Here's the basic idea:

You have a config file that contains all of your local configuration variables. It looks a lot like database.yml.

 
# config/config.yml
 
development:
  session_key: example_development
  session_secret: ESl6X3oKM1i1RRrD2QLwUUzz9jr1zxNO
  domain: http://example.com
 
test:
  session_key: example_test
  session_secret: vrwPpJTvwnMVLP1wTSgqigSl7PMI7QcE
  domain: http://example.com
 
production:
  session_key: # any string identifying your app
  session_secret: # a random, secret string at least 32 characters long
  domain: # http://example.com
  mailer: # noreply@example.com
 

You perform a little trickery in environment.rb to prefer the Heroku ENV storage of config vars (in the production environment), but you fall back to your config.yml if the config vars aren't found in ENV (in the development and test environments).

 
# config/environment.rb
 
Rails::Initializer.run do |config|
  require 'yaml'
 
  # support yaml and heroku config vars, preferring ENV for heroku
  CONFIG = (YAML.load_file('config/config.yml')[RAILS_ENV] rescue {}).merge(ENV)
 
  config.action_controller.session = {
    :key => CONFIG['session_key'],
    :secret => CONFIG['session_secret']
  }
end
 

Then, you create a rake task (rake heroku:config) that can be used to send all of the config vars for your production environment up to Heroku. This task can be invoked once to set things up, but can also be run again if you need to make any additions or changes.

 
# lib/tasks/heroku.rake
 
namespace :heroku do
  task :config do
    puts "Reading config/config.yml and sending config vars to Heroku..."
    CONFIG = YAML.load_file('config/config.yml')['production'] rescue {}
    command = "heroku config:add"
    CONFIG.each {|key, val| command << " #{key}=#{val} " if val }
    system command
  end
end
 

This way, you've got all of your config vars stored with the project (.gitignored, of course)...

 
# .gitignore
 
/tmp/**/*
/log/*
*.log
/tmp/restart.txt
/config/config.yml
/config/database.yml
/db/*.sqlite3
 

...and you can easily set what you need on Heroku, like so:

 
$ rake heroku:config
Reading config/config.yml and sending config vars to Heroku...
Adding config vars:
  session_key => example_production
  session_secret => 1WlkMkYYi5611vtF...0ZMS2G3Xl67s4lEIK4sj65
  domain => http://example.com
  mailer => noreply@example.com
Restarting app...done.
 

The result is a pretty nice, I think.

You can see the installation and deployment instructions for my open source project El Dorado if you're curious about the overall flow.

I'd love to get some feedback on this approach, but I really like it so far :)

• You're running Debian Lenny and you've got root access
• You've got a functioning apache2 installation
• You know the basics of working on the command line (i.e. how to edit files, execute commands, etc.)

If the above is true of your situation, read on to learn how to install Ruby Enterprise, Phusion Passenger and El Dorado from scratch in a sort of "one-off" setting where you've got one server and you want it to run one site.

NB: These instructions don't use git or capistrano. The instructions contained in the El Dorado README describe how to install El Dorado using those tools. Using them makes for an easier and cleaner installation. It also makes for easier scalability, upgrading and patching: I highly recommend using those tools.

1. Resolve Dependencies

The first thing you'll need to do, even before installing RE or PP, is make sure that you've got the development files for the databases that RE and PP applications use:

apt-get install libsqlite3-ruby postgresql-8.3-plruby libmysql-ruby libmysqlclient15-dev postgresql-server-dev-8.3 libsqlite3-dev

If you don't resolve these dependencies now, you'll get a message during the RE installation that prompts you to install gems for mysql, postgres, etc. and then, when you go to install those gems, you'll get an error like this:

ERROR:  Error installing mysql:
	ERROR: Failed to build gem native extension.

So just go ahead and resolve those dependencies in advance.

2. Install Ruby Enterprise

The best practice for this, as far as I know, is to install the current stable release of RE in /opt/. First, download the release you plan to use:

lana:~# cd /opt
lana:/opt# wget http://rubyforge.org/frs/download.php/58677/ruby-enterprise-1.8.6-20090610.tar.gz

Once that's down, untar it and execute the installer script:

lana:/opt# tar -zxvf ruby-enterprise-1.8.6-20090610.tar.gz
[...]
lana:/opt# cd ruby-enterprise-1.8.6-20090610/
lana:/opt/ruby-enterprise-1.8.6-20090610# ./installer

That should run, after a few tappings of ye olde Enter key, to its error-free conclusion. If, during the installation, the installer finds that you're missing software packages, the installer will bail and you'll be given some commands that fill those holes. Resolve those dependencies and finish the installation.

At the end of the installation, you'll be given some syntax that will automatically install PP. You'll use that in the next step.

3. Install Phusion Passenger

Use the automatically generated syntax:

lana:/opt/ruby-enterprise-1.8.6-20090610# /opt/ruby-enterprise-1.8.6-20090610/bin/passenger-install-apache2-module

Again, the installer will bail and prompt you to resolve dependencies if you've got any:

Installation instructions for required software

 * To install Apache 2 development headers:
   Please run apt-get install apache2-prefork-dev as root.

 * To install Apache Portable Runtime (APR) development headers:
   Please run apt-get install libapr1-dev as root.

 * To install Apache Portable Runtime Utility (APU) development headers:
   Please run apt-get install libaprutil1-dev as root.

Resolve dependencies and finish the installation.

Once it's finished, you'll be given some lines to add to your "Apache configuration file". The best file to add these lines to is /etc/apache2/httpd.conf.

Just don't forget that you added them there (as opposed to somewhere else), as you'll need to modify them if you upgrade RE.

You'll also probably want to go ahead and add the following lines while you've got the file open:

PassengerPoolIdleTime 14400
PassengerMaxInstancesPerApp 2

Those lines do exactly what it looks like they do. They're also very sensible settings to start with, as they'll prevent El Dorado from hogging a bunch of system resources, etc. right off the bat.

You can find more information here.

Finally, your /etc/apache2/httpd.conf file should look something like this:

PassengerPoolIdleTime 14400
PassengerMaxInstancesPerApp 2

LoadModule passenger_module /opt/ruby-enterprise-1.8.6-20090610/lib/ruby/gems/1.8/gems/passenger-2.2.4/ext/apache2/mod_passenger.so
PassengerRoot /opt/ruby-enterprise-1.8.6-20090610/lib/ruby/gems/1.8/gems/passenger-2.2.4
PassengerRuby /opt/ruby-enterprise-1.8.6-20090610/bin/ruby

Once you've made those changes, you're ready to begin installing El Dorado.

When it exits, the PP installer will show you some sample syntax for how to write an apache configuration file for your first application. You can ignore that for now, as we're going to come back to it later.

4. Install El Dorado

First, get the latest release of the software from Trevor's github: http://github.com/trevorturk/eldorado/tree/master

Once you've got the URL of the latest release, switch from root to a less privileged user, make a folder in your home dir for the site, download the latest release of El Dorado to that directory and untar it:

toconnell@lana:~$ mkdir example.com
toconnell@lana:~$ cd example.com
toconnell@lana:~/example.com$ wget wget http://download.github.com/trevorturk-eldorado-a37d0c71e928f605d111d5f48b5786ff613bf676.tar.gz
tar -zxvf trevorturk-eldorado-a37d0c71e928f605d111d5f48b5786ff613bf676.tar.gz

Now, get all of those files out of that big, ugly directory and into the current working directory and ditch those old files:

toconnell@lana:~/example.com$ mv trevorturk-eldorado-a37d0c71e928f605d111d5f48b5786ff613bf676/* .
toconnell@lana:~/example.com$ rm -rf trevorturk-eldorado-a37d0c71e928f605d111d5f48b5786ff613bf676*

Now, follow the instructions in the README and copy the example yml files to the places where the application will look for real, non-example files:

toconnell@lana:~/example.com$ cp config/database.example.yml config/database.yml
toconnell@lana:~/example.com$ cp config/config.example.yml config/config.yml

Now, use your favorite editor to edit the last stanza in config/config.yml so that it matches the information of your site:

production:
  session_key: example_production
  session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  # Replace these X's and make this string (at least) 32 random alpha-numerics for good site security
  domain: http://example.com
  mailer: noreply@example.com  

NB: There are "dev" and "test" entries in this default file. If you're not planning on doing anything development related with this installation, you can safely delete those entries.

Once you've edited that file, that's it, so far as the non-git installation is concerned. To get El Dorado up and running, you'll need to do some minor database tasks. Those are covered in the next section.

5. Configure the Database

Since MySQL is deprecated, I'll be using PostgreSQL for the remainder of these instructions.

If you look at config/database.yml, you'll notice that it's essentially a blank template:

development:
  adapter: sqlite3
  database: db/development.sqlite3
  timeout: 5000
  # adapter: mysql
  # database: eldorado_development
  # username:
  # password:
  # host: localhost

test:
  adapter: sqlite3
  database: db/test.sqlite3
  timeout: 5000

production:
  adapter:
  database:
  username:
  password:
  host:

First, edit that file:

production:
  adapter: postgresql
  database: example
  username: example
  password: XXXXXXXXXXXXXXXXXXXX
  host: localhost

NB: Again: once you've added your "production" entries to this file, you can feel free to delete the "test" and "dev" lines, as they do nothing and could cause confusion down the line.

Now, create the database and the user:

toconnell@lana:~/example.com$ sudo su postgres -c "createuser example"
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
toconnell@lana:~/example.com$ sudo su postgres -c "createdb example"

Next, start the postgres monitor as the postgres user and make the a few changes:

toconnell@lana:~/example.com$ sudo su postgres -c psql
Welcome to psql 8.3.7, the PostgreSQL interactive terminal.

postgres=# ALTER USER example PASSWORD 'XXXXXXXXXXXXXXXXXXXX';
ALTER ROLE
postgres=# ALTER DATABASE example OWNER TO example;
ALTER DATABASE

Now, if you've got your Postgres database configured correctly and your new user can access your new postgres database, you're ready to rake the El Dorado production database:

toconnell@lana:~/example.com$ /opt/ruby-enterprise-1.8.6-20090610/bin/rake rake db:schema:load RAILS_ENV=production

Once the database is successfully raked, all you've got to do to finish up is configure Apache.

6. Apache Configuration

The following assumes that you're doing apache the "Debian way".

If this is true, the first thing you'll do is create a symlink in /var/www/ that points at your install directory:

lana:/var/www# ln -s /home/toconnell/example.com/

Next, create a file in /etc/apache2/sites-available with the name of your site and then create a symlink to it in /etc/apache2/sites-enabled.

The file should look something like this:

#
# example.com
#
 
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin youremail@example.com
  DocumentRoot /home/toconnell/example.com/public
 
  <Directory "/var/www/example.com">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
 
  RewriteEngine On
 
  RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
  RewriteRule ^(.*)$ http://example.com$1 [R=301,L]
 
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [L]
 
  ErrorLog /var/log/apache2/example_error_log
  CustomLog /var/log/apache2/example_access_log combined
  RewriteLog /var/log/apache2/example_rewrite_log
  RewriteLogLevel 9
 
</VirtualHost>

NB: I've added some apache custom logging. Logs are good.

Once you've got the file in /etc/apache2/sites-available and the symlink in /etc/apache2/sites-enabled that points at that file, you should be ready to restart apache and get rolling:

lana:/etc/logrotate.d# /etc/init.d/apache2 reload

And that, as they say, is that. Once you reload apache, provided that your DNS is set up correctly and you haven't got any system problems beyond the scope of this document, your single instance of El Dorado should be ready for prime time.

Navigate to your site in your browser and create an administrative account: the first user who attempts to login will be the administrator. Once you've got your admin created, you're ready to start tweaking your new El Dorado site's appearance and adding users.

A note on upgrades: if you find you need/want to upgrade an instance of El Dorado that has been installed thus, consult the README. The basic gist is that you're going to want to download/copy the new source/program files over the old ones (while being careful not to erase your user-uploaded files) and then run rake db:migrate RAILS_ENV=production.

Answer: Turn off ri and rdoc installation.

Perch

Perch is a really little content management system for when you (or your clients) need to edit content without the hassle of setting up a big CMS.

Installing Ruby on Rails and PostgreSQL on OS X, Third Edition

Over the past few years, I’ve helped you walk through the process of getting Ruby on Rails up and running on Mac OS X. The last version has been getting a lot of comments related to issues with the new Apple Leopard, so I’m going this post will expand on previous installation guides with what’s working for me as of January 2008.

Thoughts on Opera Unite

Opera’s CEO Jon von Tetzchner claims that “Opera Unite now decentralizes and democratizes the cloud." I call bullshit. Opera Unite does indeed rely on a P2P-like network to function, but the big problem is that you must push all your traffic through Opera’s proxy service.

LESS - Leaner CSS

Less is Leaner css. Less extends css by adding: variables, mixins, operations and nested rules. Less uses existing css syntax. This means you can migrate your current .css files to .less in seconds and there is virtually no learning curve.

YC Company Hosting Stats

[Interesting stats and discussion on hosting.]

Rip: a RubyGems Replacement?

This makes package management as simple as passing files between friends. Email me your latest library, and I can run rip install path/to/lib. That’s it — you don’t need spec files, and you don’t need to build anything before your send me your code.

BigTable

BigTable is a fast and extremely large-scale DBMS. However, it departs from the typical convention of a fixed number of columns, instead described by the authors as "a sparse, distributed multi-dimensional sorted map", sharing characteristics of both row-oriented and column-oriented databases. BigTable is designed to scale into the petabyte range across "hundreds or thousands of machines, and to make it easy to add more machines [to] the system and automatically start taking advantage of those resources without any reconfiguration".

Opera Unite reinvents the Web: a Web server on the Web browser

[Very interesting possibilities here. Making it easier for people to serve content on the web can only lead to good things.]

tenderlove's markup_validity

Test for valid markup with test/unit or rspec

Hemlock

Hemlock is an open-source framework that combines the richness of Flash with the scalability of XMPP, facilitating a new class of web applications where multiple users can interact in real time. Games, workspace collaboration, educational tools… The only limit is your imagination.

Rip: A New Package Management System for Ruby

But why a completely new package manager? What's wrong with RubyGems? We asked one of Rip's developers, Chris Wanstrath...

Ruby at ThoughtWorks

ThoughtWorks started using Ruby for production projects in 2006, from then till the end of 2008 we had done 41 ruby projects. In preparation for a talk at QCon I surveyed these projects to examine what lessons we can draw from the experience. I describe our thoughts so far on common questions about Ruby's productivity, speed and maintainability.

[git pull] drm-next

See? All the rules really are pretty simple. There's that somewhat subtle
interaction between "keep your own history clean" and "never try to clean
up _other_ proples histories", but if you follow the rules for pulling,
you'll never have that problem.

Don't just follow the projects that you're interested in — follow other users. Here's a list of people that I'm following. They're constantly turning me on to new and interesting projects, because I get to see everything they're working on, and everything they're following.

Dig around the users that I follow, check out what they're been up to, and try it out. If you find that your feed becomes a bit much to manage, try subscribing to your personal RSS feed. There's a link on the home page when you're logged in.

Thanks, GitHub. You're the best.

Here's a quick tip I picked up here that will set your logs to automatically rotate in the test and development environments. Just add the following line to these files:

• config/development.rb
• config/test.rb

config.logger = Logger.new(config.log_path, 2, 20.megabytes)

Make sure you've got these in your .gitignore file as well:

/log/*
*.log

That will keep your log files under control, but with plenty of room for digging in if need be.

