Planet COSI

Matt Finlayson: How an American soldier is made

Fri, 06 Nov 2009 21:50:24 +0000

Great story in photos of a soldier from high school, through deployment, to coming home and getting married. via Kottke

Matt Finlayson: Wiki | Docs / NetApp Filer, NFSv4, and Linux

Fri, 06 Nov 2009 18:05:43 +0000

Wiki | Docs / NetApp Filer, NFSv4, and Linux:

Decent howto on doing stuff with a netapp machine. Saved my ass today in a complicated VMware / Tivoli / Multi- network thing. Thanks to buzzco for that.

Matt Finlayson: Photo

Thu, 05 Nov 2009 18:18:34 +0000

Matt Finlayson: marco: World of Goo’s pay-what-you-want report has some great...

Thu, 05 Nov 2009 16:13:30 +0000

marco:

World of Goo’s pay-what-you-want report has some great statistics about the average prices people paid. This one was surprising: I expected Windows users to be the cheapest, but I didn’t expect Linux users to be the most generous.

Anyway, if you haven’t played this ridiculously good game yet, go download the demo. If you like it, buy the full version ($20, direct download, DRM-free).

World of Goo is one of the best new games I’ve played this decade. Really. It’s that good.

Max Edmands: Best possible uses for Google Suggest: Outsource your poetry

Mon, 02 Nov 2009 13:34:51 +0000

Are you an aspiring poet who can't figure out why you're not making any money? You probably should have realized that this would happen the moment you bought your first Moleskine. If you want to sell out, however, the power of Google Suggest will ensure that your poems will, at least, resound well with the public.

Just start with a word or two. Type them into your Google search box, pick the most poem-like result, and go on to the next line. Encourage sentence-style results by sprinkling a few "is"s and "are"s in your queries. To stay with a theme, make sure your next few words are related to the first few.

Not only will this get you published and rolling in disposable cash, it's also fun! Here is an example. The seed words are in [square brackets].

[how long] how long does weed stay in your system
[your system] your system is infected
[your] your baby can read
[read] read books online free
[books] books to read before you die
[you die] you die in the game you die in real life movie
[real life is] real life is overrated
[real life is] real life islamic stories
[is real] is real hair real
[are hair] are hair extensions worth it
[extensions] extensions are not enabled

Now, add punctuation and spacing for something truly professional:

How long does weed stay in your system?
Your system is infected.
Your baby can read, read books online free.
Books to read before you die.
You die in the game, you die in real life.
Movie. Real life is overrated.
Real life Islamic stories: Is Real Hair Real?
Are hair extensions worth it?
Extensions are not enabled.

Such is the awesome power of Google Suggest.

Todd Deshane: Free as in salvation

Mon, 02 Nov 2009 00:59:27 +0000

In the software world the word free is confusing. Free software doesn't mean the same thing to everybody. Let me give you an example to help you understand what I mean. There are lots of programs that are freely downloadable from the Internet with no strings attached. Now many of you may read that and consider those programs to be free software. And in one sense (in terms of cost) you would be correct. However, there is another definition of free software that doesn't count all of these programs, but only counts software that is not only free to download, but also free to modify. The free software foundation uses the word free to refer to freedom and not to cost. They believe that software should be distributable in such a way that the source code that makes the program work is also available for those that are able to make changes to it and then redistribute those changes. Making the source code available has others benefits. For example, if more people are able to see how something works, they might be able to find ways for it to work better or find flaws or security vulnerabilities etc. Some of the best examples of free (as in freedom) software are Mozilla's Firefox web browser and the Linux operating system, which was created by Linus Tovalds. There are countless other fee software projects that have had very good success as well.

Quite some time ago I came up with another interesting personal analogy. Free software has some interesting analogies to Christianity. I wondered if other people had had the same thought, so I searched on Google and one of the things I found was a site called Linux for Christians with a motto "Free as in salvation" referencing the bible verse Ephesians 2:8-9, which says "For it is by grace you have been saved, through faith--and this not from yourselves, it is the gift of God--not by works, so that no one can boast." I thought it was really neat that someone had seen the same the analogy that I had. Just recently I had a conversation with Pat about technology and Christianity and I promised to write up an blog post on this topic in hopes of being included on his new website. We both agree that there is a lot of possibilities when combining technology and Christianity. For instance, we have been discussing the concept of cloud Christianity, which could be understood simply as using the cloud to spread Christianity.

In conclusion, it is fun to apply different parts of your life together in order to find interesting analogies and you never know what you will come up with. You may also be surprised that others have had the same thought. In Ecclesiastes 1:9, it says "What has been will be again, what has been done will be done again; there is nothing new under the sun." I think it is important not to take such statements out of context however. The author of Ecclesiastes is king Solomon (I wrote about this king before), who was given much wisdom from God and in this book he is trying to share some of those ideas. I don't think it should be read that you can't think of new ideas, but more in the sense that God already knows everything and we can't think up something new that he doesn't already know about. New to us, sure. That is my understanding anyway. Feel free to give your thoughts on it.

Erin Kennedy: Robo Pumpkin!

Sun, 01 Nov 2009 14:43:09 +0000

Thursday (last week) was a pretty awesome day. I had a good project status for my COSI for credit, I learnt more about LaTeX (and started to typeset my summer research paper) thanks to Zach’s presentation, and there was a pumpkin carving contest for the robotics floor!

Last year I spent a lot of time soldering LEDs and shrink wrapping them, exactly for the purpose of pumpkin decorating!

This year I did one of those ‘etching’ carves of a robot, and used my LEDs to make it more awesome!

It looks pretty cool. Maybe next year I’ll go all out and add a distance sensor and a speaker so that it can sense if something approaches it, then play creepy music/sounds

Here’s a video of the pumpkin in action…

The pumpkin ended up landing itself in COSI for the holiday Hopefully spreading the Halloween joy of computer science to everyone!

Pete Freitag: Viewing Images with Eclipse

Thu, 29 Oct 2009 14:37:46 +0000

Here's a quick tip for Eclipse users. When you double click on an image file in eclipse it typically opens up whatever program your OS has associated with that file type. You can configure eclipse to view images in the editor pane fairly easily, without installing any plugins.

