The caveats with the CDN are the same as if you had a v4 address; only certain ports (eg. 80, 8080, 443 , 8443, etc.) work. The output from your server is cached/proxied via CloudFlare's CDN servers. So it's not a full fix; eg. no port 22 to ssh in, but for running a web/http based service can be quite useful.

• DSA (No longer allowed by default in OpenSSH 7.0+)
• RSA
• ECDSA (OpenSSH 5.7+)
• ed25519 (OpenSSH 6.5+)

So which one to use?

In general, the best practice preference is to use ed25519 if possible, otherwise use RSA (4096 bits) due to mistrust of NIST's curve for ECDSA. Which key is chosen/created is managed by HostKeyAlgorithms in sshd.conf, and when you create a client key by running ssh-keygen. So what about the other parts of an SSH connection, and can I use an ed25519 key anywhere?

The key types are just one portion of an SSH connection; authentication. SSH connections have three major cryptographic phases, the key exchange, the authentication, followed by the negotiated symmetric encryption used by the rest of the connection. (If you want more detail, check out Digital Ocean or Cisco's explanations.)

Unlike the SSH key type, the ciphers and key exchange are decided on between sshd and ssh depending on their feature set and what is defined in their config files.

If you're running OpenSSH 6.3 or newer you can see what algorithms are supported by running one of the three commands: ssh -Q [cipher|mac|kex], or read man ssh_config.

Key Exchange

A glossed over version of the key exchange, has the client and the server share some information (eg. public keys) and use the Diffie-Hellman algorithm with a decided curve to set up the cipher (symmetric key) and the MAC (message authentication code to confirm validity) to be used for the rest of the connection.

Mozilla's recomended list of kex choices to use (specify in sshd_config) per their wiki is a great starting point. The summary being anything at least with a sha256 confirmation helps.

Encryption

The symmetric key created during the key exchange step is now used to encrypt and decrypt the rest of the connection.

Mozilla's wiki again lists the most recommended ciphers and MACs with the new chacha20-poly1305 being the first on the list.

Key Type Reference

* - disabled by default for sshd
1 - PuTTY stable only supports dsa and rsa but the latest development snapshots support ecdsa and ed25519.

TL;DR

Unless you're using CentOS 6 or Ubuntu 12.04, use ed25519 keys and Mozilla's config files to limit the preferred connection ciphers.

Other Resource Links

http://www.openssh.com/legacy.html

At the start of January, the City of Calgary made public the web page for bike counter on the Peace Bridge with promises of making more available including at least 10 more during the upcoming cycle track pilot. The Peace Bridge counter had data stretching back to April 24th, 2014 and by default was always showing the entire daily data set.

My first curiousity was whether I can could have a bookmark to just show the last week or so worth of numbers which led me to figuring out how the webapp worked. (Good ol' WebKit developer tools)

After that in tandem with some projects I was looking into for work I decided to start seeing about scrapping the data and storing it somewhere to compare numbers (different installations, averages, weather) more easily. So a big thank you for the people at the City and Eco-Counter for not telling me to "get lost and don't use things inappropriately".

As for how - the Python scripts just ask Environment Canada and the counters once a day for their last day's worth of new data (if possible) and store it in Graphite. Interacting with the data is Grafana 2 behind nginx. All hosted on a tiny instance on some publicly available free compute resources that I just happen to also manage as part of my day job. Funnily, most of the script writing was done during an all nighter at a Denny's in Kamloops waiting for 4 AM to roll around so I could swap some power cables in a maintenance window.

It's nothing fancy but it's fun to see what might come of it when data is made available.

1 - I had registered the domain last year and figured that was a good place to point until I had a better idea of how to use it.

While Linux Containers can best be thought of a super lightweight VM to run a whole VM, Docker contains a slew of other features that blur the lines between it acting like a super lightweight VM and being a full platform to build off of. Docker plays closer to the idea of a process/group of processes (application) under a chroot versus LXC's idea of a whole OS/machine in a chroot jail.

So it's misleading to think of a Docker container the same way as a LXC container. Same technology behind the scenes but completely different approaches. For Docker it's all in how you set up your container to run - you can have all the other services you normally get in a VM if you so wish.

For example with LXC setting up MySQL would consist of making the container, running the command to install MySQL and setting the service to go. You can then log in or attach and run other commands as well if necessary.