• SSH onto your VPS
• Run the following commands: "a2enmod expires" and "a2enmod deflate"

Now, open up your Apache vhost config for your Rails app. Add the following:

Then, restart Apache by running: "/etc/init.d/apache2 restart"

This will gzip your html, css, and javascript. It'll also add far future expires headers for the appropriate cacheable filetypes. There's no downside, and it only takes a second. Bang for buck.

Edit: Check the comments for some possible downsides... ;)

Trevor's Links

Email. Twice daily. No more, no less.

So, using some motivation from The Four Hour Workweek1, I opted to come back to the studio and change my behavior. That morning, I emailed my entire team and my clients to let them know that I would only be checking my email at 10am and 4pm each day.

How to Build a Popularity Algorithm You can be Proud of

Many web sites allow users to casts vote on items. These visitors' votes are then often used to detect the items' "popularity" and hence rank the rated items accordingly. And when "rank" comes into play things gets tricky...

Online communities, etc.

Anyway, I'm bored on a long bus drive and there's no real moral to the story here, just writing. I will be tuning out of the social networking sites because at the end of the day it's now doing more harm than good in the bigger picture and the experiment seems to have yielded a result. Idiots rule.

Really Simple Rails Log Rotatation

I always used logrotate Linux tool to setup log rotation for my Rails apps which has worked fine although it required finding some external config file and understanding its config options and syntax. [Great tip for development/test environments. Might not be a good idea in production?]

Instapaper bookmarklet, modified to close the current tab

I modified the bookmarklet slightly so that the tab closes immediately, without disturbing the pop-up. This way, saving something for later is one simple action, instead of two.

DeliciousSafari

Use and create Delicious bookmarks from the Safari web browser.

So, about this Shopify Platform

The Shopify platform allows any programmer to create applications that integrate natively with the administration interface or storefront. These applications can be written in any language and communicate with Shopify using our handcrafted REST API. We even provide some amazing rails generators to get started quickly.

Introducing Trample: A Better Load Simulator

Most load sim tools make requests to a static list of urls. They spawn n threads and make requests to the urls on the list in succession, in each thread. Unfortunately, though, if your applicaition makes use of any kind of caching (including your database's internal caching facilities), this kind of load simulation is unrealistic.

TOSBack | The Terms-Of-Service Tracker

TOSBack keeps an eye on 44 website policies. Every time one of them changes, you'll see an update here.

Twitter Blog: Not Playing Ball

We do recognize an opportunity to improve Twitter user experience and clear up confusion beyond simply removing impersonation accounts once alerted. We'll be experimenting with a beta preview of what we're calling Verified Accounts this summer.

cdto

Fast mini application that opens a Terminal.app window cd'd to the front most finder window. This app is designed (including it's icon) to placed in the finder window's toolbar.

Trevor's GitHub Links

quirkey's sammy

Sammy is a tiny javascript framework built on top of jQuery inspired by Ruby's Sinatra.

kabuki's heresy

Heresy is a schema free wrapper around your database, heavily inspired by both CouchDB and FriendFeed.

paulmars's seven_minute_abs

ab testing for rails

binarylogic's searchlogic at v2

Searchlogic has been completely rewritten for v2. It is much simpler and has taken an entirely new approach. To give you an idea, v1 had ~2300 lines of code, v2 has ~350 lines of code.

semanticart's is_paranoid

ActiveRecord 2.3 compatible gem "allowing you to hide and restore records without actually deleting them." Yes, like acts_as_paranoid, only implemented differently...

brynary's webrat

Webrat - Ruby Acceptance Testing for Web applications.

mbleigh's twitter-auth

Standard authentication stack for Rails using Twitter to log in.

courtenay's splam

Simple, pluggable, easily customizable score-based spam filter plugin for Ruby-based applications.

jeremy's ruby-prof

a fast code profiler for Ruby

nakajima's roleful

Generic roles for you and your objects.

37signals's wysihat

A WYSIWYG JavaScript framework

binarylogic's authlogic

A clean, simple, and unobtrusive ruby authentication solution.

joshuaclayton's blueprint-css

A CSS framework that aims to cut down on your CSS development time.

stephencelis's dots

Free progress dots for your scripts. Test::Unit-style.

wycats's merb-extlib

Ruby core extensions library extracted from Merb core.

jodosha's plugin_migrations

Rake tasks for running plugin migrations.

tcocca's acts_as_follower

A Plugin to add "Follow" functionality for models

mojodna's active_queue

A toolkit for queueing tasks and creating worker processes

Trevor's Links

Stowe Boyd launches Microsyntax.org

Stowe Boyd launched Microsyntax.org... a number of ideas for making posts on Twitter contain more information than what is superficially presented, and this new effort should create a space in which ideas, research, proposals and experiments can be made and discussed.

Amazon Payments Account Management

Amazon Simple Pay Subscriptions enables you to charge your customers on a recurring basis using a single authorization from the customer. It is for those who offer digital content subscriptions, collect membership dues on a periodic basis, or provide premium services on their website.

7 Great Reasons Not To Take VC Money

Raising venture capital for early stage start-ups seems to be the prevailing path for most entrepreneurs; however, most would-be founders should reconsider.

The importance of stupidity in scientific research

The crucial lesson was that the scope of things I didn't know wasn't merely vast; it was, for all practical purposes, infinite. That realization, instead of being discouraging, was liberating. If our ignorance is infinite, the only possible course of action is to muddle through as best we can.

When to use self in Rails models

When I started with Rails, half the words in my models were self. This wasn’t necessary. Now, when I edit code by other people, I find myself constantly deleting “self” from their code.

The random person test

Why not try to write code that future programmers will thank me for because it was so clear and obvious? Programmer skill should be measured not only in the complexity of the problems that they can solve, but in the clarity of their solutions.

Patience and hard work

There is a gaping chasm between a web app sitting on a server somewhere, and the ingredients of a business. Establishing a brand, getting the right kind of people to listen, and growing your own customer-base doesn’t happen as a by product of really sweet Javascript effects.

Google Wave: What Might Email Look Like If It Were Invented Today

Google wants other providers to adopt Wave - the protocol allows federation between independent Wave clouds. The team hopes that Wave will become as ubiquitous and interoperable as email and instant messaging, not just a Google product.

Ask HN: I'm Tired of Hacking. What Do I Do? Please Advise.

I just can't do it anymore. I hate sitting on my ass all day writing some code. My neck has been hurting for two years for spending so many hours in front of the computer. I kind of have been hating my career for a couple of years now and I have no clue about what I should do.

MacRuby, changing the Ruby ecosystem

MacRuby is an Apple-sponsored, open source, full Ruby implementation on top of Objective-C runtime. In other words, whatever code runs on Ruby 1.9, should/will run on MacRuby. Yes, you read correctly, MacRuby can/will be able to run all your Ruby code.

Mac-friendly Autotest

ZenTest’s autotest is great, but it has one drawback: In order to detect whether you have modified a file, it relies on filesystem polling. In other words it constantly traverses the filesystem and thus causes a lot of CPU and harddrive load.

Include vs Extend in Ruby

Now that we know the difference between an instance method and a class method, let’s cover the difference between include and extend in regards to modules. Include is for adding methods to an instance of a class and extend is for adding class methods. Let’s take a look at a small example.

Class and Instance Methods in Ruby

Class methods can only be called on classes and instance methods can only be called on an instance of a class. It’s simple when you understand it, but I remember being confused when I was learning Ruby. Hope this helps. If I was unclear or incorrect at any point above, let me know. [Nice, easy to follow overview.]

djng—a Django powered microframework

djng is my experiment to see what Django would like without settings.py and with a whole lot more turtles. It’s Yet Another Python Microframework.

Django tip: Caching and two-phased template rendering

We've launched user accounts at EveryBlock and we faced the interesting problem of needing to cache entire pages except for "You're logged in as [username]" bit top page. The solution ended up using is two-phased template rendering.

Assembling Pages Last: Edge Caching, ESI and Rails

[Good overview of ESI pros/cons.]

The open, social web

If I told you that the iPhone was the best example of the success of standards and open source, you’d probably laugh at me, but check it out...

Timothy's Links

Server Monitoring with Cacti + ServerStats | HostingFu

This is kind of cool: if you've got a computer somewhere on your local network and you want the laity to have access to rough stats, all you've got to do is fire this package up, tweak xinetd a little bit, and voila--your boss can look over your shoulder from the comforts of his own office.

Slicehost for Android // Slicehost - VPS Hosting

Trevor pointed me in the direction of this one. It's a neat little app--very minimalist and very Linux-y--that lets you check on your bandwidth, slice stats (e.g. mem/proc/distro name and version) and gives you the option to do a remote /sbin/poweroff or an /sbin/shutdown -h now. Very neat.

Research: Password 'secret question' woefully insecure

Let's get a movement going here: if enough Internet types spread the word that no one in their right mind or who possesses any kind of meaningful credential endorses "secret questions" and that, in fact, the research shows that they make accounts _less_ secure, maybe we can kick up enough dust to get rid of them.

Three Letters

This take on the classic joke has a sysadmin slant; guaranteed to be appreciated by everyone from Exchange rebooters in silk cravats to consolemen who live on the metal.

Here's the situation: you're the admin of a Windows domain where the Domain Controller is a Linux box serving Samba. Your problem, other than the fact that you're surrounded by Windows users, is that you've got a user who's password you don't know and, for whatever reason, you need to log onto your Windows domain as that user: a simple RUNAS won't cut it this time.

Normally, you'd just nuke his password, change it to "password" (or whatever), log on as him, do your dirty, sinful business, log off, expire his password and then send him an email telling him that his password has been changed to "password" and that he'll be prompted to change it at his next log on.

But what if that wasn't an option? What if you needed to log on to your domain as that user and it was important that he be none the wiser?

Grab the Hashes

First, use your favorite smbldap-type tool to get the current password info on the user you're fixin' to use:

frances:~# smbldap-usershow toconnell
dn: uid=toconnell,ou=Users,dc=domain,dc=com
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: toconnell
sn: toconnell
givenName: toconnell
uid: toconnell
uidNumber: 1007
[...]
sambaPwdCanChange: 1202398556
sambaPwdMustChange: 9223372036854775807
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
sambaPwdLastSet: 1202398556
userPassword: {SSHA}baSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Copy everything that's bolded and stick it somewhere safe. That dn information is going to be necessary later on, as it contains the ldap tags that you'll need to specify the record you want to modify; those hashes at the bottom are the user's original passwords and, when you want to cover your tracks later on, you'll need that info.

Now that you've got those hashes, you're free to nuke the user's password (again, using your favorite smbldap-type-tool or however else you like to reset passwords), log in as him, do whatever you have to do, and then log out:

frances:~# smbldap-passwd toconnell
Changing UNIX and samba passwords for toconnell
New password:
Retype new password:

Once you're out, you're going to want to set his password back to what it once was. This is where ldapmodify comes into play.

Kerberos

Before you can do that, however, you'll need to get a kerberos ticket. This is because you'll need to be kerberos-authenticated to make your ldap modifications stick. So, first things first, get yourself an admin kerberos ticket:

frances:~# kinit toconnell/admin
Password for toconnell/admin@DOMAIN.COM:
frances:~# 

ldapmodify

A quick glance at the man page for ldapmodify shows that the most convenient way to make changes to an ldap entry is to use the -f flag and an input file. The example in the man page for how to construct the input file is this:

 dn: cn=Modify Me,dc=example,dc=com
           changetype: modify
           replace: mail
           mail: modme@example.com
           -
           add: title
           title: Grand Pooba

So, using the data we got above, we're going to make a similar file containing the original hashes from our target user in order to change his password back to what it used to be:

dn: uid=toconnell,ou=Users,dc=domain,dc=com
changetype: modify
replace: sambaLMPassword
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
-
replace: sambaNTPassword
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
-
replace: userPassword
userPassword: {SSHA}abSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Remember to include those "-" characters and to give them their own line: if you fail to do that, you'll get mystery errors about unknown types, etc.

Once you've got your file, fire off your changes like this:

ldapmodify -f /path/to/file

And that's all you've got to do. When the original user attempts to log in with his old password, everything will look perfectly normal to him: you never saw his password in plaintext and, as far as he's concerned, none of this ever happened.

Interview with Ian Hickson, editor of the HTML 5 specification

You’ve heard it’s coming in 2012. Or maybe 2022. It’s certainly not ready yet, but some parts are already in browsers now so for the standards-savvy developers, the future is worth investigating today. Ian “Hixie” Hickson, editor of the HTML 5 specification, hopes that the spec will go to Last Call Working Draft in October this year.

The Mega RailsConf 2009 Round Up

A week ago, RailsConf 2009 kicked off in Las Vegas. As usual, it didn't fall short on drama, interesting sessions, and inspiration for the 1000+ attendees. This post is an after-event summary and long-term source of links to the best RailsConf 2009 related content found so far.

Nuts & Bolts: Campfire loves Erlang

Erlang definitely isn’t a replacement for Rails, but it is a fantastic addition to our collective toolbox for problems that Rails wasn’t designed to address. It’s always easier to work with the grain than against it, and adding more tools makes that more likely.

Tango Icon Theme Guidelines

The Tango icon theme's goal is to make applications not seem alien on any desktop. A user running a multiplatform application should not have the impression that the look is unpolished and inconsistent with what he or she is used to. While this isn't about merging styles of all desktop systems, we do aim to not be drastically different on each platform.

RightZoom Makes the OS X Maximize Button More Like Windows

Mac OS X only: System utility RightZoom runs in the background and modifies the OS X maximize behavior to fill the whole screen—perfect for readers that recently made the switch to Mac.

Railscasts - Factories not Fixtures

Fixtures are external dependencies which can make tests brittle and difficult to read. In this episode I show a better alternative using factories to generate the needed records. [I prefer Machinist to Factory Girl, but this is a particularly good episode all around.]

db/seeds.rb in Rails

Added db/seeds.rb as a default file for storing seed data for the database. Can be loaded with rake db:seed (or created alongside the db with db:setup). (This is also known as the "Stop Putting Gawd Damn Seed Data In Your Migrations" feature) [DHH]

Timothy's Links

The Security Implications Of Google Native Client

This is a really cool from Matasano about how things like ActiveX and Java work from the perspective of someone trying to execute compiled code from a remote source without giving away the whole store, security-wise. Nice pictures, very informative.

How to Add Date And Time To Your Bash History file -- Debian Admin

This is a neat one-liner for your .bashrc that just might make your .bash_history a little more searchable. Add it to your custom .bashrc lines.

Postfix main.cf analysis

Here's the setup: the one dude pastes his postconf -n and the other dude does through it, telling him what's what. Kind of a cross between a postmortem and an x-ray. Useful to test your postfix knowledge/skills.

SoS Wiki - - Split Screen Vi

If you use vi/vim and you don't do split screen, you are, in the immortal words of whatever Internet meme, doing it wrong. Study up!

Set Gmail as Default Mail Client in Ubuntu :: the How-To Geek

This is a neat little trick for writing a line or two of bash that will allow you to use gmail (via firefox) as your default email client in a gnome environment. It wouldn't take much to adapt the instructions for other desktop environments. (Props to Artie for sending this my way)

Reports: Thief holds Virginia medical data ransom

I guess, technically, that since I'm on the side of the law by virtue of my professional situation, I ought to regard this as terrifying or reprehensible or something. But you gotta admit: something about the idea of a blackhat utterly pwning someone's network to the extent of the pwnage described here is really, really exciting.

Postfix Backup MX eMail Server Anti-Spam Configuration

The English is a little messy on this one, but the conf text is right on. This is a nice little list of basic (yet above and beyond "stock") config options for reducing shenanigans and closing commonly exploited gaps.