Here's how:

Open Preferences from the Eclipse Menu (I think its the File menu on Windows)
Expand General » Editors and select File Associations
Click the Add button next to File Types
Enter *.png
Click the Add button next to Associated Editors
Select Internal Web Browser
Repeat for *.gif and *.jpg

Zach Shepherd: Amazon “Quadruple Extra Large” High-Memory Instances

Wed, 28 Oct 2009 21:53:14 +0000

Yesterday Amazon added a High-Memory section of EC2 instances, which included a “Quadruple Extra Large” size. According to the EC2 website, a Quadruple Extra Large instance has “68.4 GB of memory, 26 EC2 Compute Units (8 virtual cores with 3.25 EC2 Compute Units each), 1690 GB of instance storage, 64-bit platform.” As I wasn’t really clear what the 26 EC2 Compute Units would correspond to, I decided to spin one up and poke around. The results are below:

[root@ip-10-218-21-207 ~]# cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 1
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 2
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 2
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 3
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 3
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 4
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 4
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 5
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 5
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 6
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 6
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

processor	: 7
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
stepping	: 5
cpu MHz		: 2666.760
cache size	: 8192 KB
physical id	: 7
siblings	: 1
core id		: 0
cpu cores	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca popcnt lahf_lm
bogomips	: 5338.47
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:

[root@ip-10-218-21-207 ~]# cat /proc/meminfo
MemTotal:     71687580 kB
MemFree:      70139596 kB
Buffers:          4496 kB
Cached:          41520 kB
SwapCached:          0 kB
Active:          15004 kB
Inactive:        35668 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:             100 kB
Writeback:           0 kB
AnonPages:        4752 kB
Mapped:           5072 kB
Slab:             7960 kB
SReclaimable:     2176 kB
SUnreclaim:       5784 kB
PageTables:        780 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:  35843788 kB
Committed_AS:    24060 kB
VmallocTotal: 34359738367 kB
VmallocUsed:       180 kB
VmallocChunk: 34359738187 kB

And the results of kernbench were:

Wed Oct 28 15:30:56 EDT 2009
2.6.21.7-2.fc8xen-ec2-v1.0
Average Half load -j 4 Run (std deviation):
Elapsed Time 114.174 (0.646939)
User Time 356.632 (0.178802)
System Time 76.702 (0.189394)
Percent CPU 379.2 (2.16795)
Context Switches 38541.4 (379.793)
Sleeps 75838 (83.7735)

Average Optimal load -j 32 Run (std deviation):
Elapsed Time 65.466 (0.375673)
User Time 362.856 (6.58352)
System Time 84.936 (8.6855)
Percent CPU 542.4 (172.06)
Context Switches 62848.3 (25625.2)
Sleeps 88501.2 (13376.4)

Average Maximal load -j Run (std deviation):
Elapsed Time 65.036 (0.0260768)
User Time 364.585 (5.8557)
System Time 87.3113 (7.78531)
Percent CPU 597.333 (159.682)
Context Switches 64255.9 (20651.1)
Sleeps 83271.7 (13178.6)

Justin Bennett: The Big 2-2

Sat, 24 Oct 2009 02:15:16 +0000

Today I turned 22. I have neglected this blog for quite some time and figured today would be as good a day as any to post.

There are two main reasons for today’s post. The first is that I have been trying to come up with an idea for a new project to work on. I’d like to do something web-related but can’t think of any good ideas that I see a need for. After our wedding I thought perhaps a universal gift registry site would be neat. A place where items from any store/website could be added with some sort of system for keeping track of what has/hasn’t been purchased. That idea didn’t last long since a quick Google search revealed several similar websites (none of which I particularly liked, but that’s beside the point). So I decided I’d post my desire for a project here, perhaps one of the 5 people that reads this blog has a good idea for a web application that I could work on. On a side note, I was recently taking a look at the Yii Framework for PHP development and I thought it might be interesting to try employing it in whatever project I take on.

The second reason is that I’ve been thinking of trying to take this blog in a more technical direction and possibly trying to post on a more regular basis. It seems that the technical problems I run into and solve on a weekly basis at work would be good content for blog posts and may possibly draw others here who are facing similar issues. Some of the topics I’ve considered include kernel compilation, ethernet interface bonding using the bonding kernel module (including an overview of the different bonding modes offered), hardware watchdog, diskless booting over a network, creating an automated install procedure using a Linux-based boot CD, and probably some others that are escaping me at the moment. Some of those are less advanced than others, but each represent a different task/problem I’ve run into at work over the last few months. If you are reading this and you have any ideas, please let me know in the comments.

The third reason (did I say two?) is to promote the COSI IRC server. If you’re a COSI member, past member, wannabe member or otherwise you should definitely check out comm.cslabs.clarkson.edu. Take a look at the wiki page for information on how to connect and say hello.

The fourth reason is to say you should check out openinternet.gov. There are several Internet Service Providers in existence that are experimenting with internet plans that restrict access to certain lists of websites, charging customers more for further or unrestricted internet access. Take a look at the website and educate yourself on Net Neutrality and how it may impact you.

That’s all I have to say about that.

Pete Freitag: Howto Require SSL for ColdFusion Administrator

Fri, 23 Oct 2009 18:03:00 +0000

A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.

Require HTTPS on Apache 2

<Location /CFIDE/administrator>
	SSLRequireSSL
</Location>

Just add the above to your httpd.conf file, just make sure it appears below LoadModule ssl_module. Restart Apache, and you should get a 403 Forbidden response on http and it should work over https. I tested this on Apache 2.2, I think it should work on prior versions as well, but I have not tested them.

Require HTTPS on ISS

Open up IIS Manager Console
Right click on the CFIDE/administrator/ directory
Click Directory Security Tab
Under Secure Communications click Edit
Enable Require secure channel (SSL)

Pete Freitag: Use MySQL? You need Maatkit

Fri, 23 Oct 2009 15:26:00 +0000

Maatkit is a pretty useful set of utilities for MySQL. From their site:

You can use Maatkit to prove replication is working correctly, fix corrupted data, automate repetitive tasks, speed up your servers, and much, much more.