Docker on the other hand involves similar steps with the flexibility of having Docker do the install and run the service when the container starts (defined in the Dockerfile). However if you want to attach to that container and run more commands you have to have set access to do that up ahead of time (eg. supervisord, runit), create a new container with that command, or try and force your way into the container. (you can try lxc-attach but if you want a new TTY and you're attaching to a mysqld instance? Not going to work)

After figuring that out - the use of Puppet in Docker started to make more sense. Have Puppet configure your image and then save/commit that state or kick off the supervisord process to keep the container "alive". Docker lends itself more to recreating/iterating whenever a new update is needed over updating settings.

In summary - LXC container is analagous to a VM, while Docker a very supercharged sandbox for running a process or group of processes. Use LXC when you're wanting a separate "server" without the extra overhead, Docker when you're wanting to run a "service".

I also recommend reading the FAQ - primarily the what Docker "adds to LXC". In the end it's left me more leery of using Docker - it's a bit of a paradigm shift I'm not ready to do just yet.

On one last sidenote, IPv6 support also looks like a lot of pain - but not any worse than LXC.

Thanks to everyone who came out.

NOTE: THE BELOW DOES NOT WORK WHEN UPDATING TO FIREFOX 8+.

Unfortunately Firefox doesn't deal with plist files like most other Mac apps (part of it's cross platform nature) so MCX isn't an option. However you can manage Firefox by either editing the Application file itself (annoying) or by installing a global browser customization extension (easy).

If you want to low down on this and to also stand on the shoulders of giants; read Greg Neagle's posts about customizing Firefox:

• Firefox Default Settings
• Firefox Default Settings Revisited
• Firefox Global Extensions
• More Firefox Customization
• Firefox global extensions, again

The quick and dirty steps to disable updates:

1. Install the Firefox Client Customization Kit: https://addons.mozilla.org/en-US/firefox/addon/2553/
2. Launch the CCK Wizard from the Tools menu
3. Create a new configuration
4. Follow the Wizard through to the Customize Preferences section (the 12th or 13th screen). Be sure to remember the Unique ID (first screen) you gave the extension.
5. Add both the app.update.enabled and app.update.autoUpdateEnabled keys and set them to false. I also lock these preferences because I update the applications using munki
6. Save your CCK .xpi. The next extra steps involved here are so the user is not prompted to install the .xpi to their local extension folder when they launch Firefox. (I figured this out on my own and then noticed it was in the comments on the More Firefox Customization post and even has it's own post.)
7. Install the .xpi file it creates on your local profile (should just be able to double click on it or just drag it onto Firefox).
8. Go to your local Profile's extension folder (~/Library/Application Support/Firefox/Profiles/SOMETHING/extensions)
9. Find the folder that corresponds to the Unique ID you gave it on the first screen of the CCK. In my case it was an email address.
10. Copy that folder to /Library/Application Support/Mozilla/{ec8030f7-c20a-464f-9b0e-13a3a9e97384} (where global extensions are stored)
11. Open up Firefox and test to see if it is installed (check the Extensions loaded or if you used that menu item see if it exists)
12. Read Greg Neagle's post on More Firefox Customization for more details.

That folder you copied to the Global Extensions Folder can now be distributed to all your computers that need the CCK applied; either as a package (ideal) or using Remote Desktop.

Of note, extra things I like to do are to disable the welcome and upgrade pages, and add an item for our home page to the Help menu (also helps verify the extension is working) but I do allow users to disable the CCK if need be (though I've yet to know one to care enough to do so)

http://chealion.ca/content/images/preghost/OutputBDDVDWeb.pdf

I do have an audio recording of the first presentation I've given since high school but have yet had a chance to listen and edit it as necessary.

I hope everyone found it useful.

For brevity I'm leaving out the exact steps to hook this up with your favourite mail client but you can find that out fairly easily as it's only changing the SMTP server (or check my post about setting up Shaw's SMTP service) and change mail.shaw.ca to smtp.gmail.com and using your Google login instead of say Shaw's in the section about changing your SMTP server).