Restore a single table from a large MySQL backup

I'm not sure that I understand the ruby syntax completely, but people are passing this link around, so this is my obligatory bump.

Since I was interested in hardening up two Debian boxes running Lenny, I started off by taking a look at the Securing Debian Manual, this very helpful page on LQ and the results of a tiger audit.

Do this to generate a tiger audit of your server:

# aptitude install tiger
tiger -E

The "-E" gets you what's called an "explanation report", which will be useful in helping you understand what can be some fairly cryptic output.

Additionally, the package version of tiger comes with some nice default settings for the main executable and for tigercron, which, as you might imagine, runs some minor scans on a pre-defined schedule.

At any rate, once I had my audit and had picked up a few bright ideas from the SDM, I made a number of changes to all of my web-facing production machines. What follows are some things that you might want to consider doing on your Debian Lenny servers:

Users and Permissions

1. Password Audit: first, I decided to get to know my user accounts a little better. This meant running john (formerly "john the ripper", a password cracker that reads hashed passwords and tries to decipher them) against my /etc/shadow to see who was using dictionary-based passwords and who was using other types of insecure passwords:

   # aptitude install john
   # john /etc/shadow 

   This took a while to run--a little over a day, but I had it niced pretty high--but of the 10 user accounts it cracked, it was good to know which ones were using hilariously insecure passwords and which ones probably weren't going to cracked by your garden variety brute force password cracker.

NB: if you run john against your /etc/shadow and realize that you've got a problem child on your hands, there's always chroot. Here is a really good how-to on chroot-jailing a user.

2. The Prunening: odds are, if you've been living on a system for more than a few months, you've accumulated some users (either from software that you've installed and then removed or by meeting user/developer needs, etc.) that aren't doing anything. One of the basic tenets of server security is having the smallest amount of users with the least amount of access to the smallest number of programs possible.

   In some environments, you've simply got to have a bunch of users in your /etc/passwd. In most situations, however, it makes good sense to just hit all the derelicts with a userdel and only having to worry about angry users not having enough access (rather than having to worry about unauthorized users having too much access).

Keeping Script Kiddies Under Control

In my (admittedly limited) experience, the most trouble you're going to run into from script kiddies are anonymous, unfocused attacks that attempt to gain access to your machine via either a.) the /tmp directory, b.) DoS-based exploints or c.) application attacks like SQL injections, XSS or directory traversal attacks.

Since guarding against application attacks is something that programmers are supposed to be handling, I decided to focus on stopping /tmp abuse and trying to stymie DoS attacks.

1. Mounting /tmp with noexec: in this age of VPSes and shared hosting, it's more often the case than not that you won't get to decide how your machine is partitioned. If, like me, you live on Slicehost and you're running Debian, your partition scheme looks like this:

   lana:/# df -h
   Filesystem            Size  Used Avail Use% Mounted on
   /dev/sda1              19G  9.0G  8.9G  51% /
   tmpfs                 256M     0  256M   0% /lib/init/rw
   udev                  256M   20K  256M   1% /dev

   What this means is that you've got your /tmp directory on your / partition. Which partition is, by necessity, allows files to be executable.

   And that, as I have learned (the hard way), is bad news. What this means is that, you've got a directory on your / partition--the partition where all your apps and data probably live--that is writable/readable by every Li, Ivan and Harry from Taipei to Yaktusk. And if one of the thousands of bots who knocks on your door every month knows how to write to /tmp and you don't catch him right away, it's pretty much game over for your TLD or your IP Address: one day, you'll wake up and find that your info is on every spam list on the Internet because your server has been under remote control via IRC for the last three weeks and now your full time job is trying to get your info off of those lists while planning a full OS re-install.

   Ideally, you would be able /tmp its own partition and mount that partition with noexec. And while it would be optimal, it sometimes isn't an option if you're a part of the VPS set.

   And if you can't control your installation or maybe you just can't take down a production server, what you can do is warn your users/developers that you're about to cause a little temporary chaos (get it? temporary chaos?), move your existing /tmp to some place else and create a small filesystem that you can mount noexec to use as /tmp. On Debian Lenny, that would look approximately like this:

   gonzo:/# mv /tmp /old_tmp
   # dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000
   1000000+0 records in
   1000000+0 records out
   1024000000 bytes (1.0 GB) copied, 29.1302 s, 35.2 MB/s
   gonzo:/# mkfs.ext3 -j .tmpfs
   [...]
   gonzo:/# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp/
   gonzo:/# mv /old_tmp/* /tmp/.

   Et voila! You've got a 1GB "drive" that's mounted noexec at /tmp that's ready to roll out. Any attempts to execute anything on that partition will result in a bad interpreter error. Check it:

   gonzo:/# ls -l tmp/
   total 20
   -rwxr-xr-x 1 root root    37 2009-05-15 14:54 executeMe.py
   drwx------ 2 root root 16384 2009-05-15 14:51 lost+found
   gonzo:/# test/executeMe.py
   bash: test/executeMe.py: /usr/bin/env: bad interpreter: Permission denied

   All you've got to do now is add that mount info to your fstab and you're ready to start sleeping at night again:

   /.tmpfs           /tmp            ext3    loop,nosuid,noexec,rw  0      0

   NB: don't forget that /tmp wants to have the sticky bit turned on (i.e. be chmoded to 1777). Also don't forget to make /var/tmp a symlink that points to /tmp.
   Also: props to Vincent Danen's post on /tmp at TechRepublic for the idea.

2. mod_evasive to Prevent DoS: after a recent DoS experience, I decided to install Apache mod_evasive to reduce the risk of getting flat-lined/broad-sided by DoS/DDoS attacks:

   # aptitude install libapache2-mod-evasive

   The beauty of using packaged software is that that's really all you have to do: apt will copy the files, create the symbolic links and restart apache for you. Nice.

3. sysctl real-time kernel Modifications: Additionally, you might also want to use a slightly obscure command called sysctl (which modifies kernel perameters while the kernel is running, so consider yourself warned) to take a precaution against a DoS tactic called "syn flooding":

   # sysctl -w net.ipv4.tcp_syncookies=1

   This is a sort of controversial measure--apparently it defies some RFC docs for TCP/IP--but setting tcp_syncookies to False has yet to have affected any of my computers.

   There are a number of additional security features you can activate with this command; Google it and prepared to be awed by some of the features of your OS you can control in real-time with sysctl.

For the Tin-foil Hat Crowd

What follows are non-specific countermeasures and settings that, while obscure and probably unlikely to save you from becoming an unwitting member of some Russian bot master's herd, might help you feel more secure in the knowledge that even if someone does get non-root shell access, he's probably not going to be able to do too much damage.

1. Add /usr/bin/mesg n to root's .bashrc File:
   executing mesg n on log in, prevents an admittedly rare exploit through which other users can execute arbitrary code as root by sending messages to his terminal.
2. Modify /etc/inittab to Prevent Non-root Users from Rebooting the System with ctrl+alt+del. In the stock /etc/inititab on Debian Lenny, you've got this line:

   # What to do when CTRL-ALT-DEL is pressed.
   ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

   Which is hardly optimal: this lets pretty much anyone who figures out a way to execute programs in /etc/sbin reboot the system. I changed it to:

   ca:12345:ctrlaltdel:/bin/false

3. SMTPD Settings If you run postfix, you should probably check up on your relay settings and update your external blacklist providers if you haven't done it in a while. Your mail server is the world's first line of defense against everything from phishing/spear-phishing to headline-making super worms:

   smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
     reject_unauth_destination,
     reject_unauth_pipelining,
     reject_invalid_hostname,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client zen.spamhaus.org
   smtpd_helo_required = yes
   disable_vrfy_command = yes
   
   smtpd_data_restrictions =
               reject_unauth_pipelining,
               permit
   

   That smtpd_help_required line might not seem like anything special, but I have a script that parses /var/log/mail.log output and, when you do get a spammer that responds to the helo request, a lot of times he'll come back with his actual domain.

   It's fun for research/study/personal amusement reasons, basically.

While some people might say that the above is overkill--that it's just not worth the time and effort to audit and harden at this level--but I'd say that this level of focus on security isn't so much "overkill" as it is "a pretty good start."

Because my thinking is that if you've got the root password, you're probably already the anxious type. And at the very least, being a little bit OCD about security on your all-important, mission-critical application servers might help you feel a little less anxious. Which is definitely worth the effort.

"Why Not?" replies the doc. "Who deserves one more?"

If you've got a Debian Lenny box out in the wild serving your email with postfix and you're not using spamassassin as a filter, you really ought to consider doing yourself a favor and throwing that spamassassin piece into the mix: it only takes a second, it will increase security for your users-- hardening up your network little bit--and make the world a slightly better place for everyone.

1. If you're OK with letting aptitude resolve your dependencies and manage your packages, all you need to do is install a single package:

   # aptitude install spamassassin

2. Once that's done, crack open /etc/default/spamassassin with your favorite editor and enable it to run as a daemon and update itself automatically:

   # Change to one to enable spamd
   #ENABLED=0
   ENABLED=1
   
   # Cronjob
   # Set to anything but 0 to enable the cron job to automatically update
   # spamassassin's rules on a nightly basis
   #CRON=0
   CRON=1

   (spamd is an old name for spamassassin: you'll notice a lot of the RHEL/CentOS/Fedora boxes out there running spamd.

3. Take a look at /etc/spamassassin/local.cf: there are some fun options that you can uncomment and enable in there. My personal favorite one is:

   rewrite_header Subject *****SPAM*****

   This does what it sounds like it does and rewrites the headers of suspicious emails: you can then easily configure your email client to recognize these headers and filter accordingly. Pretty sweet.

4. Start spamassassin:

   # /etc/init.d/spamassassin start

5. At this point, we're going to edit some postfix conf files, but we need to check on something first. Make sure SA is running, spawning children and listening on the right port:

   # netstat -anp |grep spam
   tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      11724/spamd.pid
   unix  2      [ ACC ]     STREAM     LISTENING     9096119  1717/master         private/spamassassin
   unix  3      [ ]         STREAM     CONNECTED     9757173  30093/spamd child
   unix  3      [ ]         STREAM     CONNECTED     9757172  11724/spamd.pid  

6. Noting that SA is listening on 783, tack the following on to the bottom of your /etc/postfix/master.cf:

   spamassassin unix -     n       n       -       -       pipe
           user=nobody argv=/usr/bin/spamc -f -e
           /usr/sbin/sendmail -oi -f ${sender} ${recipient}

7. Now find the SMTP/SMTPS lines in your /etc/postfix/master.cf and add the following option:

   -o content_filter=spamassassin

   Assuming you're doing SMTP and SMTPS, you'll have something like this at the top of your /etc/postfix/master.cf:

   smtp      inet  n       -       -       -       -       smtpd     -o content_filter=spamassassin
   smtps     inet  n       -       -       -       -       smtpd     -o content_filter=spamassassin

8. Reload Postfix:

   # postfix reload

And that's it: you're done.

If you can bear in mind that no spam-detection scheme is perfect, my guess is that you'll be pleased with your decision to set up SA: some spam will make it through, of course, but most of makes it through will come a.) as plaintext with escaped characters and b.) a lengthy disclaimer and an itemized spam "score":

Spam detection software, running on the system "molly", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Having trouble viewing this email? Click here! pharmacy medicine
   cabinet FSA home medical vitamins personal care diet & fitness men's SALE
   Get 80% Discount TODAY: This email was sent to you by drugstore.com. To ensure
   delivery to your inbox (not junk folders), please add drugstore@e.drugstore.com
   to your address book. [...] 

Content analysis details:   (13.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: lewdozed.cn]
 0.5 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d

...and so on.

So go ahead: do yourself a favor.

Trevor's Links

Geocities: Lessons So Far

Geocities was once called Beverly Hills Internet. The company was founded in 1994 but it wasn’t until mid-1995 that they publically offered what people now think of as a Geocities trademark: free webpages, or “homesteads”. [An article about the Archive Team trying to save Geocities content before Yahoo takes it down.]

How the OAuth Security Battle Was Won, Open Web Style - ReadWriteWeb

At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too... OAuth has support, but it doesn't have a centralized authority ready to deal with problems like this. Over the next week a story unfolded as the community moved to deal with the security issue. It's a dramatic story.

Tell me your best worst joke, Reddit.

[Includes such classics as: What's brown and sticky? A stick. --- Why does Snoop carry around an umbrella? Fo Drizzle. --- and, my personal favorite: Two snares and a cymbal fall off a cliff.]

Welcome to the Anti-Pitch

We're sick and tired of hack developers ripping off naive clients. And while I'm completely disgusted by some of the horror-stories I've heard lately, clients keep asking the wrong questions. As real developers, it's our responsibility to make the tough decision to speak the truth. This is an example of what we call the anti-pitch. [Excellent. I'm using this technique next time I'm dealing with potential clients.]

What Twitter Looks Like For Twitter Employees

...hackers sent them screenshots from the site Twitter employees use to manage the microblogging service, admin.twitter.com... [It's amazing to see all of the back-end stuff necessary to run something so "simple" as Twitter.]

Honeypot filter as a Rack middleware

Our site’s suggestion box got hammered by a spambot recently, so I created this simple Rack middleware to protect our app from any requests that include a honeypot field.

Rails Edge: Implement FooController.action(:name)

Rails actions are now Rack endpoints, and can be retrieved via FooController.action(name) and called with an env.

Make your site faster and cheaper to operate in one easy step

Is your web server using using gzip encoding? Surprisingly, many are not. I just wrote a little script to fetch the 30 external links off news.yc and check if they are using gzip encoding. Only 18 were, which means that the other 12 sites are needlessly slow, and also wasting money on bandwidth.

Passenger: Command line done right

What’s really great about Passenger is that the attention to detail doesn’t end at the installer. The Linux process list is a list of programs that are currently running. Usually, programs are shown in this list by their command line name, often an indecipherable mix of letters and numbers. Passenger processes are easy to spot and easy to understand. Human readable names in a machine-centred interface.

Muxtape Pushes Play Again

Muxtape’s stock parts are highly regimented, allowing bands to express themselves with freedom, though not completely freely. Every component is 300 pixels square, and there is virtually zero layout flexibility; you can have whatever arrangement you like, so long as it comes in rows of three. What’s more, for now there are no ‘social’ components to draw upon; no commenting, no friending, no favoriting, etc. The new Muxtape platform is nothing if not regimented.

An Aspirational Twitter

Tweetie is a desktop version of an application of the same name for the iPhone which, in my limited experience, is the first time an application has migrated from the phone to the desktop. As a friend mentioned, “Platform merge in progress!” and he’s right... When I use Tweetie, I’m reminded that a maniacal attention to detail not only makes you want to reach out and touch the digitally untouchable, it describes the familiar as the new, and, most importantly, it speaks of an aspirational future.

adamsanderson's open_gem

Gem Command to easily open a ruby gem with the editor of your choice. [Awesome. See the Issues tab for detail, but you need to set GEM_OPEN_EDITOR to 'mate' in your bash profile despite what the instructions might say.]

Tweetie for Mac

You can download the free version, which is ad-supported, and try it out for as long as you want. [The only Twitter client I've been able to use, aside from Tweetie on the iPhone.]

Benchmarking your Rails tests

The first step to faster tests is knowing what is slow. Fortunately, this is dead simple with the test_benchmark plugin by Tim Connor, and originally built by Geoffrey Groschenbach. Install the plugin, and when you run your tests via Rake, you’ll see handy output showing you the slowest tests, and the slowest test classes.

Twitter Clients Are a UI Design Playground

But perhaps the most important factor that has made Twitter such a rich category for client software is that there is so little friction to switch between apps. There’s nothing to import or export, and zero commitment.