One of the first things you can do after installing the toolkit (which may already be installed if you are running CentOS or Debian) is to run the mk-audit utility. It will give you a nice summary of your server, as well as point out potential problems in your configuration.

Here's a list of all the utilities included in Maatkit:

mk-archiver Archive rows from a MySQL table into another table or a file.
mk-audit Analyze, summarize and report on MySQL config, schema and operation
mk-checksum-filter Filter checksums from mk-table-checksum.
mk-deadlock-logger Extract and log MySQL deadlock information.
mk-duplicate-key-checker Find duplicate indexes and foreign keys on MySQL tables.
mk-fifo-split Split files and pipe lines to a fifo without really splitting.
mk-find Find MySQL tables and execute actions, like GNU find.
mk-heartbeat Monitor MySQL replication delay.
mk-kill Kill MySQL queries that match certain criteria.
mk-loadavg Watch MySQL load and take action when it gets too high.
mk-log-player Split and play MySQL slow logs.
mk-parallel-dump Dump sets of MySQL tables in parallel.
mk-parallel-restore Load files into MySQL in parallel.
mk-profile-compact Compact the output from mk-query-profiler.
mk-query-digest Parses logs and more. Analyze, transform, filter, review and report on queries.
mk-query-profiler Execute SQL statements and print statistics, or measure activity caused by other processes.
mk-show-grants Canonicalize and print MySQL grants so you can effectively replicate, compare and version-control them.
mk-slave-delay Make a MySQL slave server lag behind its master.
mk-slave-find Find and print replication hierarchy tree of MySQL slaves.
mk-slave-move Move a MySQL slave around in the replication hierarchy.
mk-slave-prefetch Pipeline relay logs on a MySQL slave to pre-warm caches.
mk-slave-restart Watch and restart MySQL replication after errors.
mk-table-checksum Perform an online replication consistency check, or checksum MySQL tables efficiently on one or many servers.
mk-table-sync Synchronize MySQL tables efficiently.
mk-upgrade Execute SQL statements against two MySQL servers and compare the results.
mk-visual-explain Format EXPLAIN output as a tree.

Matt Finlayson: Setting up raindrop on Ubuntu Jaunty

Fri, 23 Oct 2009 01:07:48 +0000

Just a quick howto for getting raindrop running on Ubuntu. For added points this server is ‘in the cloud’.

Couch DB

apt-get install automake autoconf libtool help2man subversion
apt-get install build-essential erlang libicu-dev libmozjs-dev libcurl4-openssl-dev

svn co http://svn.apache.org/repos/asf/couchdb/branches/0.10.x/

cd trunk
./bootstrap
./configure
make
sudo make install
adduser —system —home /usr/local/var/lib/couchdb —no-create-home —shell /bin/bash —group —gecos “CouchDB Administrator” couchdb

chown -R couchdb:couchdb /usr/local/etc/couchdb
chown -R couchdb:couchdb /usr/local/var/lib/couchdb
chown -R couchdb:couchdb /usr/local/var/log/couchdb
chown -R couchdb:couchdb /usr/local/var/run/couchdb

chmod -R 0770 /usr/local/etc/couchdb
chmod -R 0770 /usr/local/var/lib/couchdb
chmod -R 0770 /usr/local/var/log/couchdb
chmod -R 0770 /usr/local/var/run/couchdb

sudo -i -u couchdb couchdb -b

Raindrop Pre-reqs

sudo apt-get install python-twisted python-dev python-setuptools

wget http://launchpad.net/paisley/0.1/0.1/+download/paisley-0.1.tar.gz
tar -zxvf paisley-0.1.tar.gz
cd paisley-0.1
sudo python setup.py install

wget http://python-twitter.googlecode.com/files/python-twitter-0.6.tar.gz
tar -zxvf python-twitter-0.6.tar.gz
cd python-twitter-0.6
sudo python setup.py install

Get Skype4py from http://sourceforge.net/projects/skype4py/
tar -zxvf Skype4Py-1.0.32.0.tar.gz
cd Skype4Py-1.0.32.0
sudo python setup.py install

sudo apt-get install python-feedparser

The Rest

https://wiki.mozilla.org/Raindrop/Install

Bryan Clark: Raindrop

Thu, 22 Oct 2009 21:28:56 +0000

Today Mozilla Messaging released the Raindrop project

Raindrop is an experiment in the design of a new messaging platform in the open.

What I like most about Raindrop is our process. We started with some simple designs, created a couple iterations and now we’ve opened up the whole process to share. This isn’t another email client or a twitter client, we have been designing for the way people communicate on the web today. And we’re looking to make it awesome.

If you’re a developer or just have lots of patience you could grab the source code, follow the instructions and get raindrop up and running. But that’s not what we’re launching, we’re launching the next version, the one that we design and develop in the open. Read that again, there is no download.

Design

Starting today, new raindrop designs will be uploaded into the Raindrop Design flickr group for discussion and review. As designs are ready to be implemented we’ll be blogging about them in the Raindrop Design Blog.

Develop

Discussion of code and extension development takes place on the Raindrop Development Google Group. We’re currently built on CouchDB, Python, and JavaScript. (if you’re trying to get raindrop up and running make sure you read the INSTALL doc carefully)

Extend

From the ground up Raindrop was built as a set of extensions on top of extensions. This architecture was a design choice so that others could easily continue extend on top of our work.

There are places to add Data Miners which can search messages for regular expressions and User Interface Extensions which can modify the layout and design of messages presented.

Check out James’ video on Raindrop Software Components for more on the extensions system.

Pete Freitag: You May Need to Reapply CF Security Hotfix CVE-2009-1877

Thu, 22 Oct 2009 15:42:00 +0000

Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.

When the hotfix was released I tested it, and found that they didn't fully fix the issue. I reported this back to Adobe, they confirmed that the hotfix was not complete, and came back with another hotfix for me to test within a few days. I confirmed that it was fixed, and waited for Adobe to issue another security bulletin.

