E4X: no &gt; for you

January 22nd, 2010

In E4X (the inline XML syntax of ActionScript 3), the “greater than” symbol is not always XML-encoded as “&gt;”, while the “less than” symbol always is.  This looks odd, but it is valid according to the XML spec.  Inside a quoted attribute value, as in the example below, the only characters that can end the value or start markup are the closing quote, “<” and “&”; a literal “>” cannot, so leaving it unescaped still produces well-formed XML.  When you review generated XML for injection, those three characters are the ones to check.

var bar:String = "< wokka >";
var xml:XML = <foo value={bar}>The value is unbalanced</foo>;

trace(xml.toXMLString());

/*
<foo value="&lt; wokka >">The value is unbalanced</foo>
*/

http://www.w3.org/TR/REC-xml/

The ampersand character (&) and the left angle bracket (<) MUST NOT appear in their literal form, except when used as markup delimiters, or within a comment, a processing instruction, or a CDATA section. If they are needed elsewhere, they MUST be escaped using either numeric character references or the strings "&amp;" and "&lt;" respectively. The right angle bracket (>) may be represented using the string "&gt;", and MUST, for compatibility, be escaped using either "&gt;" or a character reference when it appears in the string "]]>" in content, when that string is not marking the end of a CDATA section.

In the content of elements, character data is any string of characters which does not contain the start-delimiter of any markup and does not include the CDATA-section-close delimiter, "]]>". In a CDATA section, character data is any string of characters not including the CDATA-section-close delimiter, "]]>".
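The spec rules quoted above, applied in an added example (Python rather than ActionScript, and not code from the original post): a minimal escaper that does only what the XML spec requires, so ">" stays literal except where it would complete "]]>", plus a round trip through a strict XML parser to show that the result, including the E4X-style attribute value shown above, is well-formed and decodes back to the original string. The function names and the hostile sample input are this example's own.

```python
import xml.etree.ElementTree as ET


def escape_text(s: str) -> str:
    """Escape element content exactly as the XML spec requires, and no more.

    '&' and '<' must always be escaped.  '>' only has to be escaped when it
    would complete the CDATA-section-close delimiter ']]>'; every other '>'
    is left literal.
    """
    out = s.replace("&", "&amp;").replace("<", "&lt;")
    return out.replace("]]>", "]]&gt;")


def escape_attr(s: str, quote: str = '"') -> str:
    """Escape an attribute value that will be delimited by `quote`.

    Beyond the text rules, only the delimiter itself must be escaped: a
    literal '>' cannot terminate a quoted attribute, which is why the E4X
    output above is well-formed.
    """
    entity = "&quot;" if quote == '"' else "&apos;"
    return escape_text(s).replace(quote, entity)


def element(name: str, attrs: dict, text: str) -> str:
    """Serialize one element using the minimal escaping above."""
    attr_str = "".join(f' {k}="{escape_attr(v)}"' for k, v in attrs.items())
    return f"<{name}{attr_str}>{escape_text(text)}</{name}>"


def roundtrip(name: str, attrs: dict, text: str):
    """Serialize, parse with a strict XML parser, and return (xml, attrs, text).

    If an escaping rule were missing, ET.fromstring would raise ParseError
    or hand back a different structure than the one we put in.
    """
    doc = element(name, attrs, text)
    node = ET.fromstring(doc)
    return doc, dict(node.attrib), node.text or ""


if __name__ == "__main__":
    # The post's own case: '<' is escaped, '>' is not.
    doc, attrs, text = roundtrip("foo", {"value": "< wokka >"}, "The value is unbalanced")
    print(doc)

    # Constructed hostile input: a quote, markup and a CDATA terminator.
    payload = '"><script>alert(1)</script><x y="'
    doc, attrs, text = roundtrip("foo", {"value": payload}, "a ]]> b & c")
    print(doc)
    assert attrs["value"] == payload and text == "a ]]> b & c"
```

The parser is the arbiter here: the attribute value and element text that come back are byte-for-byte what went in, and the serialized document contains exactly two "<" characters, the two foo tags, no matter what the payload holds.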

Coming soon: Lizakowski Labs

January 5th, 2010

I’m creating another blog to show some of my technical side-projects and research.  This covers everything from programming, to robotics, number theory, optics & lasers, circuit design, polymer chemistry, physics, psychology, economics, simulations, data visualization, and random experiments à la MythBusters.

Those who know me find these entertaining.  I figure that these random adventures should be shared.

At present, the design is not finished - I’m adding some content before we tweak it.  It’s also a lower priority than client work. But I expect it to be launched this month.

When it’s ready, it will be at http://labs.lizakowski.com

Using multiple iTunes accounts on the same desktop

January 5th, 2010

I’m trying to use multiple iTunes accounts on my mac.  Some things, like music, I want to purchase with my personal iTunes account.  Other things, like work-related apps, I want to purchase with my business account.  I only want one desktop, so these two iTunes accounts must work on the same desktop / mac login.  Some googling found conflicting advice on how to do this, but I think I’m close to arranging it.  Here is what I have so far.

iTunes only allows one account to be associated with a library.  However, if you hold down the Alt (Option) key when starting iTunes, it lets you select or create a new library.  I created one library for personal use and one for work.

The next step is to associate each library with a different account.  This does seem to work.  However, my initial finding is that iTunes tends to stick with one or the other.  So, for now, one has to log out as the first user and then log in as the other user.

I’d like to see if I can get it to remember the association of library->account.  However, the situation does seem workable.

One caveat is that an iPod can only be associated with one account.  If you leave it plugged in and open the other iTunes library, it offers to nuke the contents and sync with the other library.  You can make the message go away, and I’m guessing you could undo the erasure by syncing with the original iTunes library.  In fact, that might be handy - if it works that way.  I’m not quite ready to try this, as I’ve only had the iPod touch for a couple days, but it’s on my list for experimentation.

Prevent RSI injuries with RSIBreak

April 8th, 2009

On Kubuntu (and other distros), there is a program called RSIBreak.  It works like a screensaver, monitoring how much you type or use the mouse.   If you don’t stop for a break occasionally, per a schedule of breaks, it reminds you to relax for 20-60 seconds.  As a result, the breaks are not based on fixed times, such as every 10 minutes, but are dynamic and depend on your natural usage.

It really works well, and stays out of the way more than I expected. It turns out that I take a lot of breaks anyways, usually while reading a webpage, so it only needs to remind me when I’m deep in coding or typing a long email.  Usually when it tells me to stop, I can tell that I need a break anyways.

If you don’t observe the popup, it optionally dims the screen and gives you the option to cancel or lock.  Often, if I’m “in the flow” while coding, I won’t notice the popup, and the dim screen is actually useful.  If you cancel, you can go back to working.  If you press ‘lock’, it locks you out for the prescribed number of seconds.  I believe you can also configure it to forcibly lock the desktop for every break without a cancel option, if you need the extra persuasion.

If your Ubuntu Jaunty Alpha or Beta has no keyboard or mouse…

April 8th, 2009

The keyboard and mouse fail to work under a certain kernel.  For whatever reason, the kbd and mouse drivers don’t load, and logging in becomes difficult.

Until a fix is released during the beta testing, the secret is to boot with a different kernel.  Instead of the default, which was the server kernel for me, I just used the generic kernel, which was the third option (on a fresh Kubuntu install).  Then everything works fine.

Google Calendar + Thunderbird + iCal Email invitations

April 3rd, 2009

If you are trying to get google calendar working with thunderbird email invitations, it seems there are a few tricks to get it working.  Here are some quick notes that might be helpful:

Install Lightning 0.9 or later.  If you are on x64, select ‘other systems’ and you’ll be led to the x64 version of the XPI file.  Firefox will offer to install it, but it’s a Thunderbird add-on, not a Firefox one.  Decline, save the file to your hard drive, and install it from Thunderbird’s Add-ons page instead.

Install google calendar provider 5.1 or later.

Add a new calendar, from the network, using ‘google’

Grab the ical link for private calendars on the sharing tab of your calendar’s properties page (I also tried xml but ical seemed better).

Check the error console if you have issues.

modification_failed:  due to a wrong timezone in Lightning.  If the timezone list doesn’t appear in the preferences, go to the advanced config editor and blank out the timezone setting (it was set to ‘floating’ in my case).

You need to set the enablecalendarinvites option to true in the advanced options editor.  I also set the auto-refresh timeout to 15; the default was 3, and the internet connection was slow (not sure if this helped).

To see updates, reload the remote calendars in lightning, then click the refresh link in google calendar.

Make sure that your thunderbird email account is selected in the properties for the local calendar.  You might also want to disable all calendars that are not google.  Otherwise, it’s easy to see an event that’s actually on your local non-google calendar, and then wonder why it’s not syncing.  Don’t just hide the calendar, actually disable it temporarily.

And, after much testing and trying, it finally worked.  The same recipe had to be tried more than once before it eventually succeeded.  Ditto on my Windows laptop, which worked much better after sitting for 24 hours.

Some say you can make it work with just calDav.  That seemed to have too many issues when I tried it.  You don’t need all of this if you just want bi-directional calendar edits.  These extra steps are for enabling email invitations to be received and reflected both locally and on google.

Blackberry at Mach 8

March 21st, 2009

Apparently the blackberry simulator can’t handle a GPS simulation speed of around 2700 m/s.   The simulator crashed as soon as the setting took effect.

Getting started with Blackberry Storm development

March 20th, 2009

After having the BlackBerry Storm for a few weeks, it’s time to build some apps.

To get started, you need the JDE (which is essentially Eclipse).  Java may be cross-platform, but the JDE for the Storm is not: the JDE and simulator only run on Windows.  While they offer a plugin for Eclipse, it was easier just to install the prepackaged Eclipse that has the plugin already configured.

A good resource for getting started is this document.

BlackBerry_Java_Development_Environment_getting_started.pdf

Also, make sure to set your PATH variable, or the compiler will fail to find javac. I expected that to be done as part of the install process, but it has to be done manually.

The tutorial below has a good description of the steps required:

getting-started-with-the-blackberry-java-development-environment-jde/

SQL to quickly find nearby addresses in Rails

March 20th, 2009

If you want to find nearby restaurants, gas stations, or hotels in a Rails app, sorted by distance, you can use a custom SQL query in Rails.  This gives better performance than trying to do it through ActiveRecord methods.

I profiled ActiveRecord & Rails last year, and found that most of the application’s time was spent loading in *all* columns from the database and parsing the values.  By only grabbing the necessary columns, and by pre-filtering with SQL, this boosted performance by an order of magnitude.  As of early 2008, it was also faster to push the math into SQL.  With the new Ruby, Rails, and Merb combo coming out soon, these performance numbers will change.

The code below creates an array of Location objects.    First, it builds a bounding box and limits records to those that fall within that rectangle.  Then, for the remaining records, it calculates the sum of the squared differences and sorts by that.  The sqrt isn’t necessary for sorting purposes; if you want the distance, take the sqrt of dist as needed.  Note that this treats a degree of latitude and a degree of longitude as equal units, which is fine for a small radius but is not a true great-circle distance.

The performance of this query will vary by database type, and it can be optimized further.  But this was sufficient for the app we were building.

This code expects variables called lat, lon, and offset_degrees (the search radius, which limits results), plus an optional kwclause holding an extra SQL condition.  kwclause is spliced into the query text rather than bound as a parameter, so it must never be built from user input; the coordinates go through the bind hash and are escaped for you.

# Assumes lat, lon and offset_degrees are set.  kwclause is an optional extra
# condition such as " AND loc.category = 'hotel'"; it is spliced into the SQL
# as text, so build it only from fixed strings, never from request parameters.
kwclause ||= ""

search_results = Location.find_by_sql([
  "SELECT
     loc.id, loc.name, loc.address, loc.city, loc.postalcode, loc.lat, loc.lon,
     (pow((loc.lat - :testlat), 2) + pow((loc.lon - :testlon), 2)) AS dist
   FROM locations AS loc
   WHERE (loc.lat < :maxlat AND loc.lat > :minlat
          AND loc.lon < :maxlon AND loc.lon > :minlon #{kwclause})
   HAVING dist < :maxdist
   ORDER BY dist
   LIMIT 15",
  { :maxlat  => lat + offset_degrees, :minlat  => lat - offset_degrees,
    :maxlon  => lon + offset_degrees, :minlon  => lon - offset_degrees,
    :testlat => lat, :testlon => lon, :maxdist => offset_degrees**2 }
])

no such file to load — net/ssh (LoadError)

March 16th, 2009

no such file to load -- net/ssh (LoadError)

If you get that error, you might need to add  require 'rubygems'

I received this error while trying to do a deployment without capistrano.  Cap was mostly undocumented, and now might be unsupported, so I’m trying to see if one can do the same with net-ssh directly.

Mercurial and the case for signatures

March 6th, 2009

Authentication with distributed version control systems (DVCS) poses a challenge not seen with centralized systems.  A centralized system can enforce simple password checking, and you can trust the identities if the system is configured correctly.  Distributed systems lack that ‘identity oracle’ and cannot securely enforce simple password checking.  Many let you specify any string as your username and email address without any verification.  This has some obvious security holes, and the fix is signatures.

Mercurial and git currently lack inherent cryptographic signatures on commits.  One can optionally sign code, but if a single commit lacks a signature, the scheme fails.  The system needs to be automatic.

The solution is to have an optional mode where every commit is automatically signed using GPG or an equivalent, and branches with unsigned commits in their history are not allowed to be merged.    For open source, this would be sufficient just to log identities (which can still be anonymous).  To limit usage to a set of known keys, one could use an authorized_keys file to limit the acceptable signatures.

Signatures provide a very limited definition of identity. You don’t know who is really behind the keyboard, or if that person has multiple keys. But, if you trust that person, you can decide to trust whatever they sign, and trust that they will keep good control over their keychain.
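The merge policy described above (no unsigned commit anywhere in a branch's history, and every signer drawn from an authorized_keys-style list), as an added example that is not part of the original post. It uses git rather than Mercurial because git later gained per-commit signatures and reports their status in log output; the check parses a constructed sample of `git log --format='%H|%P|%G?|%GK'`, walks the entire ancestry of a branch head, and rejects the branch if any commit is unsigned, badly signed, or signed by a key outside the authorized set. The shortened hashes, key ids and function names are this example's own.

```python
# Constructed sample of `git log --format='%H|%P|%G?|%GK' <branch>`:
# commit|parents|signature status|signing key id.  %G? is G (good),
# B (bad), U (good signature, key not trusted by gpg), N (unsigned).
SAMPLE_LOG = """\
c3f1|b2e0|U|4AEE18F83AFDEB23
b2e0|a1d9 f0e8|G|4AEE18F83AFDEB23
f0e8|a1d9|N|
a1d9|9c7b|G|0123456789ABCDEF
9c7b||G|4AEE18F83AFDEB23
"""

# The authorized_keys equivalent for commit signers: key ids we accept.
AUTHORIZED_SIGNERS = {"4AEE18F83AFDEB23"}


def parse_log(text):
    """Map commit hash -> (parent hashes, signature status, key id)."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, parents, status, key = line.split("|")
        commits[commit] = (parents.split(), status, key)
    return commits


def policy_violations(commits, head, authorized):
    """Walk every ancestor of `head`; return {hash: reason} for each failure.

    A branch is mergeable only when this comes back empty.  Status 'U'
    (good signature, key unknown to gpg's web of trust) is accepted when
    the key is in `authorized`, because that list replaces gpg's trust model.
    """
    violations, seen, stack = {}, set(), [head]
    while stack:
        commit = stack.pop()
        if commit in seen:
            continue
        seen.add(commit)
        if commit not in commits:
            violations[commit] = "not present in the log"
            continue
        parents, status, key = commits[commit]
        if status not in ("G", "U"):
            violations[commit] = f"signature status {status!r}"
        elif key not in authorized:
            violations[commit] = f"signed by unauthorized key {key}"
        stack.extend(parents)
    return violations


def branch_is_mergeable(log_text, head, authorized=AUTHORIZED_SIGNERS):
    """True only if every commit reachable from head passes the policy."""
    return not policy_violations(parse_log(log_text), head, authorized)


if __name__ == "__main__":
    found = policy_violations(parse_log(SAMPLE_LOG), "c3f1", AUTHORIZED_SIGNERS)
    for commit, why in sorted(found.items()):
        print(commit, why)
```

In the sample, the head c3f1 is itself fine, but its history contains an unsigned merge parent (f0e8) and a commit signed by a key that is not on the list (a1d9), so the branch is refused; the older commit 9c7b on its own passes. The same walk is what a pre-receive or pretxnchangegroup hook would run.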

Useful CSS, Flash, Photoshop, After effects video tutorials / resources: MCTC follow up

March 3rd, 2009

Hey everybody. Thanks for giving Mike and me the time to speak to you all. Here is a list of websites and resources you may find useful. Some I mentioned in class, some I just found today.

Design / Media

AfterEffects video tutorials - http://www.videocopilot.net/tutorials/
Flash video tutorials - http://gotoandlearn.com/
List of Photoshop video tutorials - http://www.smashingmagazine.com/2008/03/28/adobe-photoshop-video-tutorials-best-of/
List of Illustrator video tutorials - http://www.smashingmagazine.com/2009/01/04/50-excellent-adobe-illustrator-video-tutorials/
Corel Painter video tutorials - http://www.corel.com/servlet/Satellite/us/en/Content/1171405215200

Coding

ASP.NET video tutorials - http://www.asp.net/learn/videos/
Actionscript video tutorials- http://gotoandlearn.com/
PHP video tutorials- http://www.phpvideotutorials.com/free
PHP code samples, functions, etc. - http://www.php.net/
CSS / web design video tutorials - http://css-tricks.com/video-screencasts/
CSS and Javascript (more) tutorials - http://www.w3schools.com/

By Pete Klein

Actionscript3 compiler: Error 1046 Boolean not found

January 28th, 2009

I found my second compiler bug in flash today.  The first involved an obscure combination of a switch statement and a few other statements in a particular order.  I submitted the fix, including demo code, to adobe last year.

The new bug involves the following error messages:


1046: Type was not found or was not a compile-time constant: Boolean.
1046: Type was not found or was not a compile-time constant: String.

Unlike most compile issues, this one does not provide a line number, so you don’t know where to find the offending code. This fact, combined with not being able to locate internal types, leads me to call this a compiler bug.

The cause appears to be a naming conflict. I had an .as file defining an object with the same name as a MovieClip in the library.

The file was intended as a mock object to replace a MovieClip that didn’t exist in the test FLA. The .as file was located in the root of the app’s directory structure, which worked for testing. The conflict occurred because the main app, which already had the MovieClip in the library, saw the .as file in the root and imported it.

The offending one-line .as file is as follows:
var moviename:flash.display.DisplayObject;

When I add or remove that file, the bug appears or disappears.

The compiler should flag this as a naming conflict, possibly pulling up the line of code in the as file.

Configuring Mercurial and hg-ssh for a centralized repo

January 13th, 2009

I’m thinking of switching over to Mercurial for our source repositories. The benefit of a DVCS in our situation is that we can continue work when we don’t have connections to the server.  This adds another way to survive a server crash, and a means to work without wifi.

However, we need a centralized repository for collaboration purposes.  It should be possible for each developer to push changes to the server without intervention from a project owner.   The repository should also enforce permissions and prevent any user from corrupting or toasting the repo.  The users are sometimes 3rd party contractors, hired by the client, and I don’t mind them changing code as long as there exists a secure log of their changes, and a means to back them out.

I first tried setting up hg-admin-tools.  I had some trouble getting ssh-agent working properly, and the tools didn’t install per the suggestions of several tutorials.  Then, I decided to try hg-ssh.

hg-ssh is a script that sshd runs on the developer’s behalf via a command= option in ~repo_owner/.ssh/authorized_keys.  Each developer’s public key goes into that file, prefixed with options that force every session through hg-ssh.  The script reads the command the client actually asked for from SSH_ORIGINAL_COMMAND, accepts only “hg -R <repo> serve --stdio” for a repository named on its own command line, and refuses anything else.  This authenticates the developer and also protects the repo (and the server) from arbitrary commands.  Note that it authenticates the key, not the username recorded in each changeset, which the client supplies unchecked; tying changes to a person needs signatures, which is the subject of the post above on Mercurial and signatures.

The steps:

1)  Make a user on the server to own the repos, let’s call it hg.  Lock its password so only key-based logins are possible, but leave it a real login shell: sshd runs the forced command through that shell, so a nologin shell would break hg-ssh.

# make user
sudo useradd -m hg

# lock the account so no password-based logins are possible
sudo usermod -L hg

2)  make a subdirectory to hold the repos (optional), let’s call it repos

3)  create a repo in that directory, such as “hg init testrepo”

4)  Download hg-ssh and place the script in ~hg, and chmod u+x

wget http://www.selenic.com/repo/hg-stable/raw-file/tip/contrib/hg-ssh
chmod u+x ~hg/hg-ssh

5)  Each developer uses ssh-keygen to make a key, if they don’t have one yet

6)  Append all the developer keys to ~hg/.ssh/authorized_keys (create ~hg/.ssh with mode 700 and the file with mode 600, owned by hg, or sshd will ignore it under StrictModes)

7)  For each key, add the following options before the key, all on one line.  The options are separated by commas with no spaces; sshd rejects the whole entry otherwise.  Use absolute paths, and list every repository the key may reach after hg-ssh:

command="/home/hg/hg-ssh /home/hg/repos/testrepo",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa.....

Note: don’t forget to add the hg user to AllowUsers in the sshd config, if you are restricting by username.

8)  The developer can then clone the repo using

hg clone ssh://hg@servername.com/repos/testrepo

If you use non-standard ports for ssh, just add the port after the domain name:

hg clone ssh://hg@servername.com:007/repos/testrepo
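The whole procedure above stands or falls on the authorized_keys entries, so here is an added example (Python, not part of the original post or of Mercurial) that audits such a file: it parses each entry the way sshd does, including quoted options that contain commas and spaces, and reports every key that lacks a command= forcing hg-ssh, points hg-ssh at a repository outside the repo directory, is missing one of the no-* options (or OpenSSH 7.2's `restrict`, which implies them), or is malformed so that sshd would silently ignore it. The sample file, its dummy keys, and the paths /home/hg/hg-ssh and /home/hg/repos/ are this example's assumptions.

```python
# Constructed authorized_keys for the hg user; the key material is dummy text.
SAMPLE_AUTHORIZED_KEYS = """\
# alice: correct entry
command="/home/hg/hg-ssh /home/hg/repos/testrepo",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0alice alice@example
# bob: a space after the comma, so sshd cannot parse the options and ignores the line
command="/home/hg/hg-ssh /home/hg/repos/testrepo", no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0bob bob@example
# carol: no options at all, which is an unrestricted shell as the hg user
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0carol carol@example
# dave: hg-ssh pointed outside the repo directory, and no no-pty
command="/home/hg/hg-ssh /tmp/elsewhere",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0dave dave@example
# erin: OpenSSH 7.2+ 'restrict' implies all the no-* options
restrict,command="/home/hg/hg-ssh /home/hg/repos/testrepo" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0erin erin@example
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
NO_OPTIONS = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
HG_SSH = "/home/hg/hg-ssh"       # assumed install path from the steps above
REPO_ROOT = "/home/hg/repos/"    # assumed repository directory from the steps above


def split_options(line):
    """Return (options_text, rest): the options end at the first unquoted whitespace."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""


def parse_options(text):
    """Split 'a,b="x, y",c' on commas outside quotes into {'a': '', 'b': 'x, y', 'c': ''}."""
    opts, cur, in_quote = {}, "", False
    for ch in text + ",":
        if ch == '"':
            in_quote = not in_quote          # drop the quotes, keep their contents
        elif ch == "," and not in_quote:
            if cur:
                name, _, value = cur.partition("=")
                opts[name] = value
            cur = ""
        else:
            cur += ch
    return opts


def audit_authorized_keys(text, hg_ssh=HG_SSH, repo_root=REPO_ROOT):
    """Return [(line_no, problem)] for every entry that is not a locked-down hg-ssh key."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES):
            opts, rest = {}, line            # bare key, no options at all
        else:
            raw, rest = split_options(line)
            opts = parse_options(raw)
        key_type = rest.split()[0] if rest else ""
        if not key_type.startswith(KEY_TYPES):
            problems.append((n, "malformed entry; sshd will ignore this line"))
            continue
        command = opts.get("command")
        if command is None:
            problems.append((n, "no command= option: this key gets a full shell"))
        else:
            prog, *repos = command.split()
            if prog != hg_ssh or not repos or not all(r.startswith(repo_root) for r in repos):
                problems.append((n, f"command does not confine access to {repo_root}: {command}"))
        if "restrict" not in opts:
            missing = NO_OPTIONS - set(opts)
            if missing:
                problems.append((n, "missing " + ",".join(sorted(missing))))
    return problems


if __name__ == "__main__":
    for n, problem in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {n}: {problem}")
```

Run it against the real file with `audit_authorized_keys(open("/home/hg/.ssh/authorized_keys").read())`. On the sample it flags bob's line as malformed (the stray space), carol's as an unrestricted shell, and dave's twice, for the repository path and the missing no-pty; alice and erin pass.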

SSH/Debian Compromise - now that’s a bug

January 13th, 2009

I was browsing the web, and came across some interesting details about the SSH compromise back in the first part of 2008.  I had heard about a vulnerability, but assumed it was something obscure - the kind of bug that requires tricky math and is hard to implement.

It turns out it was easily exploitable.  According to the site below, someone commented out a couple of lines of code in Debian’s OpenSSL package because they were causing valgrind to complain.  Unfortunately, those lines were what fed entropy into the random number generator.  After that edit, the only things that varied between key generations were the process ID and the distro/architecture (plus the key type and size).  Since there are 32,768 PIDs, there were 32,768 possible keys per variant (and likely far fewer in practice).  So, if you pre-generated those 32,768 keys, you could log in to any system that trusted a key generated on an affected Debian-based machine between late 2006 and the fix in May 2008, or impersonate any host whose key came from one.

http://www.metasploit.com/users/hdm/tools/debian-openssl/

Yeah, that’s a bug.  Any SSH keys from that time are suspect.  Anything transmitted or encrypted with those keys is suspect.  So is any server that relied upon them for security in lieu of passwords.  The list goes on…  The keys may have been replaced since then, but the effects could linger.  Even if nobody knew about it at the time, data is forever.  People could crack old snapshots of encrypted files years after the vulnerability is patched.

I think this makes an argument for multiple layers of security, where possible.
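The enumeration described above, as an added example that is not from the original post or from the linked toolkit: a toy model in Python in which "key generation" is a hash of the PID plus a couple of assumed platform variables, a precomputed table of every key such a generator can ever produce, and a lookup that identifies weak keys among a set of fingerprints. PID_MAX, the platform and key-type lists, and all the names are this example's assumptions; the real toolkit did the same thing with genuine OpenSSL keys per architecture and key size.

```python
import hashlib

# Toy model of the Debian OpenSSL bug.  Real key generation is replaced by
# a hash of the few inputs that still varied once the entropy-gathering
# code was removed.  The point is the size of the key space, not RSA/DSA.
PID_MAX = 32768                        # default Linux pid_max at the time
PLATFORMS = ("i386", "amd64")          # assumed per-architecture variation
KEY_KINDS = ("rsa-1024", "rsa-2048", "dsa-1024")


def broken_keygen(pid, platform, kind):
    """Stand-in for the crippled generator: output depends only on these inputs."""
    return hashlib.sha256(f"{platform}|{kind}|{pid}".encode()).hexdigest()


def fingerprint(public_key):
    """What a key blacklist is indexed by: a short hash of the public key."""
    return hashlib.sha256(public_key.encode()).hexdigest()[:16]


def build_weak_key_table():
    """Precompute every key the broken generator can emit.

    32,767 usable PIDs times a handful of platform/key-type variants is
    about two hundred thousand keys: seconds of work, after which spotting
    any victim key is a dictionary lookup rather than a factoring problem.
    """
    table = {}
    for platform in PLATFORMS:
        for kind in KEY_KINDS:
            for pid in range(1, PID_MAX):
                table[fingerprint(broken_keygen(pid, platform, kind))] = (pid, platform, kind)
    return table


def find_weak_keys(fingerprints, table):
    """Return {fingerprint: (pid, platform, kind)} for every key found in the table."""
    return {fp: table[fp] for fp in fingerprints if fp in table}


if __name__ == "__main__":
    table = build_weak_key_table()
    # Constructed "authorized_keys": one key from the broken generator, one healthy.
    victim = fingerprint(broken_keygen(4242, "amd64", "rsa-2048"))
    healthy = fingerprint("a key from a generator with real entropy")
    print(len(table), "candidate keys")
    print(find_weak_keys([victim, healthy], table))
```

The table is built once and reused; with real keys that is exactly the shape of the published toolkit, a few hundred thousand precomputed key pairs indexed by fingerprint, and the reason a blacklist of fingerprints was enough for the Debian `ssh-vulnkey` check.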

Shoulda, finally did

December 4th, 2008

I finally got around to trying Shoulda.  Installation had a few unspoken assumptions.

The gem should be referenced in your environment.rb file.

gem 'thoughtbot-shoulda'

or, depending on rails version

Rails::Initializer.run do |config|
  config.gem 'thoughtbot-shoulda', :lib => 'shoulda/rails', :source => 'http://gems.github.com'
end

It also should be referenced in your Rakefile.

# A full begin/rescue block is needed: the one-line modifier form
# ("require 'x' rescue LoadError") only catches StandardError, and
# LoadError is not one, so it would not swallow a missing gem.
begin
  require 'shoulda/tasks'
rescue LoadError
end

After adding it to the Rakefile,  you can see a list of tests in textual form, using

rake shoulda:list

Romanian Hackers

November 9th, 2008

On Friday, I was updating a server, one that we recently took over for maintenance, and noticed that there was unusual activity in the bash history.  Someone had logged in as root, gone to a directory called .ICE, and run a program.

Piecing together the story, it appears that the server was hacked by a botnet using Romanian software.  Then, someone in Taiwan issued a UDP flood attack on half a dozen Tor nodes.

If you have a .ICE directory in ~root, you might want to check it out.  The rootkit scanners did not find the offending software, but they did find two users with superuser privileges (UID 0), named “security” and “sec”.  The root password had also been reset, and the “security” user didn’t appear to be used.  Idiots.

Inside the .ICE directory, there were programs named “smurf”, “stealth”, “flood”, and “killer”.  It also appeared to install a chat server of some kind.  According to the chat logs, one of the users has an IP address from Taiwan.  I found a list of 15k IP addresses, which could be other bots in the network.  There’s also some software with comments in Romanian, and after some googling, I found a website in Romania with the same code.  There, the software is in a directory called “beast”.

How to recover a crashing Firefox

October 24th, 2008

Tonight, Firefox crashed while I had a lot of tabs open.  I’m talking about a hundred tabs, and some were important.

So, when firefox started up again, it asked if it should restore all the tabs.  I said yes, and watched as it opened all 100+ pages simultaneously.

Firefox immediately slowed to a crawl and stopped responding.  I thought I might be able to sneak in and close some tabs before it became stuck, but it was frozen and chewing up memory.  When it eventually crashed, the same process would repeat on startup.

So, I unplugged the ethernet cable.

Suddenly, firefox unfroze, all the tabs were responsive, and I was able to close a lot of pages.  I then plugged the ethernet back in, refreshed the remaining pages, and was rolling.

I had suspected it was javascript or flash videos causing the problem, but it seems to be something about how it blocks when communicating.

FP

October 21st, 2008

first post!

Hello world!

October 20th, 2008

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!