Venture Capital Down 50%. It’s Not Just the Recession, Folks.

There’s a huge difference between what venture capitalists say and what they do. [VC] fell off a cliff in 2001 and 2002 and it’s falling off a cliff now.

A Painful Decision

I can’t reveal details without breaking confidences, but suffice it to say that a significant number of Rails core contributors - with leadership (if that’s the right word) from DHH - apparently feel that being unwelcoming and “edgy” is not just acceptable, but laudable. The difference between their opinions and mine is so severe that I cannot in good conscience remain a public spokesman for Rails. So, effective immediately, I’m resigning my position with the Rails Activists. [I haven't gotten up to speed with the controversy around this issue, but I can say for certain that Mike Gunderloy stepping back from his participation in the Rails community is a real serious bummer.]

Heroku - Commercial Launch

We have over 25,000 apps running on the platform today, and many of our users have been asking for pricing and paid services for some time now. So today we’re pleased to announce that we are officially out of beta and available for commercial use.

ShakeItPhoto Launches

It’s been 3 months in the making and 3 months of waiting for Apple approval, but wait no more… ShakeItPhoto is ready for download at the iTunes App store for the low price of 99 cents. Take a photo and shake it like a polaroid to make it develop!

GitHub Issue Tracker

It gives us great pleasure to announce our integrated issue tracking system! On repository pages you’ll now see an “Issues” tab in the top menu.

Phusion Passenger 2.2.0 w/ Nginx support

After spending weeks on further development and intensive testing, we’ve now come to the point wherein we have the distinct honor to announce Phusion Passenger for Nginx as an addition to the Phusion Passenger server line-up.. Our thanks goes out to Engine Yard for financially sponsoring this first release of Phusion Passenger for Nginx, as well as all the people who have in some way donated in the past for making this release possible in the first place.

Is Open Source Experience Overrated?

Just as commercial software can't possibly exist without customers, perhaps open source experience is only valid if you work on a project that attains some moderate level of critical mass and user base. Remember, shipping isn't enough. Open source or not, if you aren't building software that someone finds useful, if you aren't convincing at least a small audience of programmers that your project is worthwhile enough to join... then what are you really doing?

Rails 2.3.2 upgrade gotchas

With the latest stable release of rails out the door for about a month, we’ve had a chance to upgrade the bulk of the applications we maintain to 2.3.2.1. Here are some “gotchas”, aka issues, aka roadblocks to Strategic Enterprise Adoption that we discovered while upgrading some of them.

Draft: The problem with Project Management tools

While I agree that it’s important to release code, I think pivotal and other similar tools lead to a mindset where releasing code is in itself the unit progress. But, as any successful team will tell you, completed tickets and releases released are horrible units of progress, since unless your customers love every single thing you do (they don’t), your unit of measurement becomes the amount of features and changes deployed.

Clone TinyURL in 40 lines of Ruby code

I wrote Snip with Sinatra then deployed it up to Heroku so this is also a good excuse also to describe Heroku, a truly amazing service for the Ruby programming community. The total number of lines in Snip is actually 43, in a single file named snip.rb. including the view template and layout. [It's amazing what you can accomplish with Sinatra and Heroku.]

ruby gc tuning

In my experience, a typical production Rails app on Ruby 1.8 can recover 20% to 40% of user CPU by applying Stefan Kaes's Railsbench GC patch to the Ruby binary, and using the following environment variables...

Customer driven iteration vs Whiteboard driven iteration

Customer driven iteration takes customer validation rather than released features as its core unit of progress. It assumes that you have not accomplished anything and therefore cannot feel good until your metrics tell you that your market will use and pay for your stuff.

Can the Statusphere Save Journalism?

...the discussion shifted to deep conversation about the future of journalism in the era of socialized media with one simple question, “are newspapers worth saving?” Walt thought for no more than two seconds and assertively replied, “It’s the wrong question to ask. The real question we should ask is if whether or not we can save good journalism.”

Are Blogs Losing Their Authority To The Statusphere?

Attention is engaged at the point of introduction, and for many of us, we’re presented with worthwhile content outside of our RSS readers or favorite bookmarks. Relevant and noteworthy updates are now curated by our peers and trusted or respected contacts in disparate communities that change based on our daily click paths... Retweets (RT) and favorites in Twitter, Likes and comments in FriendFeed and Facebook, posting shortened links that connect friends and followers back to the source post, have changed our behavior and empowered our role in defining the evolution of the connectivity and dissemination of information.

jamis's safe_mass_assignment

ActiveRecord plugin for allowing (careful) mass assignment of protected attributes, separate from values provided via users of your application.

Timothy's Links

Sébastien Wains » Howto : setting up dns2tcp

For the "I can't browse from work" crowd or the "stuck behind the Great Firewall of China" set, there are any number of high-visibility, high-availability solutions: tor, your buddy's apache proxy, etc. For those who want to try an obscurity/security/proxy solution that's a little closer to the metal, there's dns2tcp via ssh which, predictably, sends your encrypted traffic from your computer out of your network as a dns request and returns it the same way: you're secure going out and you're not sending up big, "hey everybody: look at my port 80 requests!" red flags to the secret police or the sysadmin or whomever. Cool stuff.

Securing a Web server

This is a pretty good read: it's got a little too much depth to be considered a crash course, but it's too abstract to be a tutorial or how-to. A nice, mid-level view of best security practices.

Twitter + Stimulus = Conservative Stupidity

Normally I wouldn't bookmark DailyKos--that would be kind of like bookmarking HuffPo or Reddit--but this is a neat little article about social engineering / industrial espionage that involves exploiting confirmation bias among partisans. Short read. Good read.

Lifehacker - Should Comic Sans Be "Banned"? - Fonts

This made me laugh out loud. It may make you laugh out loud as well.

Convert files and data online

Supposedly this is the best online format converter. Handy in a pinch (or if you're tired of your CLI converters screwing the pooch on higher ascii and spitting out comic book character swears in place of kanji).

Testing mail servers with swaks

At first glance, this looks like a "for Dummies" tutorial for a piece of software that is, essentially, "telnet for Dummes". But swak lets you do something that you can't (easily) do with plain, old-fashioned telnet. You can, for instance, set a timeout time, specify authentication types, etc. with a commandline flag or two. Handy if you're troubleshooting that new mail server install or doing some eyeball/ball park benchmarking.

Introduction to Quality Assurance and Metrics

If you're looking for a no-bullshit crash course in QA/QC that has decent depth, look no further.

Fujitsu Develops High-Speed Image-Capture Technology for Palm Vein Biometric Authentication : Akihabara News .com

Palm vein biometric authentication? Seriously? I mean, I guess super-futuristic biometric auth devices that scan _inside_ the body for unique identifiers are kind of cool in an aesthetic sense, but they're certainly not very cool from a security sense: I thought we had agreed as a global society that physical objects, no matter how apparently unique they are, are unsuitable for secure auth because they are, at the end of the day, still just objects. And all objects can be replicated.

Skimmers: Reader Finds Card Skimmer On Bank ATM

First reaction: "wow that's totally awesome--I can't believe someone came up with this." Two seconds later's reaction: "wow, my opinion of the human race just got ratcheted down a peg or two: I can't believe it took us this long to invent the ATM card data skimmer."

The peasant mentality lives on in America

You know, three weeks ago, I had no idea who Matt Taibbi was. Then, courtesy of reddit, I got put on to his write-up of the Meltdown and I've been hooked. This guy hits hard, doesn't pull punches and walks the stylistic tightrope between the unnaturally polite tenor of expose journalism and the warbling catachresis of incendiary blogging.

What happens if I don't pay my taxes?

This is a good article because a.) it's timely and b.) is written from a hacker perspective/mentality. It starts with the question, "what is the nature of the system?" and then wonders about different methods of potentially short-circuiting it or circumventing aspects of it. Kind of makes taxes fun. Almost.

What to do when the root partition is full?

This is a good list of comments to scroll through as it discusses Linux mounting tricks, how to use LVM and, basically, lists reasons why not to panic. And, I don' t know about you, but the fewer reasons I have to panic, the better.

Thanko's Latest 4GB Necktie Camera

Yeah, it's basically just a flat camera and a necktie that's been cut open in the back, but the idea is still totally effinf awesome.

A Short Introduction To Cron Jobs

There are two reasons that introductory level, "how to" type documents for the basics of Linux administration are so ubiquitous: those reasons are that they're useful for experienced users to a.) write and b.) comment upon and they're useful for inexperienced users looking things up. This one is about cron and using crontab. And it's a great example of that.

Unfortunately, due to the constantly changing array of exploits and threats coming at your Internet-facing server from all over the world, there's no best practices manual for a security audit. This is because no one knows exactly what level of openness is appropriate/optimal on a given application server.

But you gotta start somewhere. Because if you're just blithely running an un-hardened *nix server with stock configurations for service apps like Apache and ssh, you're pretty much giving away the store.

What follows is a short how-to dealing with how to get started, security-auditing-wise. It is by no means comprehensive and is only intended to provide a "leg up" for those who feel like they ought to be auditing their servers but aren't sure where to start. I'll be using Debian systems running the current stable release (i.e. Lenny) to demonstrate the techniques, but I'll try to keep things as OS agnostic as possible: most of the packaged software I describe below can be found in your generic, mainstream fedora repo.

The methodology will be to start from the outside and work inward. I recently saw a Linux Journal article that described doing things the opposite way (or at least that's the impression with which I was left), and that doesn't make much sense to me. From where I'm standing, it seems that if you're conducting a security audit, you ought to start out by looking at your server the same way everyone else does.

Accordingly, we'll begin from the outside and from as basic a perspective as possible: scanning ports and checking for known vulnerabilities and obvious mis-configurations. Once we've got a little perspective on how our server looks to the script kiddies and botnets of the world, we'll do some web-server specific scanning to attempt to detect vulnerable plugins, apache mis-configurations and application-level security holes. After that, we'll finish by checking for rootkits and doing some internal auditing.

OpenVAS: Port Probe and All-purpose scan
The first thing to do is to scan your ports.

The odds are good that if you've got a server out there on the Internet (in the DMZ of your intranet or in a hosting company's rack, for example) that it's got a bunch of open ports. You've probably got one or two listening for HTTP requests, one or two listening for SSH requests and so on. What you probably haven't got is a good idea of how those ports look to the world.

So the first part of any security audit is the portscan. In olden times, you'd use a combination of telnet and nmap for this: nmap would handle the port scanning and tell you which ports were listening/open and then you'd use your expert knowledge of various network protocols to use a telnet-like program to check out those ports and see what sort of access and information they were offering to the world.

There are, fortunately, labor-saving apps that will do the scanning and auditing for you. A few months back, you would have been using nessus, as it was the big name in F/OSS auditing. nessus, however, has gone commercial (proprietary and closed) and a new, open project (GPL) called OpenVAS has taken its place.

For anything other than security auditing, using commercial software is probably OK. At the very least it's not always counter-productive to use non-F/OSS for non-security-related tasks. In the case of security-related apps, however, it just doesn't make any sense to take a chance on using software that isn't available for public scrutiny.

At any rate, if you're familiar with the way that nessus works, you'll be happy to know that the big ideas and the general methodology/procedure behind using OpenVAS are essentially the same. If you're unfamilar with programs like nessus and OpenVAS, here's how they work, from an administrator/auditor's perspective:

1. Set up a server
2. Use a client to tell the server to probe the target site
3. View the audit report on the client

At present, if you're using the stock stable/unstable Debian repositories, you haven't got access to the packaged version of the OpenVAS server. That being the case, we're going to go ahead and get a little bit heroic here and do this the Cowboy Way (i.e. from source).

1. Dependencies and Source Files

Make sure that you've got the following packages (some of which the openvas developers list as dependencies, some of which you'll need to compile anything from source) before proceeding:
molluska:/opt/# aptitude install libgnutls-dev libpcap-dev libgpgme11 libgpgme11-dev libglib2.0 libglib2.0-dev build-essential bison

Now that that's handled, there are four "modules" that are required to run an OpenVAS server. The openvas developers say that you've got to install the modules in the following order:

1. openvas-libraries
2. openvas-libnasl
3. openvas-server
4. openvas-plugins

So that's what wer're going to do. I like to do this sort of thing in/opt, but it really doesn't matter where this happens.

Get the files:
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/572/openvas-libraries-2.0.2.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/561/openvas-libnasl-2.0.1.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/562/openvas-server-2.0.1.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/576/openvas-plugins-1.0.6.tar.gz
NB: these URL's are for the version that was current when this was written--no guarantees that they'll be there two hours from now.

2. ./configure && make && make install

Now, we start the compilation process which, thanks to our having resolved the dependencies enumerated above, should go off without a hitch:
molluska:/opt/openvas# tar -zxvf openvas-libraries-2.0.2.tar.gz
[...]
molluska:/opt/openvas# cd openvas-libraries-2.0.2
molluska:/opt/openvas/openvas-libraries-2.0.2# ./configure
[...]
molluska:/opt/openvas/openvas-libraries-2.0.2# make
[...]
molluska:/opt/openvas/openvas-libraries-2.0.2# make install

Once you've successfully installed the openvas libraries, you'll be prompted to modify /etc/ld.so.conf by adding the line "/usr/local/lib" to it and running ldconfig to update your linker. Do that, and then repeat the steps described above (untar, configure, make, make install) in the other three folders to finish installing the OpenVAS modules.

3. Add a User and Generate an SSL Cert

Once you've got everything installed, you'll need to create two things: an OpenVAS user and an SSL certificate. Fortunately, both of these tasks have been nearly fully automated and all you'll have do to get the job done is execute a couple of binaries (which should be on your path, now that you've installed everything according to the above instructions) and follow some on-screen prompts:

molluska:/opt/openvas# openvas-adduser
[...]
molluska:/opt/openvas# openvas-mkcert
[...]

And that's it. Make a note of the paths that the openvas-mkcert program gives you at the end of the certificate creation (as you might need to specify them at some later time; you won't need them again to follow these instructions).

4. Fire it up

Once you've got all your modules installed, your certificate created and your user added, it's time to fire up the server/daemon. The smartest way to do this is to pseudo-daemonize it and tail its output while it loads plugins:molluska:/# nohup openvasd &
[1] 4508
molluska:/# nohup: ignoring input and appending output to `nohup.out'
molluska:/# tail -f nohup.out

Should get you something like this:tail -f nohup.out
Loading the plugins... 714 (out of 10558)

...and so on. Once the plugins are all the way loaded, fire off a quick ps to make sure that the server is running and maybe a quick netstat to make sure you know what port it's listening at, and that's it: you're done with the server side of things and ready to move on to the client and auditing part.

molluska:/opt/openvas# ps aux |grep openvas
root     26129  1.1  0.2  16296    76 ?        S    06:29   1:46 openvasd: waiting for incoming connections
molluska:/opt/openvas# netstat -anp |grep openvas
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      26129/openvasd: wai

Installing the OpenVas client is much easier.

While there is a packaged version of the OpenVAS client app, we're going to install one from source (mostly so our version of the server matches with our version of the client; this is mostly me being OCD, however, and you can probably get away with using the packaged version). To install the client, we'll follow the same steps as above, but on a different machine:

gonzo:/opt/openvas-client# wget http://wald.intevation.org/frs/download.php/575/openvas-client-2.0.3.tar.gz
[...]
gonzo:/opt/openvas-client# tar -zxvf openvas-client-2.0.3.tar.gz
[...]
gonzo:/opt/openvas-client# cd openvas-client-2.0.3
gonzo:/opt/openvas-client/openvas-client-2.0.3# ./configure
[...]
gonzo:/opt/openvas-client/openvas-client-2.0.3# make
[...]
gonzo:/opt/openvas-client/openvas-client-2.0.3# make install

NB: you may, depending on your client system, have to resolve some GTK dependencies and other build/compiler dependencies like the ones listed above: libgtk2.0-dev should solve most of your gtk problems, if you're running Debian Lenny.