Two months go by, and still no bulletin, so I emailed the Adobe security team last week to get a status update. They told me that they updated the hotfix on August 20th. The APSB09-12 page made no mention of this update in the Revisions section. They quickly updated that to show that hotfix was updated, I suggested that they release another security bulletin for the folks that installed the update right away, but they let me know they have no intention of doing that.

To make a long story short, if you installed the security hotfixes when they first were released you need to reapply Hotfix CVE-2009-1877.

If you aren't sure when you installed it you can use my free Hack My CF service to test your server. It will let you know you need to apply Hotfix CVE-2009-1877 again.

Links for hotfix CVE-2009-1877 can be found here:

Pete Freitag: ColdFusion Server Security Scanner

Wed, 21 Oct 2009 20:55:00 +0000

My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.

The site generates an email report detailing what security issues were found, here's an example:

I would love to hear your feedback!

Pete Freitag: Prefix Serialized JSON in ColdFusion

Tue, 20 Oct 2009 23:07:00 +0000

When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.

Why would I want to prefix my JSON?

The reason this setting exists is to prevent a hack called JSON hijacking. Services such as GMail, and twitter have suffered from JSON hijacking.

It works by embedding a script tag pointing to the JSON url on the attack site, eg hacker-site.com:

<script src="http://bank.example.com/account-info.json">

Now if you have recently logged into bank.example.com your authentication cookies will be sent in the script tag request to bank.example.com and your account info will be returned. Now the tricky part. In order for hacker-site.com to read the JSON data they can attempt to override the JavaScript Array constructor (which doesn't work on modern browsers) or on some browsers the __defineSetter__ (works on firefox) method.

So this brings us back to our question Why would I want to prefix JSON?. When you prefix with // it effectively makes the script evaluate as a comment, and these exploits won't work. Google takes a more nasty approach, they use while(1); as their JSON prefix, this will put the victim's browser in an infinite loop.

How do I enable a JSON Prefix in ColdFusion?

ColdFusion 8, and 9 added a setting in the ColdFusion administrator called Prefix serialized JSON with: which allows to to enter a prefix (the default being //.

It can also be toggled on in the Application.cfc by adding the following inside the cfcomponent tag:

<cfset this.secureJSON = true>
<cfset this.secureJSONPrefix = "//">

And finally you can enable the prefix within a cffunction call using the secureJSON attribute.

Will this break my code?

It might, if you are only using this feature with ColdFusion's ajax tags then it will automatically remove the prefix for you. If you are calling remote methods with returnformat=json using your own JavaScript then you need to remove the prefix before parsing the json.

The prefix will also be added when you call the SerializeJSON function. There is currently no argument in SerializeJSON to toggle this behavior, I have filed an enhancement request: 80423 for such as setting.

Examples, References:

Checkout Phil Haack's blog for more info about these vulnerabilities.

Pete Freitag: FCKeditor Access Denied

Thu, 15 Oct 2009 19:12:00 +0000

I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet Error: 403 Access denied.

It turns out that hotfix (hf801-77218) will actually block any CFM request matching /fckeditor/editor/filemanager/ anywhere in the URI.

To bypass this feature you need to add the JVM argument: -Dcoldfusion.fckupload=true to your JVM arguments. This is found in the ColdFusion administrator under Java & JVM settings on Standard, or in the jvm.config file on Enterprise.

In general I think this is a good feature, though it probably will cause an issue with anyone who uses FCKeditor as outside of cftextarea.

Make sure when you enable FCKeditor's file connector that you do so in a secure manner. For example, don't just set config.enabled = true do something like this:

config.enabled = IsDefined("session.isAdminUser") AND session.isAdminUser;

Todd Deshane: Changing Hearts vs. Changing Minds

Thu, 15 Oct 2009 03:22:17 +0000

I wonder if too much emphasis is placed on the idea of changing people to think just like we do or to get people to stop doing the things that they do or the way that they do them. Trying to change people in this way is probably not a good idea. Instead, I think we should focus on changing hearts. How? Through our actions. For example, by loving, or caring, or listening. I don't think that everyone should have to agree on everything and things shouldn't be forced on people. Maybe people forget about the importance of the freedoms that we have, especially here in the United States. Having the freedom of speech, freedom of religion (or lack of religion, if we so choose) should be protected. Even if you agree with some policy of the government, doesn't mean that it needs to be forced on others.

Let's consider a specific example. Should "In God We Trust" be printed on all of our money? Does that really matter that much? If individually we trust in God shouldn't that simply show itself in our actions? Conversely, if we don't trust in God that could also show. Does it send a false message to both the world and also to (potential/hypothetical) future generations that might dig up the remains of our civilization and find it on our money? I think it is much more important to live a God-trusting life than to try to force others to even when they choose not to. Arguing close-mindedly against ever removing the phrase from our money probably hurts theism and Christianity more that it helps. Stopping to understand, stopping to think critically, and stopping to be open-minded is bad practice.

The concept of changing hearts doesn't simply have to apply to politics or religion or the like. Changing hearts can also apply to our lives in a general sense, regardless of our goals, mission, vision, or causes. If we simply argue based on ideals and don't actually live up to them or have a character that supports the types of things we support, then we won't be likely to change hearts or minds. People need to see something different before they can ever think about changing their mind on something. Even if they never change their mind on something, they may be able to have a change of heart toward specific situations. Persistence is one key to success. Let's take an example from the Bible. In Luke 18, verses 1 through 8, we find the parable of persistent widow. It reads:

"Then Jesus told his disciples a parable to show them that they should always pray and not give up. He said: "In a certain town there was a judge who neither feared God nor cared about men. And there was a widow in that town who kept coming to him with the plea, 'Grant me justice against my adversary.' "For some time he refused. But finally he said to himself, 'Even though I don't fear God or care about men, yet because this widow keeps bothering me, I will see that she gets justice, so that she won't eventually wear me out with her coming!' " And the Lord said, "Listen to what the unjust judge says. And will not God bring about justice for his chosen ones, who cry out to him day and night? Will he keep putting them off? I tell you, he will see that they get justice, and quickly. However, when the Son of Man comes, will he find faith on the earth?"

