general. Since when is "an individual" a feminine idiom for "human"? A few years ago we could all enjoy the rise of the "they" form, as in "Thus, if an individual does so-and-so, they have nothing to worry about." Personally, I find this almost as unnatural as the "she" form. There's a weird singular/plural transition here that doesn't belong.

It looks as nowadays everyone needs to outdo that form to be even more acceptable. Is the need for political correctness so compelling that we need to circumvent grammar rules and invent gender switches just to be able to say, "hey, my article is written in such a way that you need to take it seriously"? Political correctness ad nauseam - or translated, that makes you puke.

Why can't all the correctness-junkies out there just come to terms with grammar? "Man" is a masculine gender word, even when used in "mankind", or in a phrase like "Man has existed for thousands of years". Yes yes yes - so have women. I know. Get a grip and move on.

Want to know something really shocking? The German word for girl, "Mädchen", is neither masculine nor feminine - it's neutral. My prediction: In a few years such sentences will use the neutral "it", as in "thus, if an individual does so-and-so, it has nothing to worry about." Next, all neutered cats will go ape and demand a different phrasing.

Waka Waka Poem

Sun, 13 Nov 11 13:33:05 +0100

The Waka Waka Poem is very old indeed. I remember seeing it back in the eighties where ancient newsgroups like alt.humor would feature it at least once a week. I haven't seen it for a few years now - so just to make sure that this classic doesn't slide into oblivion, here it is again. One of my all time favorites.

<> !*''#               Waka waka bang splat tick tick hash,
^"`$$-                 Caret quote back-tick dollar dollar dash,
!*=@$_                 Bang splat equal at dollar under-score,
%*<> ~#4               Percent splat waka waka tilde number four,
&[]../                 Ampersand bracket bracket dot dot slash,
|{,,SYSTEM HALTED      Vertical-bar curly-bracket comma comma CRASH.

Voyage of the rubber ducks

Sun, 13 Nov 11 13:33:05 +0100

Sometimes one will find an article that fires the imagination in an unexpected way. Seen today on The Daily Mail:

"Thousands of rubber ducks to land on British shores after 15 year journey

They were toys destined only to bob up and down in nothing bigger than a child's bath - but so far they have floated halfway around the world. The armada of 29,000 plastic yellow ducks, blue turtles and green frogs broke free from a cargo ship 15 years ago. Since then they have travelled 17,000 miles, floating over the site where the Titanic sank, landing in Hawaii and even spending years frozen in an Arctic ice pack. And now they are heading straight for Britain. At some point this summer they are expected to be spotted on beaches in South-West England."

The story also mentions one researcher Curtis Ebbesmeyer, who has devoted loads of time to this subject. Oh one can only wish for such a job. How cool would that be, to be able to say at a party, "Yeah, well, I study the trek of rubber ducks.."

The On Off Switch

Sun, 13 Nov 11 13:33:05 +0100

Today we had a blackout at the e-tunity.com server. It appeared that the hosting provider had replaced some power component during the last night, so that the power had been off for a little.

The server is a great looking rack unit, with loads of lights and tiptronic switches in the front panel. Works way cool, except.. when the power is off, you have to touch the on button to start the server.

Not a very smart design for a rack based system. Whatever happened to the oldfashioned switches that would just have two positions, on and off, and would go clang when you flipped them? The advantage was that once they were in the on position, they would stay that way!

It seems to me that this is one of the situations where a modern design with bells 'n' whistles is a bit overdone. My primary interest in server's design is that I just want it to be resilient as hell. I want to be forced to go to that rack on as few occasions as possible. And I don't care how the front panel looks; I'm even pretty sure that the folks at the hosting company don't care either.

No free lunch

Sun, 13 Nov 11 13:33:05 +0100

In search of a motto for the next week, I think I'll go for

Timeo Danaos et dona ferentes

(Translation: There's nothing like a free lunch. Actually this is Vergil's version of the Aeneas, where an advisor to the king of Troy states: "I fear the Greeks, even though they're bringing gifts." He meant to say: "Let's leave that damn horse outside the city gate, or better yet: burn it right here at the beach... cuz there's gotta be a downside here, there's nothing like a free lunch." The king should've realized this too.)