Once the GUI client is installed, start it up:

toconnell@gonzo:~$ sudo aptitude install openvas-client
[...]
toconnell@gonzo:/opt/openvas-client/openvas-client-2.0.3/bin$ ./OpenVAS-Client &

Connection Screen, OpenVAS GUI Client

Once your client is connected with your server, you're ready to fill in the blanks and start your first round of tests. This is fairly self-explanatory and, honestly, you wouldn't be reading this if you couldn't figure out simple GUI interfaces: specify your target (i.e. the server you're auditing), make sure that all the plugins are enabled and then click the life preserver to start the "Scan Assistant" and execute the scan. Follow the on-screen prompts: easy as apple pie.

The best thing to do, once your scan starts, is probably to go do something else and come back in a little bit: in my experience these scans can take anywhere from 15 to 45 minutes, depending on your server and your pipe: my server is an old Linksys NSLU2 and my pipe is a consumer-grade Speakeasy residential connection, so I'm used to waiting close to an hour for the scan to finish. Using corporate resources will result in less idle time.

OpenVAS scan results report

Once the scan is done, you're treated to a report view. This is what we've been after all long. In it, you'll see a full run-down of what ports on your server are open and what open ports are listening for what. Additionally, you'll be treated to helpful recommendations about how to close security holes. And while closing those holes is beyond the scope of this article, I will say that almost every recommendation I've gotten from an OpenVAS report has been sane, been sensible and lead to a harder server.

nikto: Web-server Specific Auditing
The second thing to do, in order to perform a robust audit of your system, is to hit it with nikto (http://www.cirt.net/nikto2).

nikto, unlike OpenVAS doesn't require a server/client hook-up: just install the client with apt and fire off some tests, writing the output from those tests to plaintext files:

molluska:/# aptitude install nikto
molluska:/# nikto -h newathens.org -p 80 -output nikto_na80 && nikto -h newathens.org -p 443 -output nikto_na443

You'll get helpful output that points you towards an obvious solution like this:

+ mod_ssl/2.2.9 appears to be outdated (current is at least 2.8.30) (may depend on server version)

And you'll also get put on notice if you've got paths/folders/files with names that automatic exploiters and scripts tend to look for:

+ OSVDB-3092: GET /login/ : This might be interesting...

...to script kiddies and Chinese botnets.

You'll also get put on notice if you've got too much of your software's installation defaults hanging out in the open:

+ OSVDB-3233: GET /icons/README : Apache default file found.

Server-side Checks

chkrootkit
There are a few utilities that allow you to perform quick server-side audits of your security situation. Some of them, like rkhunter will run daily (like logwatch or apticron) and tell you if they've identified any new chinks in your armor. The first one to install and run is chkrootkit.

molly:/# aptitude install chkrootkit
[...]
molly:/# chkrootkit

This is a great place to start your internal audit because it'll tell you if you've picked up any known bugs and whether anything weird, filesystem-wise, appears to be going on with your computer.

The best use for this app is to give you a very quick idea of what sort of shape you're in. If you've got a system littered with suspicious files, odd-looking binaries, etc., you know exactly where to start plugging holes.

rkhunter
While we're on the subject of checking for root kits, let's do rkhunter:

molly:/# aptitude install rkhunter
[...]
molly:/# rkhunter --update
molly:/# rkhunter --check

This gets you a quick check of all your important binaries (to make sure they look like they're supposed to look, i.e. that they haven't been replaced by scripted exploits or an intruder with something that opens a back door) and a quick scan for known exploits of the rootkit variety. You'll also be told whether you're running inetd/xinetd (which tends to open ports in a manner whose security can be less than "ironclad") and other fun facts about potential vulnerabilities.

The best thing to do with this report is think long and hard about what ports/resources/pathways you actually want to make available to the Internet and then start disabling services. Once you've spent some time with that, you're pretty well on your way to having an idea of exactly how hard your server is and how much work you've got to do to keep it safe.

If anyone has any ideas about other utilities or techniques for security auditing, please feel encouraged to share them in the comments.

Sure, I'll mess around on the CentOS box under my desk on the production RHEL servers at work a little bit, but Red Hat is largely terra incognita for me and Debian is where I'm comfortable doing my admin thing and managing packages. I know apt. I am comfortable with apt. And while I wouldn't describe using yum as something that makes me uncomfortable, when I do have to use it, I find myself spending more time Googling and forum-searching than I'd like.

I'm beginning to accept that this is no one's fault but my own.

And so the purpose of this article, therefore, is not a.) to point fingers, b.) to compare apt to yum or c.) to explain yum from the perspective of someone who is accustomed to doing things the Debian way. The Internet is littered with stuff like that like the intersection of Paradise and Tropicana are littered with advertisements for escorts.

In this post you'll find some novice-level trouble-shooting tips, reminders and pointers for the casual yum user that are intended to help reduce the occurrence of forehead-slaps and to decrease the amount of time spent tailing logs and Googling obscure error messages.

1. Preemptive Troubleshooting.

It's not in the documentation, but I have noticed that a lot of dependency issues and version consistency problems are resolved by tossing off the following yum command and then trying again:

 # yum clean packages

It has become my general practice to do this before I do anything else. It's a nice preemptive step.

I've noticed that it's generally not the advice of performance-minded (read: impatient) admins to do the more scorched-Earth yum clean all, as this empties caches, dbcaches (i.e. sqlite files) and can causes longer check-update times.

2. filelists.xml.gz Download Times out.

Let's say you're doing a yum update or a yum upgrade and you get some output like this:

filelists.xml.gz          100% |=========================| 1.4 MB    00:01
filelists.xml.gz          100% |=========================| 1.3 MB    01:48
http://apt.sw.be/redhat/el5/en/i386/dag/repodata/filelists.xml.gz: [Errno 4] Socket Error: timed out
Trying other mirror.

There are good odds, especially if you're using non-standard repositories, that you copied/pasted some text into your yum.conf from somewhere out there on the Internets. If you did, there are even better odds that the text you copied includes something about using GPG to authenticate the repo. If you've got lines like that, you'll need the repository's key.

Generally speaking, you can navigate to a repository's http site and find the URL for their public key. Once you've got that, all it takes to import it is one of these:

# rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

3. Know your repositories

You can save a lot of backtracking/head-scratching time if, before searching for a package on a machine you don't visit that often, you toss off a quick yum repolist. This handy feature will spit out the names and statuses of all of the repositories in all the files in your /etc/yum.repos.d/ directory and prevent you from doing that thing where you don't realize that you've only got the default CentOS repositories enabled but can't seem to figure out why the eff your yum search for htop just turned up a big goose-egg.

4. Automatic Notifications

If, like me, you're coming at yum from a Debian perspective, one of the first things you'll do when you start administering an RPM-based system is to install the apticron-equivalent known as yum-updatesd (# yum install yum-updatesd.noarch). Something you might forget, however, is that the default behavior of yum-updatesd is to not send emails.

Don't forget to edit /etc/yum/yum-updatesd.conf such that

mit_via = dbus

looks like

mit_via = email

or you won't get those all-important package update emails.

And that's about all that's coming to mind right now.

If anyone else can think of some things that you consistently forget--and then suddenly remember, 20 minutes later--to do when you're working with yum, feel free to leave a comment.

I already know that if you want to alter the default settings for all profiles that will be created by a given Firefox installation in the future, you add the line for the preference that you want to effect those profiles to the file FIREFOX_ROOT/defaults/profile/prefs.js.

Similarly, I already also know that if you want to push a preference to all currently existing users on the machine, you add the line for that preference to FIREFOX_ROOT/deftauls/pref/firefox.js.

The caveat there, of course, is that if the user of the profile have already changed a preference in his personal prefs.js (i.e. the one in HOMEDIR/.mozilla/firefox/RANDOMALPHANUMERICS.USERNAME/prefs.js) and it conflicts with your preference in the (global) firefox.js, then you (the admin) are SOL, because the program will defer to the user's personal prefs.js file.

Which brings us to the question: is there a way (short of writing a script to parse individual user's personal prefs.js files and modify them as needed) to push a preference to all users of a given Firefox installation?

Full disclosure: I'm posing this question for two reasons. The first reason is that I'm sort of passive-aggressive with Firefox: ours is a very love-hate relationship. The second reason is that I honestly don't think that what I'm describing--i.e. adding a preference to one, "master" preferences file that effects all users of a given installation, regardless of their personal prefs.js file--can be done.

Am I missing something? Maybe even something truly forehead-slap-worthy that's at the top of all the documentation? Or is this a real limitation of the program?

Scarling

I've heard there's a big migration of ruby people to scala, and so the first thing I would say to the ruby people is that this is no panacea. It's not ruby on a JVM; it's an entirely new langauge, with much stronger java roots than any other language, so familiarity with java is probably more helpful than python or ruby. On the other hand, if ruby whetted your appetite for functional programming, scala has more of that than ruby and python combined, and seems to live up to its promise of exposing the wonders of java's scalability and rock-solid virtual machine and garbage collector.

20 Rails Development No-No's

Rails programmers: what's an example of one thing you find in other people's Rails code that you (almost) always consider to be wrong?

github's jquery-relatize_date

jQuery version of technoweenie's relative date js library.

PragDave: Twitter Should Move Away from Ruby

Oh dear. The chattering classes are at it, talking about how the Twitter folks are dissing Ruby by announcing the replacement of some Ruby code with Scala code. [Don't miss the comments!]

Building Sites Around Social Objects

Define Your Object. Define Your Verbs. Make the Objects Shareable. [I like the first 3 of these 5 principles.]

soundamus

A personalized feeds of new and upcoming music releases. [Amazing!]

Behind the scenes of EveryBlock.com

Adrian Holovaty, co-author of the Django web framework, takes you under the hood of EveryBlock.com, a Knight Foundation News Challenge startup which rounds up local news and information, and is powered 100% by Python and Django.

Posterous Co-Founder Sachin Agarwal

Garry and I both went to Stanford and majored in Computer Science. When I graduated, I worked at Apple on Final Cut Pro for 6 years which was all the way up to starting Posterous. I was building the real-time playback engine and effects architecture. That didn't have a direct impact on the formation of Posterous, except that we're definitely Apple people at heart, and we want to be the Apple of blogging. We want to make the simplest, most beautiful site out there, and make it accessible to the masses.

iPhone on Rails and ObjectiveResource

ObjectiveResource is an Objective-C port of Ruby on Rails' ActiveResource. It provides a way to serialize objects to and from Rails' standard RESTful web-services (via XML or JSON) and handles much of the complexity involved with invoking web-services of any language from the iPhone.

Slicehost iPhone App

A simple tool for managing your Slicehost account.

auto_html

auto_html is a Rails plugin that let users embed HTML by providing URL of links, images, youtube, vimeo, deezer,...

ricardochimal's taps at master

A simple database agnostic import/export app to transfer data to/from a remote database.

Timothy's Links

War (1/3) | ncomment blogspam

This is awesome.

Fox News Boycott -

This is mostly a solidarity bookmarking, but the site is actually useful, insofar as it contains a list of corporate sponsors of Fox News.

Dealing with impossible crises

Generally speaking, I skim life advice links from Reddit, chuckle to myself about how such a self-absorbed community of self-declared geniuses, free-thinkers and savants consistently manages to recommend self help 101 articles about basic life skills as if they were the original wise sayings of the Lord Buddha and move on. But this one's got two cherry pieces of advice and a fun anecdote about how you can +1 your fast talk skill: 1.) stay calm and polite, 2.) go into all conflicts assuming that you have already lost. Resolving oneself to failure and thus resetting the criteria for success according to your own rules is the original life skill.

How To Set Up A Postfix Autoresponder With Autoresponse | HowtoForge - Linux Howtos and Tutorials

This is a sweet little CLI autoresponder app for use with postfix that you can set up for all users on your box and modify at the line or via email. Effin' sweet.

Android tethering apps pulled from Market

While totally unsurprising, this is still mildly infuriating. The only thing that makes it less than intolerably annoying is the fact that Google is kind of on the level about it: T-mobile's TOS (which I agreed to obey at some point, I'm sure) forbid certain kinds of tethering, so Google had to pull the app. But the tether developer makes a good point: does this effect the whole market place? Or is market place going to be restricted by service provider in the future?

Associated Press Seeks More Control of Content on Web

Well, I guess that's it for the AP, then. It's probably for the best: they were really making a nuisance of themselves lately anyway (with that whole "Hope" poster biz) and we'll certainly be better off without them.

AdFreak: Viagra always has such wonderful gift ideas

There's nothing I love more than when Madison Avenue just straight goes for broke on a Mega Corp account and puts out an ad so utterly inane and puerile that you want to tell everyone you know about it. Call it a consciousness hack. And consider my private system exploited.

Schneier on Security: Who Should be in Charge of U.S. Cybersecurity?

This, for the record, is the ultimate talking point on Internet security: it's a network everyone uses that depends on an infrastructure managed and maintained by everyone and it is therefore everyone's responsibility to improve the quality and security of the network and its users. And this is why BS says the NSA shouldn't be Obama's go-to agency for "cybersecurity". They keep secrets. Secrets ruin the Internet. Don't believe me? Consider Microsoft's legacy of pissing in the pool in misguided and stupid attempts to deliver security through obscurity.

I'm not sure where I originally came across this concept, but I think it's worth sharing again anyway. I'll even give it a name this time. Time Bomb Tests: easy cheesy reminders you can put into your test suite. They'll sit there like little time bomb reminders - exploding only when you need them to.

 
# test/integration/time_bomb_test.rb
 
require 'test_helper'
 
class TimeBombTest < ActionController::IntegrationTest
 
  test "stuff to do with next rails upgrade" do
    flunk if Rails.version != '2.2.2'
    # rename application.rb to application_controller.rb
    # etc...
  end
 
  test "stuff I'm putting off today, but really should do eventually" do
    flunk if Time.now > Time.parse('5/1/2009')
    # optimize that thing marked HACK in the user model
    # etc...
  end
end
 

Update: Check out jeremymcanally's deprecate, which appears to have been partially inspired by this post. It allows you to deprecate (primarily) test code after a certain date, version, or other arbitrary condition is met.

Twitter on Scala

...it has been such a success that our plan for the long run is to move more and more of our architecture into Scala. The vast majority of our traffic is API requests, and we want most of those to be served by Scala, either at an edge cache layer or a web application layer. Hopefully by the end of 2009 the majority of users’ interactions with Twitter are going to be Scala-powered.

Twitter: blaming Ruby for their mistakes?

In conclusion... is Ruby a bad language for writing message queues in? Yes, there are much better choices. Message queues are a particularly performance critical piece of software... but message queues aren't something you should be writing yourself. This speaks much more to Twitter's culture of NIH than it does to Ruby as a language... Is Ruby a bad language for writing long-running processes? Absolutely not. JRuby provides state-of-the-art garbage collection algorithms available in the JVM to the Ruby world. These are the exact same technologies that are available in Scala. JRuby addresses all of their concerns for long-running processes, but they don't bother to mention it and instead just point out the problems of the de facto Ruby interpreter. [Very interesting comments.]

Obie Fernandez: My Reasoned Response about Scala at Twitter

I'm glad that Twitter is working to resolve its scaling issues. It's a service that I love and use on a daily basis and from which I have benefitted immensely. As far as I'm concerned, Twitter is a case-study in how Ruby on Rails does scale, even in their hands... My interest in the question of Ruby vs. Scala at Twitter had mostly consisted of curiosity and amusement, at least until last night.