So, even though the judge didn't fear God or care about men, he appeased the women so that she would stop bothering him. Being persistence in our love or actions can make a much bigger impact than simply stating a case for something (and then not even bothering to live it out).

Rouslan Solomakhin: Coffee is what separates us from the zombies

Wed, 14 Oct 2009 23:23:00 +0000

Cool coupon

Jacob Torrey: Introduction to Mnesia I

Wed, 14 Oct 2009 18:56:31 +0000

Today in my Advanced Concepts in Operating Systems class I led the discussion on the Mnesia paper from PADL’99, while this paper has numerous typos it does do an excellent job highlighting the features and advantages of Mnesia. For those of you who are unaware, Mnesia is a distributed, fault-tolerant object DBMS written in Erlang. One thing about Mnesia that I have found to be lacking is a tutorial written for the lay person from the ground up, this gap I intend to try and fill. This multi-segment tutorial assumes you have knowledge of Erlang, and the basic concepts of manipulating data with DBMSes, other than that, I hope to provide enough information and code to demystify a fairly complex system. However, I still am on the road to mastery, so if I make any errors, or you have any tips for improvement, I’d be happy to add them in.

To get started, start up the Erlang shell (erl) with a name, I will use -sname foo in the following examples. Below is a transcript of starting up and creating a disk-based

ranok@orion:~/Desktop$ erl -sname foo
Erlang R13B01 (erts-5.7.2) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.7.2  (abort with ^G)
(foo@orion)1> mnesia:create_schema([node()]).
ok
(foo@orion)2> mnesia:start().
ok

The most important call made here, create_schema, takes a list of nodes to replicate the schema table to on disk. You can add additional disk-based nodes or ram-based copies later (we’ll get to the details later). After you’ve created the schema (this will make a folder for all the Mnesia table data), you can start the application with the start function.

Now that we have the database running, we need at least one table to store the data in, we will start with a very simple record to just store simple key/value data. The nice thing about Mnesia, is that the data we store can be pretty much anything, from a simple atom to a function. We will start learning the basics from the mnesia_test module, which I have uploaded here.

The first few lines of the module start off like any Erlang code, a module declaration, what functions to export, including the QLC (Query List Comprehensions) include file (you may need to find it for your system) and a record definition:

-record(data, {key, value}).

Which will define our record for the table also named data. In the function setup_and_start/0, we tie in what we already went over with the create_table function, which in our case looks like

mnesia:create_table(data, [{disc_copies, [node()]}, {attributes, record_info(fields, data)}])

The create_table function has a number of options, the most basic of which we will deal with at the moment: the name of the new table, where and how the table will be stored and what fields the table has (this code used the record_info() function to pull those out of the data record for us). Now that we have our table, we need a way to get the data in and out of it.

Many databases provide the ability for multiple queries to be joined into one transaction to be executed atomically. Mnesia is no different, but for the most part, all queries are executed through the transaction manager (there is a dirty interface which will be discussed later), this makes working in a distributed environment much easier. The way to perform a transaction in Mnesia is to pass a fun to the mnesia:transaction() function that will atomically run.

The actual function to enter data (both insert and update) is write(Record). We wrap this into the mnesia_test:insert(Key, Val) function displayed below:

insert(Key, Val) ->
Record = #data{key = Key, value = Val},
F = fun() ->
mnesia:write(Record)
end,
mnesia:transaction(F).

To now retrieve this data back from the database, the read function is now used, the read function takes two arguments: the table name (in this case, data) and the key to retrieve. The mnesia_test retrieve function wraps this nicely for us, and is shown below:

retrieve(Key) ->
F = fun() ->
mnesia:read({data, Key})
end,
{atomic, Data} = mnesia:transaction(F),
Data.

mnesia:transaction will either return {aborted, Reason} or {atomic, Rows}, where Rows is a list of all the retrieved data. If the key we tried to retrieve could not be found, then it will return an empty list.

Say however, we want to search the table for certain values that are not the index of the table. For that there is the matching functions, the simplest of them is the match_object whose usage can be seen here:

search(Val) ->
F = fun() ->
mnesia:match_object(#data{key = '_', value = Val})
end,
{atomic, Data} = mnesia:transaction(F),
Data.

As you can see, simply fill in all the values that are known and that you want to search for, and use the ‘_’ unmatched value for all the other values. This transaction will return the same forms as the read transaction.

There is another method for filtering through Mnesia tables, which is very similar to the list comprehensions builtin to Erlang which is called QLC. The QLC version of the above function is below:

search_qlc(Val) ->
F = fun() ->
qlc:eval(
qlc:q(
[X || X <- mnesia:table(data), X#data.value == Val]
))
end,
{atomic, Data} = mnesia:transaction(F),
Data.

What the query here is doing is is returning a list of Xs where every possible X comes from our data table, and X#data.value == Val. This should be very intuitive for those of you who are familiar with list comprehensions. What qlc:q() does is form a query handle (much like a function object) which gets evaluated by qlc:eval() inside of our transaction object. Again, this will return the same values from mnesia:transaction.

Well, that about covers the basics of Mnesia, you now should be able to setup Mnesia on your computer, create a table and insert/retrieve data from it. In the next installment, we will look at distributed Mnesia and the dirty interface, which provides faster queries by bypassing the transaction manager. After that we will put all of what we’ve learned into creating a system that will take advantage of Mnesia and give a pseudo real-world problem a fitting solution. Please check back soon for the next installment!

Peace and chow,

Ranok

Pete Freitag: Adobe MAX: Building JEE Portlets with ColdFusion 9

Wed, 14 Oct 2009 16:52:00 +0000

Adobe has posted the recording of my Adobe MAX presentation Building JEE Portlets with ColdFusion 9. Overall it was a great conference and I was happy to be a part of it. I was also happy to cover the topic of Portlets in ColdFusion 9, since it hasn't gotten much publicity as a new feature. This feature is also close to home for me, because I worked on this feature for Adobe as a consultant through Twin Technologies.

Erin Kennedy: Friday Night Robotics – MusicBox!

