Category Archives: General

Catch-all category

General

Little decisions

One thing that’s nice about writing software for a living is that it helps remind you often that little decisions are important ones.

If thine axiom offend thee,

pluck it out.

Legacy weirdness

It makes me chuckle when I notice some of the weird information my computer gives me as a holdover from the old days. Some people probably don’t remember the days of ‘lower memory’ and ‘upper memory’. Here’s a little reminder about it, in case you need it.

There was a time when a BIOS boot-up report of available lower and upper memory was useful, back when the numbers were like “640k lower, 384k upper” and it was likely someone was running MS-DOS with a memory manager. But my laptop’s BIOS still reports it, in the days of Linux and Windows, when the numbers are “640k lower, 2096512k upper”.

SVN v. OSSEC

Learned of an interesting interaction between Subversion (SVN) and OSSEC, an intrusion detection system that happens to be installed on a server I work with. If you’re seeing a problem where Subversion hangs when you’re trying to do a checkin, and you happen to be renaming a number of files, this might be your problem. I don’t offer a complete solution here, but maybe some help.

When you rename a file in Subversion (I’ve seen this with TortoiseSVN, Subclipse, and the official command line client, and would expect it in any client), the client does a check to make sure the new name isn’t in use. It does a PROPFIND on the file and expects a 404, giving an Apache log entry like this:

xx.xx.xxx.xx - username [07/Apr/2007:06:11:10 -0400] "PROPFIND /svn/trunk/blah/blah/newfilename.java HTTP/1.1" 404 297 "-" "SVN/1.4.2 (r22196) neon/0.25.5"

OSSEC has a rule (31151, in web_rules.xml) that alerts at level 10 whenever there are more than 10 404s (well, 4xxs) from the same IP in the same 120-second interval. That causes an active response from OSSEC to ban the IP for 10 minutes.

So, if you rename 10 or more files in an SVN checkin, OSSEC will ban you for a while. The 31151 rule makes sense in a basic way, in that some exploits will try to find vulnerable URLs for insecure scripts, etc., but it’s clearly too heavy-handed when SVN is running.

I don’t perceive that sort of URL scan to be a big threat on a well-maintained server, so one solution is just to drop the rule’s level below the active response threshold. However, it would be somewhat more sophisticated to do something like “don’t trigger if the username field in the log entry exists and the error is not 401 (unauthorized) and the method is PROPFIND and the URL is within the domain of the SVN install”. That refinement only works when mod_svn is configured to use Apache authentication (so that the username field would be in the log) and requires that you know the URL that SVN was installed under, so it can’t be done that way in the generic OSSEC install.

You could also make refinements based on IP address or something, but in my case, the server is used by different remote people on different dynamically-assigned IPs on different networks.

I don’t really know how to express any of that in terms of OSSEC rules anyway, given that I’d never heard of OSSEC before an hour ago :-). So I can’t say how OSSEC might mitigate this problem in general, but on an individual install, you can just drop the rule’s level or comment it out, if you’re feeling lucky.

Tricky translation

Hmmm, language translation is trickier than I understood. Here’s a translation from an article I just saw:
“Simple DS Series Vol.14 The Jidousha Kyoushuujo DS [translates to] Simple DS Series Vol.13: The Vehicle Learning DS.”

I never knew a Japanese 14 was an English 13.

Buggy software

Should I love or hate buggy software?

I mean, the hate part is somewhat obvious, in that it interrupts work and takes one out of flow and dammit I paid $apple and I should get orange performance, etc.

But the love part comes from the following facts:

  • in cases where I’m paid by the hour, I make the same amount of money for struggling for an hour with OPB as for doing, ya know, some real work.
  • I learn things from struggling with bugs. Not only “this crap doesn’t work in this situation” (which is commercially valuable knowledge), but also things about the technologies involved, theoretically things that transfer to other contexts. Wasn’t it Heidegger that had a whole theory about how tools are invisible until they fail to work?
  • (third entry because a list of two things is weird.)

“We Feel Fine”

This is pretty amazing, on a few different levels: We Feel Fine.

A choice

We can choose to see the past as a set of templates against which we can train our souls to perceive the peace and joy of every configuration of the universe.

Teaching programming

Someone (I don’t really like to mention a lot of specific names on my blog) asked me today what suggestions I might have for someone who’s about to start teaching a university course in programming in MIS. I had some fun hypothesizing about it; here’s what I wrote:

[I have to preface all my remarks with: I’ve never taught anything bigger than parts of a three-day course in the architecture of a specific application, and even then I didn’t try any of the blue-sky ideas I’m about to mention. But, if I did try to teach something like a college course, I would try them.]

My first thought is that the most important thing to emphasize is that programming is about structuring thinking and activity, and not really about the structure of computer programs, so I think a project-based approach seems like a good idea.

I’m going to just go full-hypothetical here and give a transcript of the first monologue I’d give :-). Hopefully people would interrupt me…

“Contrary to what you may have been told, programming is not really that much about languages and syntax and stringing together a series of canned solutions. Well, good programming is not about that. Mediocre programming is about that, and you can get by in the commercial sphere being a mediocre programmer, so if anyone is truly satisfied with that, we can have an independent study course where I assign you a textbook and you do problem sets and tests.

However, what I’d rather we all do is learn good programming, and by the method that I think makes most sense, which is to actually build something together and enjoy building it. Good programming is about structuring thinking and activity, both on your own and with others. It’s really just a particular discipline of problem-solving and communication, both of which I assume you all know a good deal about.

The project we’ll be doing is the software for a POS system. You might think “that’s boring”, which I hope to convince you doesn’t have to be true, and you might think “that’s quite practical”, which is true but not all that relevant.

What is relevant is that it’s something big enough that it will take the whole semester. Today is the last ‘lecture’ of the class. I mean, there’ll be plenty of opportunities to take notes if that’s your thing, but what I’ll be doing is not lecturing; I’ll be participating in the discussions that come naturally from the project, and bringing in whatever I can from my years of experience when the need arises. You’ll want to take notes on what you and your classmates say more than on what I say.

If you’re thinking about grades, and it’s OK to admit that you are, I think everyone will be graded by classmates. I won’t let you be too hard or too easy on one another, but other than that, you’ll be deciding grades. Inherent in the structure of a complete software system is some sort of assurance that what you’ve built is high-quality. So, for example, there’ll be people making test systems that will test modules that other people are making. It will be clear to both of those teams how well the other team did. You’ll be giving grades at the end of the second, fourth, eighth, and sixteenth weeks.

Speaking of teams, let’s start talking about the pieces of the system and the workflow for building them. I think we can accommodate everybody’s interests and talents somewhere in here.”…

[Some pieces of work/ideas I might bring up if they didn’t come up: user interface/ease of use, network protocols, language and coding style decisions, source control (use SourceForge and get the added effect that ‘anyone in the world might see your code’), error handling, exception handling, auditing, security, existing code and libraries, storage and redundancy, issue tracking, performance, testing, data formats (e.g. floating point is not necessarily good for financial data), customization/branding, data mining, what happens if the whole thing ‘crashes’, legacy system integration, self-check systems, …]

Remembering a name

Funny the things one remembers. I’ll probably never forget the name of a mythical COM interface from a project I worked on: IWendyPointerToGuts. This was a name for, let’s say, an anti-pattern that we wanted to avoid in the project. I’ve long since left that project and have no need for the name any more, but it still sticks.