Mending The Bitter Absence of Reasoned Technical Discussion

Social media (blogs, community news sites like Reddit and Hacker News, Twitter and such) have swept in to fill a vacuum between peer-reviewed academic journals and water cooler conversation amongst software engineers... in theory, we should be more informed as a professional than we ever have been... In practice, the conversations that are most widely heard in the tech community are full of inaccuracies, manufactured drama, ignorance, and unbridled opinion. In discussing these Internet-spanning debates with non-technical friends, comparisons to Hollywood tabloids come first to mind. It’s a time sink for an industry that should be a shining example of how to use the newest of media for constructive debate.

Chax

Chax is a collection of minor modifications and additions that make using Apple's iChat more enjoyable.

PyCon Keynote

Reddit's Steve Huffman and Alexis Ohanian. [They briefly discuss the infamous "gst" user around 15 minutes in.]

on url shorteners

URL shortening services have been around for a number of years. Their original purpose was to prevent cumbersome URLs from getting fragmented by broken email clients that felt the need to wrap everything to an 80 column screen. But it's 2009 now, and this problem no longer exists. Instead it's been replaced by the SMS-oriented 140 character constraints of sites like Twitter.

The Real World: A video of David's talk at FOWA Dublin - (37signals)

Execution and Perseverance are the keys to running a successful business.

The State of the Stack: A Ruby on Rails Benchmarking Report

New Relic helps more than 1500 organizations manage their Ruby on Rails applications. This gives us unique insight into how thousands of applications are deployed. Many of our customers have opted in to have their performance data shared with the Rails Core Team to aid in their ongoing work on the platform. In addition to that data we also aggregate information on the versions of OS, Ruby, and Rails used and the various plugins deployed.

DiggBar Launches Today!

Starting today, we’ll begin rolling out a new product we are calling the DiggBar. Before we dive into the details, check out this short video overview...

Google uncloaks once-secret server

Google is tight-lipped about its computing operations, but the company for the first time on Wednesday revealed the hardware at the core of its Internet might at a conference here about the increasingly prominent issue of data center efficiency.

Five Founders

Few know this, but one person, Paul Buchheit, is responsible for three of the best things Google has done. He was the original author of GMail, which is the most impressive thing Google has after search. He also wrote the first prototype of AdSense, and was the author of Google's mantra "Don't be evil."

Follow-up on "Get Satisfaction, Or Else..."

Customer support is my job, and I take it very seriously, and I am very, very good at it. To have another website undermine that job which leads to a customer with 1) a bad experience, 2) a bad impression of our company, 3) a bad impression of my work…well, it’s infuriating. Not only was I angry on the customer’s behalf, I was angry on behalf of our company to see our name and logo plastered all over a site we had never known about until then.

Ambient Intimacy

“Ambient intimacy” is a good term to describe how Twitter, Flickr, blogs, and other modern communications technologies keep us in touch with one another. The term I’ve been using for this is “passive communication.”

Hacker News on Daring Fireball's Complex

We advise startups to launch when they've added a quantum of utility: when there is at least some set of users who would be excited to hear about it, because they can now do something they couldn't do before.

stevenberlinjohnson.com: Old Growth Media And The Future Of News

...there are really two worst case scenarios that we’re concerned about right now, and it's important to distinguish between them. There is panic that newspapers are going to disappear as businesses. And then there’s panic that crucial information is going to disappear with them, that we’re going to suffer as culture because newspapers will no long be able to afford to generate the information we’ve relied on for so many years.

Get Satisfaction, Or Else...

We shouldn’t be forced to scour the internet finding sites that claim they are doing support for us when they’re not. It’s not fair to us and it’s not fair to customers to make something look like an official support site when it’s not. This should be entirely opt-in for a company and it’s not. In fact, it’s worse than that because if you don’t opt-in, they make negative claims about your company’s commitment to customers. [See also: http://news.ycombinator.com/item?id=540540]

2009 Rubyist's guide to a Mac OS X development environment

My hard drive kicked the bucket recently. From scratch, here’s how I quickly got my Ruby web development environment into ship-shape form The Thoughtbot Way. Many of these instructions are specific to Mac OS X 10.5 (Leopard). Some of them are opinionated (Vim over Textmate). Pick-and-choose what you need but this is everything that I use happily day-to-day right now.

redirect_to HTTP POST

...the problem is that redirect_to doesn't seem to preserve the HTTP method. This is ok for the faked-up methods eg using "_method=delete" but if the URL a person asked for was a POST it fails miserably with a routing error... [Checking out some of these solutions, but for now I'm just working around it by only storing the original request if it's a GET request.]

Timothy's Links

HugeURL

This is a triumph of the human spirit if I ever saw one.

Ron Carmel explains 2D Boy by the numbers

2D Boy's Ron Carmel opened up this year's Independent Games Summit hoping to somewhat demystify the process of starting your own indie studio (which he summarized with the following three steps: "save money, quit your job, and make a game"), and in doing so divulged their own by-the-numbers breakdown of how their goo-built world was formed.

Tuning the Toad

As we wrote just over two weeks ago, Hoptoad was having a hard time keeping up performance when certain websites were submitting thousands of errors at the same time. Fixing this became out highest priority and, as I promised then, we will outline the changes we made that have helped us to be able to weather the error storm.

Most Time Management Is Rubbish. Here Are Ten Things That Work for Me.

Over the last few years, I’ve read a ton of time management books and tried out literally hundreds of systems and standalone ideas for maximizing the effectiveness of my time, particularly in terms of my work.

Now is a Great Time to Be a Media Maker

The distance we’ve come in the decade and a half since I was driving newspapers over highway 17 in a VW Bug is astonishing. I look at the tools available to media makers today and can hardly imagine a more ideal environment. So why is it that all we hear about the media industry is doom?

TwitterAuth: For Near-Instant Twitter Apps

The public beta of Twitter OAuth support has been released and I’m excited to introduce a new library that I’ve been working on called TwitterAuth. TwitterAuth is a Rails plugin that provides a full external authentication stack for Rails applications utilizing Twitter. Think of it as “Twitter Connect” for Rails, letting you create an application that may be logged into using only Twitter credentials.

How to handle exception while developing api in ruby on rails

If the request was made for an html page then rails will handle the exception and will show the appropriate error page depending on if you are running in development or production mode. However for .xml there is an issue. If it is an API request then ,in the case of an error, you still need to send an xml response with the error message. Question is how to handle exception in a generic way.

The Three20 Project

Last week I released my first iPhone open source project, Facebook Connect for iPhone, and today I'm ready to start talking about the next one. Five months ago I talked about open-sourcing as much of the Facebook iPhone app as I could, and as you can see by the delay, that has turned out to be easier said than done.

Why Facebook has never listened and why it definitely won’t start now

Let’s say you’re walking down University Ave. in Palo Alto, California in a couple of years (or, really, any street in the world) and you’re hungry. You pull out your iPhone or Palm Pre or Android or Blackberry or Windows Mobile doohickey and click open the Facebook application. Then you type “sushi near me.” It answers back “within walking distance are two sushi restaurants that more than 20 of your friends have liked.”

Why Small Payments Won’t Save Publishers

Meanwhile, back in the real world, the media business is being turned upside down by our new freedoms and our new roles. We’re not just readers anymore, or listeners or viewers. We’re not customers and we’re certainly not consumers. We’re users. We don’t consume content, we use it, and mostly what we use it for is to support our conversations with one another, because we’re media outlets now too. When I am talking about some event that just happened, whether it’s an earthquake or a basketball game, whether the conversation is in email or Facebook or Twitter, I want to link to what I’m talking about, and I want my friends to be able to read it easily, and to share it with their friends.

Ruby’s Biggest Challenge for 2009

When new developers come to the Ruby world, lets greet them with Ruby 1.9.x. In the long term, doing so will improve our growth as a community more than any marketing effort ever could (and the two efforts are not mutually exclusive either). Ultimately, Ruby’s biggest challenge may just be our greatest opportunity to improve.

Newspapers and Thinking the Unthinkable

With the old economics destroyed, organizational forms perfected for industrial production have to be replaced with structures optimized for digital data. It makes increasingly less sense even to talk about a publishing industry, because the core problem publishing solves — the incredible difficulty, complexity, and expense of making something available to the public — has stopped being a problem.

Timothy's Links

T-Mobile "My Account" App

This another of those "it should have come out with the launch of the phone, but what they hey--now that it's out, all's forgiven" kind of apps. Basically, it's your complete T-Mobile account data in application form. Very Apple-like.

The politics of the command line

Pass this along to friends and family who need a primer in F/OSS, GNU, etc. Tell them that taking 10 minutes to read it carefully is easier than watching an hour long Stallman documentary. For a number of reasons.

Fox News Pictographic Synopsis

Normally I try not to think or care about infotainment--I just sort of hope Jon Stewart and Bill O'Reilly will cancel each other out and the whole phenomenon will un-happen--but this is too good a compilation of Fox News screencaps to leave it un-bookmarked.

Teleportation, the last battle, and the Creator talks: How the world ends inside an online game

This is a fun blurb from CT on "eschatology as a design challenge" that, unlike good sci-fi, suggests an interesting idea, hangs just enough metal on it to make it run and then walks away from it without beating it to death.

Op-Ed Contributor - Dear A.I.G., I Quit! - NYTimes.com

lolcano. Nice try, PR guys, but if a heartfelt resignation letter full of dubious logic, apple pie cliches and evasive non-facts is the best you can do by way of laying out a decoy and deploying chaff, then you have, once again, failed utterly to succeed.

Election Fraud in Kentucky

Normally I wouldn't bookmark a Schneier post, but this one is kind of special. Using clips from other articles, he basically makes the point (in a very reductive, minimalist, Bonsai-gardener kind of way) that the security "industry" is 90% sales, 5% hype and 5% actual security solutions: there's a lot of talk about the implications of this, the vetting of that and what it boils down to is the fact that the entire commercial edifice is just an elaborate front end for one poorly designed user interface.

Core Duo Vista Powered Super Famicom

I'm pretty sure that this is a modern computer inside a Super Famicom case. Which, I'm also pretty sure, makes it the coolest case mod I've seen in a long, long time.

Hitachi Settles Price-Fixing Case for $31 Million

In case you didn't know, Korea's LG, China's Chunghwa and Japan's Sharp constitute something of a cartel. Not unlike the old-timey RAM cartel, these Mega Corps work as a sort of monopoly of convenience, setting (i.e. fixing) prices on LCD's in everything from phones to monitors in order to maintain a balance between profitability and existential security (too much freedom in the marketplace, while potentially good for consumers, isn't in the best interest of government-subsidized Mega Corps whose business models depend on anti-competitive legislation in order to maintain profitability). Add Hitachi to the list.

gcalcron

This is a fun kind of "get your toes wet with linux" type of project that you could suggest to your "I want to learn about linux, but I'm not ready to junk my MacBook just yet" friends. The gist is that you "install" this cat's .py script on your remote machine and this script acts as an interface between the box and a Google calendar you set up. You enter bash commands into the calendar entries and it uses the times you set with the gCal interface to tell cron when to pop them off. What it lacks in simplicity (by being an incredibly convoluted "work around" for spending 10 minutes with the cron man page) it makes up for in colorful, user-friendliness.

 
class Photo < Asset
 
  has_attached_file :image, :path => ":class/:attachment/:id_partition/:basename_:style.:extension"
 
  before_create :randomize_file_name
 
private
 
  def randomize_file_name
    extension = File.extname(image_file_name).downcase
    self.image.instance_write(:file_name, "#{ActiveSupport::SecureRandom.hex(16)}#{extension}")
  end
 
end
 

That would, for example, change an uploaded image named "DS_100.JPG" into:

http://example.com/photos/images/000/001/204/e15f64f5e7gjdo3e4ae58f4ed9j925f5.jpg

That makes it effectively impossible to guess the location of an image, provided that you don't allow people to browse around the directories on your server. This is the same method of privacy protection that Flickr uses, and it ought to be enough for most non-governmental privacy needs :)

Twitter OAuth Ruby Example

This is the first of what I hope to be several examples of using OAuth as a developer. Our OAuth server implementation is in open beta and I want to show an example of how to use it. As the implementation is still in beta, feedback is appreciated as you begin your integration. If all goes well I'll post on using OAuth from other languages in the future.

The Great Rails Refactor

Yehuda Katz at Confreaks: MountainWest RubyConf 2009.

Google Reader hacks

I've come up with a system that seems to work for me on OS X, at least for extensive testing purposes...

smartly save stashes in git

I seem to be using stashing more and more, and I’ve found that seeing the stash list output looking like this isn’t very helpful...

3 Simple Guidelines for Contributing

I promise you that if you do these three things each time you contribute to a project, your changes will not only get pulled in faster, but you will become a more rounded and skilled programmer.

Timothy's Links

I left a linux machine online with ssh open for a day. It dropped incoming login attempts after the username. These are the usernames tried. : reddit.com

I know it's kind of weirdly meta and redundant to bookmark a reddit, but this one has a list of names that might be useful in creating a security policy for linux user names on Internet-facing boxes.

NSLU2 Debian Lenny Upgrade - solving the possible network problem

I'm bookmarking this because it taught me something I managed to not learn in spite of having had a slug on my home network for over a year now. To wit: if you bork your network setup, reboot your slug and find that you can no longer dial in with SSH, simply power it down, pull the USB drive you're using as /, slot it up in another machine and edit your slug's conf files in your favorite editor. Nice.

timocratic's test_benchmark

Rails plugin (and/or ruby gem) for benchmarking your test::units. [This has to be one of the best gems I've come across in a while. A+++]

Slow tests are a bug

Most Rails projects I’ve worked on have ended up at around 3,000-15,000 lines of code, with a roughly as many lines of test code, and most have test suites that take a minute or more to run. Our test suite for Tumblon, for instance, churns along for 2.5 minutes. This is a too slow. And slow tests are a problem for at least two reasons: they slow down your development and decrease code quality. [Note the awesome plugin linked in the comments!]

Sinatra block parameters

The latest master Sinatra now supports optional block parameters. It captures any parameters in the URL and passes them into the block that defines the action.

When Overusing self Turns Into self.pity

Wow, so simple. Much easier on the eyes, and the intention is clear right from the start. My rule is simple: When assigning to an instance variable, use self, calling a method on the other hand should stand all by itself. Now, you could argue, that assigning to an instance variable using its accessor is also a method call, but if you really want to argue about that, you should really read this blog entry again.

Temporarily disable ActiveRecord callbacks

I was recently working on a client project and I had to create a rake task to import a large set of data from a spreadsheet. One of the models that was being imported had an after_save callback that sent out an email notification. I didn't really want 3500 emails to be sent out whenever this rake task was ran, so I needed to disable the callback while the import task was running.

Readability

Reading anything on the Internet has become a full-on nightmare. As media outlets attempt to eke out as much advertising revenue as possible, we're left trying to put blinders on to mask away all the insanity that surrounds the content we're trying to read.

state_machine

After 2 1/2 years... I’m finally officially announcing a project I’ve been quietly working on: state_machine... This is a project which has undergone many rounds of rewrites, but which has finally met its goal, in my opinion, to become the easiest, sexiest, yet most powerful state machine library for the Ruby language.

The size of social networks - Primates on Facebook

Several years ago an anthropologist concluded that the cognitive power of the brain limits the size of the social network that an individual of any given species can develop. Extrapolating from the brain sizes and social networks of apes, Dr Dunbar suggested that the size of the human brain allows stable networks of about 148. Rounded to 150, this has become famous as “the Dunbar number”.