Mon, 12 Oct 2009 02:00:21 +0000

This Friday I had the most awesome idea of a weekend project ever! A 21st century MusicBox, using an Arduino and have blinking LEDs!

I had a Sparkfun box lying around, which is an ideal size for an Arduino and a WaveShield.

I wanted to have LEDs outlining the box, so I went to work on it:

Just as a disclaimer- I designed it wrong, so the LEDs don’t work well. If you’re looking to follow my steps, DON’T DO IT!

Then, installing them into the box:

It looks nice!

Once all of the connections are made, it’s pretty tight in there:

The problem though, is that I designed it so that all the LEDs are in series. Since al LEDs aren’t created equally, some suck up more power and therefore can’t share it with the others. This is what happened:

It’s pretty sad! But, I think that I can fix it because I soldered the resistors together, not the actual LEDs together. I was too excited to start this project, so I didn’t bother to plan I guess planning would have been better, but it would also have been too boring.

I also worked on a NXT LED blinky thingy. There are these HiTechnic Protoboards that you can get, and basically you attach them to one of the sensor inputs, and you can control power to certain ports and such.

In this case, there’s 6 output pins that you can control. Sounds like an opportunity to use LEDs to me!

This is what the setup looks like:

It goes like this: NXT -> HiTechnic ProtoBoard Sensor Adapter -> 6 LEDs

In order to output instructions to the HiTechnic ProtoBoard, you need ‘drivers’, or headers. They’re located here.

Here is the code for the LEDs, in RobotC:

#pragma config(Sensor, S1, HTPB, sensorI2CCustom9V)
//*!!Code automatically generated by ‘ROBOTC’ configuration wizard !!*//
/*
Crazy LEDs!
Erin K
Oct. 9th, 2009
*/
#include "drivers/common.h"
#include "drivers/HTPB-driver.h"
byte theLEDs[] = { 0×01, 0×02, 0×04, 0×08, 0×10, 0×20 };
task main() {
// Setup all the digital IO ports as outputs (0xFF)
if (!HTPBsetupIO(HTPB, 0xFF)) StopAllTasks();
wait1Msec(200);
while(true) {
// The delay time
int theTime = 50;
// LEDs going up
for(int i=0; i<6; i++) {
if (!HTPBwriteIO(HTPB, theLEDs[i])) nxtDisplayTextLine(5, "ERR WRITE");
wait1Msec(theTime);
}
// LEDs going down
for(int i=5; i>=0; i–) {
if (!HTPBwriteIO(HTPB, theLEDs[i])) nxtDisplayTextLine(5, "ERR WRITE");
wait1Msec(theTime);
}
alive();
}
}

This is what the code does:

To wrap up this Friday Night Robotics, I checked out the Adafruit Ask an Engineer chat. It was pretty cool! I learnt about how LEDs work, and how much it costs to create a Teenyduino! Everyone should check it out, Saturday at 10:00PM EST.

The only things that I didn’t get to do that I wanted to was play with MANOI and the iRobot Create. I’m kinda worried that MANOI’s batteries are drying out as they haven’t been exercised in a while EEP!

Erin Kennedy: Autonomous Robotics Club Meeting – Call for Electronic Junk!

Sun, 11 Oct 2009 15:57:42 +0000

This past week, we received the Blue-Bomber TGIMBOEJ! It came from Toronto, Canada. Here’s the blog post of the original creator of the Blue-Bomber box.

A TGIMBOEJ is a box of electronic junk! It stands for: The Great Internet Migratory Box of Electronic Junk. People put electronic junk into a box, usually take pictures and blog it, and send it to someone else. The process repeats and repeats. The general rule is that if you take something out, you have to put something back in it. Possibly the most awesomest thing to explain to anyone who hasn’t heard of one before!

This is what it looked like when we got it:

There is awesomeness inside:

This one is my favourite thing in the entire box:

Do you know what it is? It’s a NEWTON PEN!!!!!!!! A PEN FROM THE NEWTON!!!!! (A Newton was the first PDA, the pre-iPhone)! A NEWTON PEN IS IN THE BOX!!!!!!!!!! Rest assured, I’m going to be swapping something in for that.

(That giant resistor makes me laugh)

So that was some of the junk in the box. The pink flower camera is still in there. The funny thing is about that camera, is that I have one at home, and it still works. Hahaha!

One of the projects that was going on that night was someone (also a robotics floor member) was trying to open up an old computer that he bought on ebay for $0.99! It’s a Packard-Bell, and it’s really old, but uncannily looks like the netbooks of today:

Above is the battery for the laptop. They didn’t even try to make it not look like a capacitor!

I think at the end of it, what was wrong is that the CMOS battery is dead. I’m not sure why he hasn’t replaced it yet, but I think it’s along the lines of he doesn’t have one (that isn’t dead). It’s a pretty cool project, neat to see what others are doing!

Anyway, when I got the BlueBomber I sent out an email to the ARC members requesting electronic junk, so that we can have a lot of stuff to swap out. The amount of junk we received was phenomenal. It was MOUNTAINS of electronic junk. MOUNTAINS OF JUNK!!! It was a super giant electronic junk party!

This is what a CRT actually looks like without the box:

This is what a human actually looks like with the box: (Rofl)

There’s so much soldering/desoldering to be done! I can’t wait to continue the electronic junk party this Monday, and perhaps work on iSobot more. One thing is for sure- I won’t be forgetting the desoldering pump!

If you have some electronic junk or know of people with electronic junk, feel free to let me know and we’ll take it off of your hands. Eventually the stuff that we don’t use will either be used for a new TGIMBOEJ, or will stay in the ARC room!

Erin Kennedy: Robotics Floor = Closest thing to paradise!

Sun, 11 Oct 2009 15:19:23 +0000

A while ago, I was on the internet TV show – Fat Man and Circuit Girl! At that time, when I showed the robotics floor, we only had a camera and a desk. Now we have everything on the floor, and it’s virtually the closest thing to a paradise!