Crossroads web interface

Sun, 13 Nov 11 13:33:05 +0100

It took me a while, but finally there's a web interface to Crossroads. It's in the package as of version 1.46. The web interface can report on the status of back ends, and you can toggle the status - e.g., from available to down to take a back end offline.

Here's a screen dump.

Blinkenlights

Sun, 13 Nov 11 13:33:05 +0100

An oldie goldie. Instructions: Print out in a large font, and stick it onto the front panel of all running servers.

-------------------------------------------------------------
  ACHTUNG! Alles touristen und non-technischen peepers!

  Das machine control is nicht fur gerfinger-poken und
  mittengrabben. Oderwise is easy schnappen der springenwerk,
  blowen fuse, und poppencorken mit spitzensparken.
  Der machine is diggen by experten only. Is nicht fur
  geverken by das dummkopfen. Das rubbernecken sightseenen
  keepen das cotten picken hands in das pockets,
  so relaxen und watchen das blinkenlights.
--------------------------------------------------------------

There is no silver bullet

Sun, 13 Nov 11 13:33:05 +0100

I've spent a few years in software development, and I've very often encountered folks who are frantically looking for the Solution to All Problems, Once And For All. Or they're on the lookout for the next software develpment methodology, that will Solve All Problems, Once And For All. Or they're waiting for the next whatever thing to Solve All Problems (you get the idea by now). In short, they want the Silver Bullet.

Recently Jos Visser forwarded me an article by Daniel M. Berry, titled The Inevitable Pain of Software Development: Why There Is No Silver Bullet. The article has a nice theoretical background on why having a silver bullet isn't possible. And from personal experience, this all sounds soooo true. Plus, it's very interesting reading, in a nerdish sort of way.

The article is rissef.painpaper.pdf. Happy reading!

(Dan Berry's restriction is that the paper may be downloaded only as a whole. His personal page is http://se.uwaterloo.ca/~dberry/.)

Motto of the week

Sun, 13 Nov 11 13:33:05 +0100

As for my motto of the week for the upcoming management meetings: I've decided upon the following.

Ceterum censeo Carthaginem esse delendam.

(Or translated: Besides, I think we should use more Open Source components in our application infrastructure.

Historical note: Cato, one of the Roman senators, used to nag the Senate with this sentence, stating that in his opinion, the city of Carthage should be destroyed. After some years the senate sent an army and destroyed the city, and along with it, an entire culture. They probably did so to get rid of the nagging and not because Carthage was a threat. So - if I keep nagging as well, will I have my way too?)

Do not feed the troll

Sun, 13 Nov 11 13:33:05 +0100

Seen today on the Apache user's mailing list:

"I noticed someone was using a CONNECT xxx.xxx.xxx.xxx http command against Apache. I was wondering how to disable the CONNECT command from executing on Apache. In a couple of entries I noticed a connection from Seattle that might be a spammer so I want to disable the CONNECT command from running successfully."

Being a good Samaritan I replied with a few tips. But later I couldn't help wondering: is this a troll who's hoping for a response like, "Yeah, we have that at www.oursite.org as well", just to get a new address of an open proxy?

Or is this a valid question on a list of an Apache self-help group? Am I being paranoid? Do I have reason to be?

Which programming language are you

Sun, 13 Nov 11 13:33:05 +0100

Sunday afternoon, it's rainy, and I've got too much time on my hands. So I take the quiz "Which programming language are you?". And the results...

Aargh!
(Click (on the image (above)) if you want to try (the (same) test))

Crossroads support request

Sun, 13 Nov 11 13:33:05 +0100

I recenty received a support request for Crossroads from Joern F. His company runs Crossroads to balance database requests to a farm of MySQL servers. After describing the bug, he writes...