The 5 P's of Twitter's runaway success

Actually, I think we enjoy claiming we can’t describe what Twitter is, yet a closer inspection of it yields not only a better understanding of it but also why it’s become so prevalent in the media lately. And when that kind of inspection occurs, it’s not surprising to the inspector why Twitter is where it’s at today.

Twitter = YouTube

YouTube now gets more searches than Yahoo, Google's closest search rival. YouTube was the single fastest growing new form of search on the Web, and Google pretty much outflanked (and outspent) everyone to buy it. Not to get into video monetization, per se, but to harvest and control the most important emerging form of search. In short, Google could not afford to NOT own YouTube.

Timothy's Links

Monsanto is Putting Normal Seeds Out of Reach

This week's "Rage at the Mega Corps like Lear on the Heath" post is about Agricultural Goliath, Monsanto. Monsanto, a Mega Corp whose operational expenses are almost fully subsidized by our federal government here in the States, has gained much notoriety for sabotaging independent farming operations and, more importantly, running anyone who doesn't farm their brand of genetically modified corn out of business by installing puppet legislators in important positions or simply using its powerful lobby to write its own legislation and have dupes (like Illinois' own Michael Madigan) push it through.

contxts - mobile sms business cards

This is my gadget/widget par excellence du jour: basically, you give their database your basic contact info and then, if anyone SMSes your username to 50500, they get your contact info back. Nifty.

High Performance Web Sites

This is a good checklist to run through whether you're working up a framework from scratch and need to keep optimization principles on a front burner or whipping up a quick, stop-gap kind of ap that needs to work lickety-split with a minimum of fuss.

7 Badass Cartoon Villains Who Lost to Retarded Heroes

What else can you say about cracked.com? They're on focus, on message and on point.

Secure deletion: a single overwrite will do it

This article has some simple stats that supposedly debunk the urban legend that you've got to write zeroes (or whatever) over the whole disc to securely delete a HDD. It doesn't so much debunk, however, as it makes a point not unlike PGP's point: the obscurity provided by a single over-write is /pretty good/, but not perfect. Your best bet is still the Gauss rifle...I mean degausser.

Wildwood Survival - Fire Basics

The original survival skill is, of course, making fire. You can never know too many different ways to a.) start or b.) build a fire: file this under "urban, suburban and rural survival tips"

24 Samsung SSDs get strung together for supercomputer fun

This is an article with still pictures (instead of moving ones) that outlines the viral video sweeping the Interwebs in which a plucky admin wires 24 flash drives into a single, desktop-size case.

10 common mistakes using robots.txt

This is totally rudimentary--it's written more for the copyeditor/SEO enthusiast in your shop, not for the cowboy/console man--but it's a good reminder of syntax for ye olde robots.txt file. Remember: there's no notification if your robots.txt file doesn't parse right...except for deprecated levels of your site showing up in Google.

Mdadm Cheat Sheet | MDLog:/sysadmin

This will be utterly useless to anyone who isn't experimenting with software RAID on 2.26 kernels. For those of you who are just getting your feet wet with mdadm (e.g. YT), this crib-sheet is a nice resource. That might just point out some things you would otherwise have to plumb the dreaded man page for.

I helped out with the clicking backend for the site. It's a disgusting mess of PHP and MySQL, or else I'd share the code... :P

It's amazing to think that this thing just under 3 million clicks!

We've caught a few people cheating, and sparked some debate on Hacker News. Still, it looks like a lot of people really love to click the stupid thing. There's just something about it...

Nick has been doing some awesome screencasts about productivity and some other stuff... You should go check them out if you're into GTD or Merlin Mann.

After you watch the video - GO CLICK THAT BUTTON!

I posted it over on the Paperclip Google Group, which is a friendly and active place to hang out if you're a Paperclip user.

Here's an example using Test::Unit, which is still my favorite way to test :)

 
require 'test_helper'
class PhotoTest < ActiveSupport::TestCase
  setup do
    Photo.any_instance.stubs(:save_attached_files).returns(true)
    Photo.any_instance.stubs(:delete_attached_files).returns(true)
    Paperclip::Attachment.any_instance.stubs(:post_process).returns(true)
  end
 
  # tests...
end
 

The really important bit is stubbing out the post_process method. That took my unit tests down from 51.77 to 15.14 seconds. That's a HUGE win, especially if you consider slow tests to be a bug.

I'm not sure what kind of impact this has on test coverage, so you may want to consider not stubbing out the Paperclip internals in every case. I've got some separate "remote" tests that I run before deployments that make me feel warm and fuzzy enough. Let me know what you think about it. I've had really good results so far!

Thunderbird can't connect securely to because the site uses a security protocol which isn't enabled.

So, naturally, I whipped out T-bird's about:config, grepped the list for "ssl" and made sure that most of the contemporary ciphers were enabled (i.e. set to true). And once I was satisfied that things were on the up and up with my client, I decided to go have a look at the server.

Tailing mail.log, I noted this sort of thing happening over and over:

Mar 10 13:06:31 lana postfix/postfix-script[18701]: starting the Postfix mail system
Mar 10 13:06:31 lana postfix/master[18702]: daemon started -- version 2.5.5, configuration /etc/postfix
Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This message sort of blew my mind: I was essentially being told that my client, a Debian (Lenny) workstation running Thunderbird, shared no openssl ciphers with my email server, a Debian (Lenny) box out in the wild.

Not being the sort to ignore log warnings, I decided to verify. From the client:

gonzo:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

A fairly robust list. From the server:

lana:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Same cot-damn list.

"So what gives?"

I Googled around a bit and learned about "s_client", an argument for the openssl tool that lets you debug an SSL exchange. I ran the following on my client:

gonzo:/# openssl s_client -connect mail.XXXXXXX.com:993 -ssl3

It showed me that the port was open, but that there were handshake problems:

26282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
26282:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

From that cryptic output, I decided that it was time to dig into the SSL conf files over on the server.

After a little preliminary troubleshooting--a quick scan of /etc/postfix/main.cf and /etc/postfix/master.cf to check for obvious shenanigans--I decided to have a look at /etc/courier/imapd-ssl and found the source of my new SSL auth problem: I had, in my recent efforts beef up security, managed to overwrite my previous /etc/courier/imapd-ssl with a vanilla version of that conf file that had a big 'ol she in front of the argument that determines exactly which ciphers the IMAP daemon will use to authenticate requests: TLS_PROTOCOL was commented completely out, as was TLS_STARTTLS_PROTOCOL.

I took a quick look at the surrounding comments in the conf file and set both of them to "SSL23":

TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23

I then reloaded postfix, attempted to connect with my client and, to my dismay, saw this roll up in the mail.log:

Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This message, while cryptic enough to send me off to scratch my head and pore over comments on OsDir and the Ubuntu fora, was one that I eventually figured out. It turns out that those two TLS protocol directives do not want to be identical.

So I chaged the file thus:

TLS_STARTTLS_PROTOCOL=TLS1

And, once I had reloaded the IMAP daemon and postfix, voila: a clean log-in!

Mar 10 13:56:52 lana imapd-ssl: Connection, ip=[::ffff:XX.XXX.XXX.XXX]
Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:XX.XXX.XXX.XXX], port=[42130], protocol=IMAP

Letting things go

When you don’t have time for the things you really feel passionate about, look around yourself. What things are you hanging onto out of a false sense of obligation? Look beyond your assumptions, and you might be surprised at what can really go.

Rubular

Rubular is a Ruby-based regular expression editor. It's a handy way to test regular expressions as you write them. [A+++]

SoundManager 2

By wrapping and extending Flash 8's sound API, SoundManager 2 brings solid audio functionality to Javascript.

The 5 P's of Twitter's runaway success

Actually, I think we enjoy claiming we can’t describe what Twitter is, yet a closer inspection of it yields not only a better understanding of it but also why it’s become so prevalent in the media lately. And when that kind of inspection occurs, it’s not surprising to the inspector why Twitter is where it’s at today.

Twitter = YouTube

YouTube now gets more searches than Yahoo, Google's closest search rival. YouTube was the single fastest growing new form of search on the Web, and Google pretty much outflanked (and outspent) everyone to buy it. Not to get into video monetization, per se, but to harvest and control the most important emerging form of search. In short, Google could not afford to NOT own YouTube.

Procrastination and the Bikeshed Effect

This is one reason why I'm so down on architecture astronauts. I find that the amount of discussion on a software feature is inversely proportional to its value. Sure, have some initial discussion to figure out your direction, but the sooner you can get away from airy abstractions, and down to the nuts and bolts of building the damn thing, the better off you -- and your project -- will be.

Last Rites

The death of the newspaper is a depressing thing to absorb, but what’s much more disappointing to me is that I feel like news itself has been devalued. There’s an oversupply of news-”ish” information on the web, and people have decided — usually without realizing it — that free “news snacking” is a better value proposition than paying for in-depth reporting.

Database Versioning

Migrations bother me. On one hand, migrations are the best solution we have for the problem of versioning databases. The scope of that problem includes merging schema changes from different developers, applying schema changes to production data, and creating a DRY representation of the schema. But even though migrations is the best solution we have, it still isn’t a very good one. [Nice comments on this one, too. Especially mine :P]

Rack as a Transformative Figure

In the next few months, Merb and Rails will be making their routers a shared Rack component, and the same is true for a number of smaller elements, like parameter parsing.

Merb 1.1 roadmap, Merb & Rails3 news

If we want to make every single application, a potential mountable app, we need to namespace our applications. This is something we already do with slices, but currently generated applications are not namespaced. We are planning on doing that for 1.1 (backward compatible) to make mountable apps easier.

Offline Gem Server RDocs

Get Sinatra, Rubygems, and Passenger working for offline RDocs? Count me in. I saw this and new I had to have it. I’ve been on some long plane rides recently and I frequently find myself wanting to look up something from a gem’s documentation while I’m coding. You can use the gem server command but that’s just such a pain to do every time you want to look something up.

Timothy's Links

Microsoft Skull-fucks Iceland’s Economy, Contracts Syphilis

Ignore the inflammatory title of this article, memorize the talking points and have them ready for your next family gathering or office meeting. This is a fantastic summary (in plan language) of the micro- and macro-economic strategery of MS coupled with a healthy dose of intelligent outrage.

Scanwiches

What can I say? I found this enlightening and humorous. Images of scanned cross-sections of sandwiches. Simple. Elegant. Sandwich-y.

A Quick Look at Quick Uninstall

As John mentions, "Quick Uninstall" for your Android phone will live about as long as it takes for Google to recognize that what it provides is a basic functionality and integrate it into the Android trunk. Until then, however, this software is must-have if you (like me) are constantly downloading and uninstalling.

Debian Lenny PXE Installation on Dell PowerEdge 1950/2950 servers: bnx2 annoyances | MDLog:/sysadmin

WARN: Lenny's installer no longer supports Broadcom's NetXtreme II. Seeing as how this NIC (or one of its family members) is in pretty much every Dell manufactured in the last five years, this is an important "gotcha". Especially if you're dumpster-diving in Corporate America's dustbins for your hardware like me.

The Cadbury Creme Egg McFlurry - Slashfood

Sick.

Apple: Cosmetic Damage Keeps Us From Replacing Your Battery!

This is not marked because I consider it significant: anyone who has ever dealt with the "Genius Bar" knows that Apple's repair/replacement arm is about as interested in helping you out as Apple's retail arm is interested in charging you a reasonable rate for their products. What /is/ significant about this article is that there are, evidently, still people in the world who don't know this from experience. Like, until I saw this, I was convinced that everyone already had a wealth of Genius Bar horror story anecdotes. You could not have argued with me. I was certain. And then I saw this...

Firefox Tip: Prevent Firefox from Hogging Memory When Minimized

This is kind of key: LifeHacker writes about the about:config entry that lets you prevent FF from continuing to use memory when minimized. This is key: particularly if a.) you're minimizing it (instead of, e.g. giving it its own desktop) or b.) you have a nasty habit of leaving tabs open to websites that either automatically refresh or host flash media, etc.

The White House - Cyber review underway

Mostly I'm bookmarking this because its use of the term "cyberspace" as the one word summary for "communications and information infrastructure" made me laugh. And reminded me of William Gibson's cameo on Oliver Stone's "Wild Palms" where Kim Catrall introduces Wm Gibson with something like, "William invented the term 'cyberspace'" and the Gibber respondes, "And they won't let me forget it" before sauntering awkwardly off camera.

Wordpress mod_rewrite rules taking over mod_status

This is an interesting write-up of what happens if you've got a Wordpress install at the same TLD where you keep your Apache server-status page. Basically, Wordpress (quite correctly) ignores http requests for http://tld.com/server-status and dude shows you a sample apache rewrite for how to exempt requests for that specific URL from WP's automatic request redirection. Nice.

Why The New Watchmen Movie Will Bomb

I'm bookmarking this pretty much for the sole purpose of being able to come back to it next week and point out why thoughtful, delicate prognostication and careful made predictions are but a candle in the sunlight of enormous budgets. This movie will "succeed" commercially because it is massively over-funded. End of conversation.

The Authors Guild Sets Sights on Speak and Spell

So, here you've got a mildly derisive lampooning of the Author's Guild which, in the habit that the RIAA/MPAA have forced advocates of free expression/thought to become accustomed, seeks to portray the AG as a cartel and to represent their recent success in limiting the capabilities of the Kindle 2 as unfair or anti-competitive. And it's kind of funny. But it makes the wrong point. The AG, for sure, is in the moral/ethical/political/social/historical wrong. But the real point--the relevant point--is that the Amazon's desire to accommodate Mega Corp DRM schemes has finally been manifested in a design decision. That's the story here. Amazon put out a device that anti-DRM folks called flawed. Now we have a flaw to which we can point.

How FriendFeed uses MySQL to store schema-less data

After some deliberation, we decided to implement a "schema-less" storage system on top of MySQL rather than use a completely new storage system. This post attempts to describe the high-level details of the system. We are curious how other large sites have tackled these problems, and we thought some of the design work we have done might be useful to other developers.

Fit to be used

We tend to think of usability as applying only to interfaces. But it’s so much more than that. It’s about delivering something that’s fit to be used. That means it’s about writing copy that’s understood the first time. It’s about requests that are as easy to accomplish as possible. It’s about manuals that are one page instead of 40. It’s about code that you can paste in and works right away. It’s about putting yourself in the other person’s shoes. It’s about looking into the future, foreseeing any potential obstacles, and removing them. And that’s a great way to get people on your side.

Keywurl

Keywurl adds simple way of performing searches in Safari by letting you type short keywords as queries. Type a keyword and a query in the address bar, and it will be expanded into a predefined search.

4 Reasons to Prototype Rapidly

Here are 4 reasons for prototyping applications first. By prototyping, I mean an emphasis on building working applications rapidly.

CouchDB and Me

In this talk from RubyFringe, Damien Katz explains what drove him to create CouchDB, why he chose Erlang and more. [More personal than technical, but definitely worth watching.]

How to write a clean Ruby DSL - Part 2: Learning from Machinist

So, that’s how machinist works. It extends ActiveRecord to give the #blueprint and #make methods, then inside those methods makes a calls a method on the lathe class, which makes a new lathe object which deals with autogenerating attributes that we didn’t specify in make.

Net::SSH, Capistrano, and Saying Goodbye

I’m ceasing development on SQLite/Ruby, SQLite3/Ruby, Net::SSH (and related libs, Net::SFTP, Net::SCP, etc.) and Capistrano. I will no longer be accepting patches, bug reports, support requests, feature requests, or general emails related to any of these projects.