1. Set up a Google Account. If you have one you're good to go.
2. Log into Gmail
3. Go to Settings (link is in the top right)
4. Go to Accounts and Import
5. Under "Send mail as:" section click "Send mail from another address"
6. Enter your email address you want to use (eg. username@shaw.ca) and press Next
7. Choose to use Gmail's servers, press Next and choose Send Verification
8. Click on the link in the verification email. This will verify the email address so you can move onto step 9. You may need to check your Junk Mail folder.
9. Back at the "Send mail as" section (you may need to refresh the browser) click the "make default" link for the email address you set up and be sure that below it "Always reply from default address" is selected.
10. Now be sure to change your SMTP settings on your computer/mobile device accordingly. This varies from device to device as to the steps but is the most important step. If not set correctly (eg. not turning off other SMTP servers on an iOS device) will make everything we've done for naught.
11. Send an email to yourself to test and reply to it and make sure it gets to the right address. The only times I've ever seen an error here is if the SMTP wasn't set up correctly, step 9 wasn't followed or the carrier's SMTP server was enabled again (yes it's repeated because it accounts for 99% of errors I've seen).

Not difficult, but something I can grab when writing an email on how to do it. :-)

Please join me in welcoming Shaw's new feature of actually allowing Shaw email users to send email while travelling without resorting to webmail or trying to find the local ISP's SMTP server address (or seeing that Telus' mobile SMTP server is blacklisted AGAIN marking all your email as spam). This is of course ignoring that I don't recommend anyone actually use their ISP provided email address but instead use something a bit more dedicated like your own domain or an actual email service. It's still better than an AOL address.

Previously I'd been setting clients up to use a Gmail account as their proxy sending address when they have a Shaw or Telus email address - this makes it easier for Shaw clients. It's also a lot simpler than the Gmail approach (which I have yet to post here).

Coles Notes

1. Turn on Mobile Access using the new Webmail beta: https://wmbeta.shaw.ca
2. Change your SMTP settings to point to mail.shaw.ca using port 587, STARTTLS, and use your username and password as the authentication

More elaborate instructions

Setting Up Shaw's End:

1. Sign into https://wmbeta.shaw.ca
2. Click on Preferences (right side of screen - it’s a text link beside Feedback)
3. Click on the ‘tab’ that says ‘Mobile Access’
4. Set it to Enabled (click the radio button beside it)
5. You may need to change your password to meet their new security requirements.
6. Press Save. It will say “Preferences saved” in a small yellow box at the top of the page if it’s successful.

Thunderbird:

1. Go to the Tools menu and choose Account Settings
2. On the left side on that window click on “Outgoing Server (SMTP)”. You may need to scroll as it’s always the last item.
3. There should be an item associated with the Shaw account you just turned on. Whichever account you turned on Mobile Access for and click on it and then click the button that says “Edit...”
4. In the window that appears change the server name to mail.shaw.ca instead of shawmail or shawmail.cg.shawcable.net that it was set to. The port number should be changed from 25 to 587 and the Connection Security to STARTTLS. Authentication: Normal password and then enter your username
5. Press OK
6. If you did not change your password when setting up Shaw then press OK and you’re done. If you did change your password when setting up Mobile Access the next time you check email it will ask you for a new password and you can enter it.

Mail.app:

1. Go to the Preferences and click on the Accounts section
2. Click on your Shaw account on the left side
3. Where it says Outgoing Mail Server (SMTP): click on the drop down menu and choose "Edit SMTP Server List".
4. Find the Shaw SMTP server in that list and click on it.
5. Change Server Name to mail.shaw.ca
6. Click on the Advanced tab
7. Check off Use Secure Sockets Layer
8. Change the Authentication drop down menu to Password
9. Enter your username and password and then press OK.
10. Close the accounts preferences window and say yes to saving it if necessary.

Shaw's already provided instructions on setting up an account anew for iOS, Android and Blackberry devices: https://wmbeta.shaw.ca/doc/offnet-device-instructions.html

The hint? Just do a search for # HTTP request. Keep only GET, POST, HEAD for any version of AWStats.

Of note, as of the published date AWStats 7.0 does not count the files viewed correctly. I'm not sure why.

My primary reason for the extra work is that Google Chrome will not recognize a .mov file as a valid wrapper for video in HTML 5's <video> tags.

Using Compressor

You need to make your Compressor preset using x264 as a normal QuickTime movie preset (use the table below to help with settings if necessary). You'll then want to grab the script from GitHub and add it as a script to your preset.

Scripting Compressor isn't very straight forward, while you can use AppleScript or launch a script using Compressor they fail to mention that the script must be saved as an application and the file is accessed by using on open.

Helpful Table of Limitations

Android information is rather limited. Official Android information is near non-existent.

Thanks to:
- http://www.proactiveinteractive.com/software/compressor/index.php

The video codec for H.264 is: avc1.YYYYXX where YYYY represents the profile, while XX is the level (multiplied by 10 and turned into HEX):

Profile     Value   
Baseline    42E0
Main        4D40
High        6400
Extended    58A0

Level       Hex Value   
3.0         1E
3.1         1F
4.1         29
5.1         33

Now when I visit with an iPhone 3G it loads the baseline version, while my iPhone 4 and iPad both load the Main Profile version. For my current project I use video for whenever Flash isn't available and it does leave a gap for Firefox and Opera users who don't have Flash but according to our web stats they don't actually exist.

It's also important to note that Android users are also left in a lurch because any version lower than 2.0 doesn't support <video>, and those that do can't handle a <source> element having a type value like above. To top it all off it isn't able to play or show controls on a video on it's own. You have to add some JavaScript to your page in order to play to pass the click event and tell it to play.

The fix: Make sure "Always Insert Attachments at End of Message" is checked off (preference key is AttachAtEnd - boolean for you MCX minded folk) and you can now attach inline as you would normally want to without having Outlook eat your message.

Thunderbird will display the text correctly, but you'll lose it and it will only appear as an attachment once that email is forwarded or replied to: (Part 1.1.3 is the text "There's an attachment"). You'll also notice the horizontal rule separating between the different HTML portions of the email.

What program completely falls flat on it's face is Outlook; it just puts all attachments off to the side and you have no idea what's in the those ATT documents and your client sure as hell isn't going to read them. So you've sent the email, the email was successfully sent, the text will be visible on their webmail systems, on their mobile device (Blackberry or iPhone), and even visible in other mail clients but because it's technically an attachment Outlook won't display it inline by default. (For the same reason they won't show images by default in emails - the cookie tracking and that it's a great attack vector)

Of note, this only occurs when sending from Mail.app. Outlook can attach items inline and have no issue as it attaches the images at the end of the email.

Correct view:

Why would I want comments on my site? They provide a relatively frictionless (provided no registration is required) way for a reader to respond to something I have written to power Google's index.[^2] This includes developers responding to my criticisms of their applications, or some method of feedback. The feedback is part of the reason I even write comments anywhere else. It's still very possible to get a large volume of feedback relevant and helpful to the article/essay/what-have-you without detracting from it. (eg. Coding Horror as an example - not always, not perfect but on a whole a decent example) Comments at one time also help differentiate the "new media" from the "old media", it promoted the idea that the reader could be involved instead of just a a passive listener.

Why do I think I should remove comments from my site? Spam and focusing on the content. I don't like being required to run Akismet, or remembering the issues of using Moveable Type 2.x and the necessity of MT-Blacklist. Erasing the spam issue is definitely enticing, especially with some many other avenues of feedback.

Additionally once comments grow beyond a certain quantitative threshold they simply become drive by soapboxes or discussion boxes with little to no control of their direction (unless heavily moderated) and relevance to the whole point of the page's existence. If you really want people to discuss with each other about something you've put forward as a conversation piece? Consider setting up a proper forum[^3] for the thread control so it doesn't feel like a discussion has been shoehorned into something that doesn't quite fit correctly. Personally the whole point of my corner of the web is not to make conversation pieces but to showcase something I actually want to broadcast more widely to the world.

But wait. Why should I even care if they're on or off? Be practical - for many comments are your first way to get feedback without the roadblocks (registration, emailing, etc.) that are necessary to keep the volume manageable for higher volume sites. Comments don't scale with the purpose of a blog, website, whatever you want to call your little corner of the world wide web. If you're small enough they don't exist, if you're big enough they overshadow or fail completely miserably at being either a way to leave a note for the author or as a discussion board. So in the big picture - the choice doesn't matter. What matters is whether they are a positive or a negative impact to you, the moment it's negative kill it - there's no saving the signal when the noise gets too loud. If it's positive, keep it.

Don't sweat it and focus on writing (or doing your thing).

[^1]: RIP daringfireballwithcomments.net - it was hilarious and a perfect example as to why Gruber should keep his site just the way it is. [^2]: My traffic consists of 3 people who follow using RSS and about 30 people a day from random search terms. [^3]: This doesn't have to be proper forum software such as phpBB and such but they do offer the more advanced features one would want when dealing with diverging threads of discussion.