But anyway - and this must be mentioned - crossroads is a rocksolid
piece software! Easy to handle, fast and tiny. Thank you for writing it!

It would be a great favour for us if you find the time to analyse this.

How could I refuse? (Well actually I'd have bugfixed Crossroads anyway. It works the other way 'round - Joern, thanks for reporting this!) Still, it's very nice to read.

Bokito glasses

Sun, 13 Nov 11 13:33:05 +0100

There has been a tragic incident in the Netherlands where an alpha male gorilla jumped a fence in a zoo and attacked a lady. Fortunately she survived, though she was badly hurt.

Though in itself this is a sad incident, the fun soon started. The analysis as to why the ape attacked, was: the lady was smiling at Bokito (the ape), and not averting her eyes - so in fact she was provoking him. The proper way to be in the company of Bokito is to avert your eyes, and never to show your teeth..

Upon which some smartpants came up with an idea: why not distribute glasses to zoo visitors that make your eyes seem to look the other way? The purpose would be that the apes don't feel observed. This was actually featured in a newspaper, I shit thee not.

There's just one answer that remains: where the heck do I get those glasses? I really need those for my upcoming work meetings...

Update: I had a photo here of the glasses in action. Apparently I shouldn't have published that... more info to follow... In the mean time, if you want to see the photo, google it.

Apache mod_proxy balancer description

Sun, 13 Nov 11 13:33:05 +0100

I'm trying out Apache 2.2.4's mod_proxy for balancing purposes. The guys at Apache rock!

The text in http://httpd.apache.org/docs/2.2/mod/mod_proxy.html is however slightly off. If you want to enable cookie stickiness, then you'll need something like the following:

    # URI /app goes to the balancer, and it's sticky by cookie CellColor
    ProxyPass		/app balancer://purple/app \
			stickysession=CellColor

    # The balancer with two worker, each having a route color
    
        BalancerMember	http://localhost:9001 route=red
        BalancerMember	http://localhost:9002 route=blue

Now for the sticky cookie. There are two things involved:

The cookie is named CellColor,
The routes are red and blue.

The workers at http://localhost:9001 and 9002 will now have to inject cookies named CellColor, having the value balancer.red or balancer.blue. Don't ask why balancer must occur in the cookie value, I wouldn't know. If there must be a prefix before red or blue, then I would've expected the balancer's URI, in my example purple. Or I wouldn't have expected a prefix at all, it's pretty redundant IMHO.

Anyway, injecting the cookies is trivial:

# Red balancer member at port 9001
Header add Set-Cookie CellColor=balancer.red

# Blue balancer member at port 9002
Header add Set-Cookie CellColor=balancer.blue

A ticketnumber is not support

Sun, 13 Nov 11 13:33:05 +0100

My collegue & buddy Eddie is planning to start an awareness campaign, using the following slogans:

TICKETNUMBER != SUPPORT
SOURCECODE == SUPPORT

The plan is to spread the word on banners, pens, stickers, buttons, posters, t-shirts, mugs, ties.. and what not. Then there's to be a t-shirt with

"I called tech support & all I got is this lousy ticketnumber"

Brilliant, or what? I'm all for. Let's do it Eddie!

403 Hammertime

Sun, 13 Nov 11 13:33:05 +0100

Here's a great page that I shamelessly ripped from uncyclopedia. It's a webserver error page for code 403, Temporarily unavailable..

HTTP Error 403: Can't touch this!

Cute, or what?

Playground Fun

Sun, 13 Nov 11 13:33:05 +0100

This is a somewhat odd picture taken at a Belgian playground. It's been circulating the 'net for some time now...

Ascii man

Sun, 13 Nov 11 13:33:05 +0100

Remember the old days when ascii art was still an item?

This is a pretty old image. I remember seeing it about two years ago, and it had already slipped my mind. But only almost. Now I saw it again, and it caught my eye again, so I thought I'd give it a place where I could find it again.

Cannot find the damn server

Sun, 13 Nov 11 13:33:05 +0100

Here's an alternative to IE's builtin 404 page. I think it has great potential.