Batched Find in Edge Rails

Batched finds are best used when you have a potentially large dataset and need to iterate through all rows. If done using a normal find the full result-set will be loaded into memory and could cause problems. With batched finds you can be sure that only 1000 * (each result-object size) will be loaded into memory.

Building and Scaling a Startup on Rails

There are a bunch of basic functional elements to building out a popular Rails app that I've never really seen explained in one place, but we had to learn the hard way while building Posterous. Here's a rundown of what we've learned...

Startups in 13 Sentences

One of the things I always tell startups is a principle I learned from Paul Buchheit: it's better to make a few people really happy than to make a lot of people semi-happy. I was saying recently to a reporter that if I could only tell startups 10 things, this would be one of them. Then I thought: what would the other 9 be?

Timothy's Links

Portable toaster

Ho-lee-shit. If this is real--"this" being a ceramic device with carbon nano tubes that can summon enough heat to toast bread but which does not require batteries--then there is no price under $150 that is unreasonable.

Mini Oreo's being dunked in milk cup on Flickr

This is a cupcake--a real, life, edible cupcake--with a small cairn/navel/depression on its top that allows the user to fill the cupcake itself with milk. Must see.

HOWTO: Create a USB Debian Installation flash drive

This is a drop-dead-simple guide in the plainest possible language to creating a bootable USB drive that will install Debian. Knowing how to do this is an important part of eliminating socially, environmentally and politically irresponsible RO media from the world.

Why is the DOS path character "\"?

Thanks Reddit! If you've ever wondered why all the paths on Windows machines are wrong, why the escape character on Windows is "^" and so on, please read this little piece.

Marvell: Plug Computing

This is a computer in a wall wart. And that is about the greatest thing ever. Visions of an entire server farm only slightly larger than your average UPS are dancing through my head...

lenny-backports started

Just a friendly reminder (to myself, mainly) to update those sources.list files to include the new Debian backports information: better now than in a head-long scramble to resolve a BS dependency six weeks from now.

Henry Rollins on Iron

I...wow. Just...wow.

Things we can ban instead of videogames

This article, which encourages people to reassess the risk posed by videogames in light of the risk posed by other, equally ubiquitous and multifarious social phenomena, reminds me of those Schneier articles where he harps on the fact that more people die in car crashes every month than have been killed by terrorists in the entire history of humanity.

Watching Hard Drive Activity With iotop

Have you ever suspected that disc I/O on your RAID card was shitty? Wanted to verify that those mysterious, seemingly read/write related errors were, in fact, related to poor disc I/O? Watch your array crash and burn in real time with iptop!

Clutter: Declutter Your Home with a Detailed Inventory

I would hesitate to call this a revelation, but it does harp on a basic point of preparing to move (or help a loved one move): before you start packing, go through the place and eliminate redundancy. It seems obvious...until you're unpacking your third hardcover copy of _Paradise Lost_ and thinking to yourself, "Jesus--I can't believe I just drove 30-some-odd pounds of John Milton across the country."

AdFreak: Get these guys for your next videogame ad

So, some indie filmmaker/fanboy types whipped up this Halflife fan fiction video, it went viral and now they're trying to parley (what I'm sure they could insist on calling) their success as viral marketers into startup capital. And while I don't see nothin' wrong with turning your DIY/homebrew viral media project into a pay check, I think this is definitely going to come up the next time someone tries to convince me that the whole "viral" thing didn't jump the shark years ago.

Read me first: Why do IT systems use insecure passwords?

Schneier with a very brief piece on why sysadmins need to be the standard-bearers for the charge to convince users to a.) create better passwords and b.) stop trying to circumvent security measures for the sake of "convenience". I've been doing my fair share of evangelism. Have you?

NSA offering 'billions' for Skype eavesdrop solution • The Register

Courtesy of Schneier: apparently Skype is the go-to for secure voice communications. Good to know.

Untitled Document Syndrome

...the key is that it minimizes friction. There’s little friction to create a new note, and little friction to search for existing ones. And you never have to explicitly save anything.

GitHub at Startup Riot 2009

What went wrong? So many things. I could blame our market research or our promotional site, or our target demographic, but really it’s our fault. We weren’t in love with FamSpam – we never were. We thought it was a great idea, and maybe it was, but it was a great idea for our parents. For our families. For other people. Not for us. It wasn’t a site I would check every day. It wasn’t something my friends would use ever. I’m going to continue, but to me this is the most important point so far. The biggest failure. I wasn’t in love with the company I was trying to build.

Twitter creator Jack Dorsey illuminates the site's founding document

It was really SMS that inspired the further direction -- the particular constraint of 140 characters was kind of borrowed. You have a natural constraint with the couriers when you update your location or with IM when you update your status. But SMS allowed this other constraint, where most basic phones are limited to 160 characters before they split the messages. So in order to minimize the hassle and thinking around receiving a message, we wanted to make sure that we were not splitting any messages. So we took 20 characters for the user name, and left 140 for the content. That’s where it all came from.

Stars

The problem with rating systems in general is that only people who feel very strongly about something will take the time to rate it. For a five star scale, that suggests mostly one and five star ratings.

A Virtual Unknown: Meet 'Moot,' the Secretive Internet Celeb Who Still Lives With Mom

In this way, Poole's problem is the problem of the entire Internet, which is built on wireless connections and a lot of "theoretically." It's where people spend time, make friends, play games, get news -- and yet despite all of that philosophical worth, the smartest minds in the country still struggle with how to make even the most successful sites profitable.

QSB

Google Quick Search Box is an open source search box that allows you to search data on your computer and across the web. This app is very experimental, but through it you will be able to see many of the areas we are exploring: contextual search, actions, and extensibility. It is by no means feature-complete, but is a very good indication of things to come.

What will Web 3.0 be?

I’ve been researching CouchDB this week, and I’m getting more and more excited by it the more I learn. It combines data storage, REST-based APIs, scalability and data propagation through replication, and even application hosting. It’s actually a lot like Google’s internal infrastructure, but in an open and modular form.

The Law of Leaky Abstractions

The law of leaky abstractions means that whenever somebody comes up with a wizzy new code-generation tool that is supposed to make us all ever-so-efficient, you hear a lot of people saying "learn how to do it manually first, then use the wizzy tool to save time." Code generation tools which pretend to abstract out something, like all abstractions, leak, and the only way to deal with the leaks competently is to learn about how the abstractions work and what they are abstracting. So the abstractions save us time working, but they don't save us time learning.

Timothy's Links

WIPO: Jackass.com owner a real jackass, but can keep domain

This is just funny. It's an Ars story about a judge who confirms the right of a no-name squatter to his ownership of the jackass.com TLD in the face of claims from Big Media that they ought to be the owners of the domain because...well...just BECAUSE! OK!? God!

Updating to Debian Lenny - upgrade hangs during LDAP

This is another "read this if you're upgrading to Lenny now that it's finally stable" article. Contains a good warning about potential problems with LDAP.

Linux Tips: bash completion: /dev/fd/62: No such file or directory

This happened to me. If you manage virtual computers that live on xen servers, it could happen to you.

Keeping violent media away from boys could be a bad idea

To most sane people, the idea of keeping violent media out of the hands of impressionable children is as patently absurd as all other forms of censorship: the idea of raising children on strictly non-violent narratives means that you lose most of, if not all of the books that we regard (in the West, at least) as canonical. Bye-bye Iliad! Holler back, Star Wars: you will be missed. See-you-later, Old and New Testaments! This article from Ars describes the efforts of an author so dense that she actually feels the need to make the case _in favor_ of allowing children to consider violent media, lest they grow into extremely maladjusted adults who are utterly unprepared to make their way in a world in which violence is not only "the supreme authority from which all other authority is derived", but also the implicit means and end of most pursuits in which they will find themselves engaged.

41% of museums don't know how dogs actually walk

This is a (weirdly) interesting article on a.) how dogs walk and b.) how to correctly represent that in various media. Kind of a ship-in-a-bottle piece, but still a good read.

Magenta Ain't A Colour

Like optical illusions? Click here!

Hacks: Mario/Princess Road Sign

I bookmark'd a link to hack-a-day or some other hacker site a while back about how to reset passwords on these things and program new messages. Now I am proud to bookmark this picture of one such hack.

Draconian DRM revealed in Windows 7

Just switch already. They're eventually going to stop supporting the last functional version of Windows (i.e. Win2k) and then what? What will you do? Just bite the bullet, buy the MacBook and switch already.

Sharpen the Vim saw

More vim tips/tricks because you can never read too many vim tips/tricks pages. That is a fact.

Microsoft SharePoint Uses Hand Crafted GUIDs

On the one hand, it was kind of cheering to learn that some lowly MS coder hand-translated these URI strings into l337-sp34k . On the other hand, it was depressing to remember that people are actually using Sharepoint in their daily lives.

Canonical URL Tag

The announcement from Yahoo!, Live & Google that they will be supporting a new "canonical url tag" to help webmasters and site owners eliminate self-created duplicate content in the index is, in my opinion, the biggest change to SEO best practices since the emergence of Sitemaps.

Is the Relational Database Doomed? - ReadWriteWeb

Recently, a lot of new non-relational databases have cropped up both inside and outside the cloud. One key message this sends is, "if you want vast, on-demand scalability, you need a non-relational database". If that is true, then is this a sign that the once mighty relational database finally has a chink in its armor? Is this a sign that relational databases have had their day and will decline over time? In this post, we'll look at the current trend of moving away from relational databases in certain situations and what this means for the future of the relational database.

git pull with rebase

Users of Git are hopefully aware that a git pull does a git fetch to pull down data from the specified remote, and then calls git merge to join the changes received with your current branch’s work. However, that may not always be the best case. You can also rebase the changes in, and that may end up being a lot cleaner. This can be done simply by tacking on the --rebase option when you pull

Dead simple task scheduling in Rails

Despite having only a one line mention near the bottom of the page, I decided to check out rufus-scheduler, and it turned out to be exactly what I was looking for. There was no database table, queueing mechanism, or separate process to manage. Just a simple scheduler to call out to your existing ruby code.

What webhooks are and why you should care

While there’s a lot of value in webhooks today, it’s the future that really interests me. Webhooks are composable. You’ll point a webhook at a site that will call other webhooks. It might process the data, record it, fork it off to multiple webhooks or something stranger still. Yahoo Pipes tried to do this, but ultimately you were limited to what Yahoo Pipes was designed to do. Webhooks can be integrated and implemented everywhere. They piggyback the fundamental decentralized nature of the web.

The Russian Doll Pattern: Mountable apps in Rails 3

One of the hottest new features in Rails 3 is the ability to embed a Rails application in another Rails application. This allows the development of components that range from user authentication to a fully featured forum. These components can then be distributed as gems and fully integrated with another application. In fact, user private messaging could be a stand alone app, which is then mounted into a forum app, and finally mounted into your own custom app.

Receiving emails in Rails using Gmail & IMAP, while staying efficient and RESTful

For a recent project I had a need to receive emails (actually MMSs, but that’ll be the subject of a future post) in a Rails application. My requirements for the solution were: Shouldn’t require root access. Shouldn’t require firing up the Rails stack for every incoming email. Can be scheduled to run automatically.

Where data goes when it dies and other musings

The web is a fragile place it turns out, in spite of its redundancy and distributed design.

The Elephant in the Room: Google Monoculture

Now that Stack Overflow has been chugging right along for almost six months, allow me to share the last month of our own data. Currently, 83% of our total traffic is from search engines, or rather, one particular search engine: Google.

On fixtures and first-time testers

But what I’ve never understood is why fixtures are actually easier for a noob than just creating the model in Ruby.

The Lie

I do agree with Francis on about everything else though: Fixtures do suck, and testing is really fucking hard. By the time you realize you’re getting into Fixture Hell, moving your monstrosity of an application off fixtures is a daunting task. My solution (and currently the ENTP way): Machinist.

A Twitter Decision

When I look at Twitter, I see three early essential decisions about how Twitter allows you to craft a community. I believe much of Twitter’s continued success is due to definition and execution of these decisions.

Timothy's Links

Moto Android-based eBook reference design

Boo-yeah: this is my shit, this is what I'm talking about. The Kindle isn't a bad idea in and of itself, but closed software and tamper-proof OSes are the original bad idea and cancel out whatever promise that eBook might have held. Just wait until dudes get Android up and running on a Kindle-like device and watch the market for eReaders EXPLODE.

Firefox (In)Security Update Dynamics Exposed

Courtesy of Schneier, this is a (rather formal, white) paper that presents some research on just how up to date the majority of Firefox and Opera users are on any given day. If you're like me, you're running beta software (shit, probably alpha) when it comes to your browser, but you're responsible for the care and feeding of users running stable builds who might or might not have authority to patch/update them. This piece adds useful data to the conversation about either fact.

Official Google Reader Blog: What we did on our winter break

If you live and die by Google Reader (like I do), you probably need to make some changes in your life--display some fucking adaptability, as the Bard advised--and stop being so utterly dependent upon a service that is entirely beyond your control. But until that happens, if you're like me and you're one of the thousands of people who subscribe to the RSS of the Reader team's blog, then it will be old news to you that they've made substantial improvements in recent days. If you're not like me, however, you might be interested in reading up on what they've done in recent times. Who knows--you might just ditch your current reader for the Good (or at least your mobile one).

1Cast Home

Apparently 1Cast (TV newsfeeds on your smartphone) is coming to Android. In a matter of moments. Can't say I'm super-excited myself--I prefer the written to the moving image--but it's nice to see the diff between iPhone apps and Android Marketplace get another line knocked off of it.

AndroidAnki - Anki Wiki

This is the page for the only project I know of that is attempting to "port" anki to Android. Doing a good job so far, IMO.

11 Embarrassing Server Meltdowns that Cost Companies Millions - Web Hosting Unleashed

This is a good one to read if you've recently broken the website and are feeling kind of shitty about having caused massive outages: there's no way your fuck-ups could ever be as bad as these.

Source: Apple asked Google not to use multi-touch in Android, and Google complied » VentureBeat

More grist for the rumor mill. This idea, i.e. that Apple made some kind of political or corporate power play to keep multi-touch (i.e. "pinch") out of the Android OS, has been a scandal since before the release of the G1. I'm not sure if this makes me believe the conspiracy theories, but I think it's clear at this point that there were definitely some shady, backroom dealings going on at some point.

shell_sink

So this is this utility that, after some software installation (mostly just some script copies) and an easy-peasy registration, adds a feature to your Google applications that records and indexes your command line usage. I'm trying it out for now--what could possibly go wrong with keeping an infinite bash history?--and it seems promising.

Google turns on Exchange for iPhone and Windows Mobile users - Ars Technica

There is officially no reason to use a Microsoft program any longer. Thanks Google!

In the Ad Wars, Apple Still Has Microsoft’s Number

This is a nice "status of forces" kind of report about how Apple and MS are still squaring off in the international marketing arena for the hearts and minds of people who don't care about computers. It's useful if, like me, you live in a bomb shelter of booze, Linux and uppers so deep beneath the surface of the Earth that not even the mighty Crispin Porter + Bogusky have developed a bunker-buster powerful enough to penetrate.

App Review: Useful Switchers

Useful Switchers creates shortcuts to some of the most frequently toggled system settings on the G1 (thus fixing the UI design failure of having to open the menu, press "Settings" and then navigate down two or more menus to find what you were looking for). Hot shit.

Debian Package of the Day » vnstat - a console-based network traffic monitor

These guys continue to provide a quality service: I'd say a full 50% of the "pacakges of the day" they describe are ones I've never heard of before and which I will one day use again. vnstat is a utility for long-term (i.e. survives reboots) bandwidth usage monitoring. It may even help you kick your DIY bandwidth monitoring to the curb.