The robotics floor is basically a group of people that all really enjoy robotics- we’re all on the FIRST 229 team. We help out with 229 related activities, like remote mentoring. Basically any team that is in our county can call in and ask for help on their robot. I really like the feel of remote mentoring, it’s like being on-call for a robo-emergency. There hasn’t been any calls yet, though The fancy name for the floor is ‘Living Learning Community’… or LL Community. We would say LLC, but I was the nerd who pointed out we could easily be pwned for that, especially if someone had a company called Robotics LLC or Team 229 LLC. Plus, it’s just generally confusing if people look on the website and see a LLC, it wouldn’t make sense- so it’s LL Community.

This is the phone we use for remote mentoring. We’re going to be switching to VoIP soon, though:

We have a huge computer that has two displays, an extreme amount of graphical processing power, can record TV shows and has a Netflix account. It’s an amazing computer. The keyboard and mouse are really nice, too.

On top of this, we have a huge smart board! It’s really amazing! It stands up and has a projector sort of floating in front of it. You can touch the screen and it’s like your clicking!!! I tried some of the Processing applications that I made, and it works really good, and the particle finger painting looks extremely realistic!

We also have this intense camera! You can move it around from the internet, and it can zoom in super far, it’s creepy!!!

This is what it looked like with people in it, when it was in its most fire hazardous messy lego state:

It’s much cleaner now, though.

So yeah, that’s the Robotics Floor. I haven’t heard about this type of awesomeness at any other university, so Clarkson has done this first! Woohoo!

So, this floor is so super amazing, but what’s the worst part of it? I’d have to say the respect that the people on the floor have. There’s so little of it that it’s somewhat disgustingly sad

The main problem I have is Quiet Hours. For some reason, everyone on the floor doesn’t understand what QUIET means. So this means that I have to do the RA’s job and tell everyone to shut up, EVERY SINGLE NIGHT. I’ve tried being nice, angry, mean, aggressive, sad, happy, ignoring it, and telling the RA to shut everyone up, but nothing works! They don’t have the courtesy to respect anyone that likes to wake up at the beginning of the morning. How can such an amazing floor have that little respect for its floormates? It disappoints me and bedaffles me!

If I didn’t have respect though… I would play classical music super duper loud on my stereo, each morning, at 6AM. >:D But I haven’t done it yet, because I have respect. I respect people that don’t respect me… that doesn’t make sense.

Anyway, during the day this floor is the most amazing place on Earth!! This is what I see out of my window:

I hope that the bad part of the floor will improve, but it’s still the most amazing thing ever.

Pete Freitag: IIS: Disabling Weak SSL Protocols and Ciphers

Thu, 08 Oct 2009 19:21:00 +0000

It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.

Requirement 4.1 states:

Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

If you are running IIS there are typically several weak Protocols and Ciphers enabled, such as SSLv2, and 40-56 bit key ciphers. The Internet Information Services Management Console doesn't have a GUI to let you disable these protocols and ciphers. You need to use Regedit to make several registry changes in order to disable these.

While doing some consulting work last week a client mentioned how useful it would be to have a product for toggling ciphers and protocols in IIS. I agreed, and built the following:

I also built a web based tool to test your server for SSLv2. The testing tool works on both IIS and Apache Web servers.

Matt Finlayson: My Top 5 Artists (Week Ending 2009-10-4)

Mon, 05 Oct 2009 15:06:33 +0000

My Top 5 Artists (Week Ending 2009-10-4)

Todd Deshane: Delicious LiveJournal Links for 10-4-2009

Sun, 04 Oct 2009 23:06:27 +0000

DHS to hire up to 1,000 cybersecurity experts - CNN.com

"Cybersecurity is one of our most urgent priorities," said Homeland Security Secretary Janet Napolitano

(tags: security internet us government dhs phd)

Timothy Fanelli: The nightmare of server migration

tim@timfanelli.com — Fri, 02 Oct 2009 16:41:59 +0000

Well this week began "re-registration" week at Clarkson, where they randomly and repeatedly delete MAC addresses from your NetReg registration list and make your life miserable.

I leased a VPS from SliceHost and am in the process of moving all my sites there -- which is turning into quite the process... I've decided to clean things up a lot to make my life easier, as well.

Unfortunately, that means my websites are only partially up at the moment... please bear with me as I work through this. It's difficult to migrate off a server, when you can only access it intermittently :-\.

Meantime, I'd like to say "Thanks, OIT, for creating yet another debacle that just makes our lives more difficult. Aren't you supposed to support the faculty and staff? What the hell?"

Pete Freitag: Using Railo, Secure The railo-context

Wed, 30 Sep 2009 17:47:00 +0000

If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivilent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

One of the features of Railo is that each web site can have its own administrator and settings. The first time you access the web administrator eg: /railo-context/admin/web.cfm it prompts you to set the administrator password. The drawback to this approach is that if you have multiple virtual hosts you have to go through and setup a password for each one. If you don't set the password, and the railo-context is wide open, anyone can go and set the password and access the railo administrator. It would be nice if you could specify a default password for all web contexts in the server wide Railo administrator. (Update See Todd's comment, you can set a server wide password)

So how do you go about this, James Allen has written up a guide for securing Railo Administrator on IIS. Here's how you can easily do it on Apache httpd.conf using basic authentication:

<Location /railo-context>
    AuthName "railo"
    AuthType Basic
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

You will want to setup a password file using htpasswd (located in your apache bin directory) and place the path to that file in AuthUserFile directive.

Using Digest Authentication (better) your config will look as shown below, and you create the password file using htdigest:

<Location /railo-context>
    AuthType Digest
    AuthName "railo"
    AuthDigestFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

Another approach you can take is limit access by IP. For example to limit it localhost:

<Location /railo-context>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>

You could also use mod_rewrite to block railo-context uri on all sites but one:

RewriteEngine ON
RewriteCond %{HTTP_HOST} !^admin\.example\.com$ [NC]
RewriteRule ^/railo-context.* [F,L]

Note: By password protecting or blocking the entire /railo-context you are blocking access to things like cfform, keep that in mind, you may want to be more selective about the uri's that you password protect. If you aren't using any features that require the railo-context it's best to block the entire thing.

Do you have any other Railo Security Tips? I plan on writing a few more articles on Railo Security in the future.