(This was sent to me by Fred D., a valued collegue. Thanks FD!)

The BFG200

Sun, 13 Nov 11 13:33:05 +0100

Ah, a faint echo from the past. This is actually a gun in World of Warcraft, and it's got some fancy name. But most of all it reminds me of the world famous "BFG 2000" gun of Doom, which could just zap anything. So big that the player should actually tip over when holding it.

(This is me, Klinky, and the pet white tiger in Steamvaults.)

Crossroads Top User

Sun, 13 Nov 11 13:33:05 +0100

There's another top user of Crossroads on the block. I received this nice mail the other day.

Service      : wwwhttp, 10 live connections, last backend 2
 Backend  0 : www1 is available, 3 live connections
   Stats    : 0 failures out of 2747362 connections, 2747362 sessions,
              usage 0.00s, 1.30103b
 Backend  1 : www2 is available, 5 live connections
   Stats    : 0 failures out of 5486943 connections, 5486941 sessions,
              usage 0.00s, 87.5869b
 Backend  2 : www3 is available, 2 live connections
   Stats    : 0 failures out of 5488705 connections, 5488702 sessions,
              usage 0.02s, 19.74Kb

running realy great :)
(4 days ~ 14 mio sessions => 3,5 mio per day)

Now that is the sort of news to make my day...

Crossroads Usage

Sun, 13 Nov 11 13:33:05 +0100

Today I received a short mail message with a remark and a question concerning Crossroads (which aren't relevant here) -- but anyway, it also stated the load that Crossroads handles at a given site.

At that site, Crossroads serves more than 2.500.000 (two and a half million!) requests per day at that site. Now if that were a flat day usage, I'd arrive at 104.000 hits per our, or 2.083 hits per minute, or 28 per second. It's safe to assume that the distribution over the day is in fact not flat, so just guessing.. the peaks may well range to 140 - 280 per second. Maybe even more.

Best thing ever is that the Linux system that runs Crossroads is on the average 95% idle. During busy hours that number is around 87%. (So still basically that system has a lot of spare time.)

Currently this site is Crossroads' top consumer, hitwise. Maybe I should send them a bunch of flowers or something?

The guy with the dark motorhelmet

Sun, 13 Nov 11 13:33:05 +0100

Some time ago I was at the railway station, preparing to get on a train somewhere. It was one of the first nice and sunny days of the year, and as I was early, I sort of lingered around outside the station entrance.

The peace was suddenly disturbed by the sound of very loud exhaust pipes. I, as many others, turned to see where the sound came from -- it turned out to be an approaching motorcycle. The driver was a big mean looking fellow: he wore a motorcycle helmet with dark visor, which totally obsured his face, a leather suit, and one of those cut off Jeans jackets where the sleeves were removed. On the back side of the jacket was a faded logo that had become unreadable.

The guy drove up sidewalk near the station entrance and revved his huge engine, which was a true Harley. An uncommon sight in the Netherlands, and especially so with the pipes that were custom made to produce the roar. I'm sure that he enjoyed the noise and the disapproving looks of all bystanders.

One of those bystanders was a little kid, no more than 8 years old. In total admiration, with his mouth slightly open, he gawked at the cycle and its driver. Then, very slowly, the motorcycle driver turned off his hellish machine, dismounted, and slowly took off the helmet. Contrary to my mind's image he turned out to be sixty-ish, with grey hair and a trimmed beard. The boy who so admiringly observed, couldn't hold it anymore, shouted, "Grandpa!", and ran to him to be caught in a big bearhug.

It dawned on me that my mind's image of a Hell's Angel preparing a train robbery might've been off. I observed the scene for a bit, turned away, and entered the station to buy my train ticket. Later, while waiting for my train, I saw grandpa and his grandson one more time. I also overheard a snippet of their conversation; grandpa saying that he had sooo looked forward to going to the zoo again with his grandson, and he wondered whether that old fat rhino would still be there. But even better than overhearing this, was the look on their faces: the grandson, glowing with happiness, admiration and anticipation, and the grandfather, glowing even more.

That day was a good day.

The Process and The Result

Sun, 13 Nov 11 13:33:05 +0100

Professional life in a corporate environment never ceases to amaze me. Over the years I've however detected a sort of Grand Scheme to which everyone seems to adher and which constantly seems to stalk me around, however I try to escape from it.

The Grand Scheme is: Never mind the result, as long as the process is OK.

How in name of insert-favorite-deity is it possible that we all think this way, like the proverbial lemmings that follow the tail in front of them, even when it leads to catastrophe? It's a true mystery for me. A great example is support contracts. Big companies pay tons of cash for support, and they even continue to pay when the support is below standard. They don't even mind when the support doesn't deliver!

And what to think of a support contract that states that the maximum reaction time is 4 hours? That means that the ones who are supposed to be the experts must call within 4 hours and say, yeah, hey, we got your message, and we issued you a ticket. A bleeding ticket isn't support! Support should be about the result, not the process to get there!

As for me, I can only think of one reason for this. The manager who arranges the support contract does this so that they can tell their boss, yeah, I got it all managed - so where's my christmas bonus. Their motive for getting the support in place isn't about the result at all. And of course the party that provides the support is more than happy to get away with a 4 hours response time, who wouldn't.

For me, there's just one lesson here: during every conference, at every decision moment, ask all who are involved: how does this help the product, or is it just window dressing for the process? When I try this, people look at me in a pretty strange way..

Quotes attributed to Jos

Sun, 13 Nov 11 13:33:05 +0100

I've had the privilege of working with Jos Visser for well over a year. In a corporate environment where procedures are discussed before results, he made a few very noteworthy remarks. They may be somewhat paraphrased, or not entirely his by origin -- but noteworthy nonetheless. If you have more, let me know! (And as soon as I can think of some more, I'll add them..)

Your ass is grass, and I'm the lawnmower. Spoken during a teleconference where he got somewhat agitated.
Forget about operational excellence. Lets strive for operational mediocrisy. He wasn't always too fond of the IT Operations procedures.
We're up the proverbial creek without a paddle to row. Remarked during a large scale black out of our systems.
I'd like to make a movie, called the Corporate Hooligan. He liked to envision himself as a corporate Jackass actor, storming into lunch meetings, grabbing food, and stuffing it into his mouth, just to piss off people. (Well, it was funny at that time.)
There is no silver bullet. Often remarked during meetings when a totally new approach or application was presented that was sure to solve all our software-related problems.
If you can't impress them with excellence, dazzle them with bullshit. Often used against vendors who present their product and talk the newest and hippest techno talk (and fail to camouflage how shallow their product is, if you listen carefully).

A really nice comment about Crossroads

Sun, 13 Nov 11 13:33:05 +0100

Today I received a great e-mail from GS, one of the people who use Crossroads on a regular basis. After he'd helped me find a fault in Crossroads and after I'd made a fix, he wrote back:

Thanks for this quick fix (again)!

By the way: just yesterday I talked with an colleague about crossroads and your support and we both agreed that the speed and quality of support from your side is extra-ordinary. We both couldn't come up with something comparable, neither with opensource projects nor with paid support for proprietary software (and believe me, this company pays quite a lot for support to various other companies...).

This being said, I'll start testing 1.30 right away. :-)

Now is this rewarding or what? Thanks again GS, for the truly nice comment.

Kubat in the air

Sun, 13 Nov 11 13:33:05 +0100

How odd can things get? It would appear that there's a Kubat marker in the Dutch airspace, to be more precise: in the Northern part of the Netherlands, near Groningen Airport.

Thanks, Frank Brokken (good friend and former collegue) for letting me know.

(Incase you're dyslexic: the Kubat marker is in the 048 degrees direction from EHGG, in the top right hand corner of the image. It's right on the Dutch border; beyond Kubat starts Germany.)