Mike Buzzetti: Digest for 09/24/09

Thu, 24 Sep 2009 05:07:13 +0000

Mike Buzzetti: Digest for 09/21/09

Mon, 21 Sep 2009 05:07:14 +0000

Mike Buzzetti: Digest for 09/18/09

Fri, 18 Sep 2009 05:07:17 +0000

Pete Freitag: The many ways to Lower Case a String

Tue, 15 Sep 2009 20:37:00 +0000

If you ever wondered why there are so many programming languages, look no further than the the many ways to convert a string to lower case. Almost every language has a core function to make a string lowercase, yet there seems to be pressure to come up with a distinct name for the function:

Function Name	Languages
LCase()	ColdFusion / CFML, ASP, Visual Basic
lower()	SQL, Python
toLowerCase()	Java, JavaScript, ActionScript
strtolower()	PHP
tolower()	ANSI C/C++
toLower()	C#
downcase	Ruby
lower-case()	XQuery
lowercaseString	Objective C / NSString
lc()	Perl

Are there any other lowercase functions out there that you know of?

Mike Buzzetti: Digest for 09/14/09

Mon, 14 Sep 2009 05:07:13 +0000

Zach Shepherd: lilurl

Fri, 11 Sep 2009 17:46:50 +0000

For some reason, I decided that I wanted a simple, easy url shortener for personal use. I spent 5 minutes installing lilurl and another 5 minutes hacking in a simple password field (so that only I and people I know can use it).

The hack:

17a18,20
> // Password
> define('MD5_PASS', '5f4dcc3b5aa765d61d8327deb882cf99');
>
diff -r lilurl/index.php l.zjs.name/index.php
11a12,13
>  if ( md5($_POST['password']) != MD5_PASS ) { die('Incorrect Password'); }
>
179a182,184
>   <br />
>   <label for="password">Enter your password:</label>
>   <input type="password" name="password" id="password" />

Todd Deshane: Delicious LiveJournal Links for 9-10-2009

Thu, 10 Sep 2009 23:08:53 +0000

7 Reasons Websites Are No Longer Safe

1. Polluted ads
2. SQL injection attacks
3. User-provided content
4. Stolen site credentials
5. Compromised hosting service
6. Local malware
7. Hacker-engineered fakes

(tags: security web-based malware phd)
Pro Git - Pro Git Book

Free online, creative commons book on git

(tags: github creativecommons ebook git free online opensource)
Git - Fast Version Control System

(tags: versioncontrol git opensource tutorials reference)
YouTube - O'Reilly Webcast: Git in One Hour

Good introduction to git

(tags: git screencast tutorial)

Erin Kennedy: Fading LEDs – Circuit & Arduino Way

Tue, 08 Sep 2009 02:40:27 +0000

Someone recently commented on one of the posts and asked:

Hey Erin, I was just checking around looking for help with a project Im doing. Im not an expert by any means ,I could really use the help and expertise of somone like you. I like your robot too.
Im building a Terniator endo Bust. Its Recast vinyl kit. My …dilemma is ,…The kit came with 2 Red LEDs for the eyes,a bouble A battery pack and a switch. I want to mod this guy so the lights come on slowly,and when switched off they dim out.(3-5 sec.)
The second effect I want is to install a pulsing or vibrating motor inside the scull that comes on momentarily with the lights?
I have other Ideas too. If I can interest you ,Id be will to pay for your help.
I hope this sounds interesting to you, Thanks ,Daniel Shaffer

Sounds like a great weekend project!

There are two ways to solve this problem: with a circuit, or with a microcontroller.

I can’t exactly help out with the mathematical part of the circuit, but in order to obtain the dimming effects, you would need to first charge a capacitor up when you switch it on, that would be connected to the LEDs. As more and more voltage fills up into the capacitor, the LEDs will make a fade-in effect! When you switch off, the capacitor will have to de-charge (perhaps into a different capacitor). When it is emptying, the voltage will be going lower and lower, making a fade-out effect.

The second part of your question, how to make a vibrating motor come on with the lights… you would have to use a 555 timer IC. These also use capacitors and resistors in order to create a timed circuit. They are a really interesting concept, and I would encourage you to check out these sites about them!

Now… if you wanted to use a more extendable option with a microcontroller, that is more easier! I made a post about how to fade many LEDs here, with an Arduino. You could have the LEDs fading in and out while having the motor turning on/off. AND, you could use sensors to create specific behaviours and triggers for the Terniator.

I hope this answers your question, and I hope you will keep us posted on the status of your project! Woohoo for blinking LEDs!

Jacob Torrey: Hurry Up and Slow Down

Sun, 06 Sep 2009 00:38:05 +0000

Now that I’ve had a chance to settle into my new apartment above Misty Hollow on Market Street, and I have all the needed utilities, I thoughts I take a break and reflect on my first two weeks of my senior year. My schedule this semester has me in class for 11 hours Monday and Wednesday, and practically without class the other week days (I do have class every few Saturdays). This schedule is requiring some work to get used to, either I’m feeling rushed to make it to my next class and keep everything straight (philosophy to statistics) or I’m wondering what to do with all my spare time. I have however found a few things to keep myself occupied on my off days, I’m working for Clarkson as a campus photographer, shooting lots around the area for brochures, the website or mailings. This is a great way for me to practice and improve my photography skills and work with a professional! I will update my Flickr when I have some great shots, so keep checking it out! Of course I’m also still the co-director of COSI, which has a large amount of interest this year, and I’m hoping for good things to turn up. naturally I’m still working on my baby, OSP (a post on that soon). Lastly, I’ve joined the Potsdam Rescue Squad, and am enrolled in the NY state EMT course, which I am enjoying, and excited to become a more useful member as my knowledge grows.

Well, I think that about covers all in my life for the time being.

Peace and chow,

Ranok

Rouslan Solomakhin: Self-Replicating 3D Printer

Sat, 05 Sep 2009 19:32:44 +0000

RepRap is an amazing idea (with partial implementation) to make a 3D printer that can make its own parts. Version 1 can only make 50% of itself: the plastic parts, apperently. Version 2 will know how to make silicon chips to create its own circuit boards. Check out the video: