Posts

Posted on

Is Apple evil?

Awhile back, I wrote that developers that wanted to write iPhone apps should just deal with Apple and the AppStore approval process as the upside of getting an app in the AppStore could be huge. Well, I’ve read lots of stories about the AppStore approval process and my views have changed a bit. Apple rejecting Google’s Google Voice app and pulling other Google Voice apps really would have ticked me off as it could easily have happened to me. When I created GrandDialer last summer (GrandCentral turned into Google Voice and GrandDialer was basically the first Google Voice app), my only problem getting it in the AppStore was that I had to change the color of the dialpad so it didn’t look like the iPhone’s dialpad. Then the stories about dictionary apps having to get a 17+ rating because you can find bad words in it is just baffling.

I’m not sure I’d want to create an app for the iPhone now without some financial backing as the risk is too great for me to go at it alone. I could spend a lot of time on an app and only have it rejected by Apple with little to no explanation why. Maybe Apple could review the ideas first (yes, I realize that is a huge undertaking), but it could help out developers that want to invest time. Even if developers had to pay some amount for this, it would definitely be worth it.

Am I going to develop for another platform? For better or worse, I really don’t write code anymore. The iPhone platform is great for developing, but the closed nature of the AppStore makes it a crapshoot to develop applications that will see the light of day. Is the Pre or Android any better? I have no idea. The huge success of the iPhone has caused a huge following and lots of applications; if the other platforms were this successful, would they see problems with their stores? Maybe. There must be a better way to not tick off developers as people acknowledge that the availability of apps makes or breaks a smartphone.

Posted on

The honeymoon is over

Yesterday I wrote about using Passenger (mod_rails) for deploying Ruby on Rails applications. Well, this morning, I ran into my first problems with it. I had reports that WebDAV wasn’t working. After trying a bunch of ideas that I read about, I finally decided to try changing the load order of the Apache modules. I set Passenger to load first and then WebDAV load later. That amazingly fixed the issue; if it hadn’t, I would probably have had to scrap Passenger which would have been a huge disappointment.

Posted on

Get with the (electronic) times

Today I went to submit for reimbursement from my flexible spending plan. Since I scan in all my receipts, assembling the information was quite easy. Our plan allows us to use a “wizard” to prepare the reimbursement. It generated a PDF cover sheet with all the information filled out. I added all my receipts (stored in Paperless), filled it out using PDFPen, added my signature and had one massive PDF. The form said to mail it via USPS or fax it. Since I pay $0.10 per page to send a fax via j2, I printed out the 13 pages, shoved them in my fax machine and sent it (the fax number was toll-free, but I have unlimited calling, so it didn’t matter). Now if I had been able to upload the PDF to their web site, I would have saved the paper.

Posted on

Dealing with Ruby on Rails Applications

When I first launched my first web site in Ruby on Rails (RoR) to get my store for ReceiptWallet (based on Potion Store) going, I learned a little bit about performance. A basic RoR application is launched each time a user hits a web site; this, of course, is only for development and isn’t practical for a production site. I opted to use lighttpd and FastCGI which worked well. However, modifying an part of the application required killing processes and restarting lighttd.

As a learned more about RoR and had to deploy more applications, I started using mongrel as we had a bug with lighttd that caused our application to not handle uploads. So I’ve been using mongrel for a bunch of RoR applications on 4 separate servers. Things work OK, but each time an application is updated, I have to either restart all of mongrel or kill individual processes and restart them (if I restart mongrel, non-updated apps get restarted and could disrupt people).

Last night as I was trying to catch up on some of my research (quiet time is only at night and allows me to leisurely do research), I came across Passenger which makes deploying RoR simple. All I have to do is setup the virtual host and point it to the RoR’s public directory and presto; this is in comparison to setting up mongrel with proxies from Apache. In addition, in order to restart an application after I update it, I just do ‘touch tmp/restart.txt’. Wow, that’s easy!

Is Passenger the holy grail for managing my RoR applications? It’s too early to know, but I’m optimistic.

Posted on

Standard, but braindead implementation

One of the features of OS X Server’s LDAP is the ability to disable an account after X failed logins. While this sounds like a great thing to turn on from a security point of view, the implementation has a lot to be desired. I turned this on several months ago and within 30 minutes had to turn it off. The reasons why it is flawed are quite simple.

Let’s say you have a VPN, a mail server (incoming and outgoing), a calendar server and a chat server and you have the failed logins set at 4. Let’s also say that your mail server and calendar server are accessible outside of your VPN so that handheld clients that don’t have a VPN client can get in. Most, if not, all services on the Mac store your password in the keychain and many don’t offer you the option to enter it each time (which actually would get quite annoying). Next, let’s say you just changed your password using a provided mechanism (OS X server requires an add-on to offer this if you only use the LDAP server without all the other management capabilities). Within a few minutes, your mail client will check for mail with the old password, iCal will check your calendar with the old password, you might be sending mail with the old password, and you login to iChat using the old password. Boom, you just hit your 4 failed logins without you entering or being prompted for your password once.

A much more intelligent way to do this would be to have the 4 failed logins be 4 failed logins with different passwords. So if you tried to login 20 times with the same password, it would only be recorded as 1 failed login. Would this weaken security? I don’t think so, but could leave your server open for a denial of service attack. In that case, why not take an additional 10 seconds to authenticate for each failed login? So while it would take awhile to have your login fail, at least you could enter your new password without having to contact your administrator. If your administrator is any bit like me, password resets are not easy.

Posted on

A fix for a broken web site

Today I had to purchase a Priority Mail label off the USPS web site and had a few problems with it. First off, Safari decided to keep eating the sample label. I then switched to FireFox and doing a Save As for the label saved it, but the file didn’t end in .pdf, so Preview wouldn’t open it even if I forced it to open it. (Yes, Preview should have attempted to decode it.) Once I renamed the file with a .pdf extension, the file opened just fine. Hmmm…what should I do to automate the process?

I remembered that I had a program called Hazel on my machine that watches folders and acts on them. I removed Hazel on my last machine because I was trimming things down (it got bogged down). I created a simple set of rules to change all files that start with com.usps to end in .pdf, open them and then trash them. Now I have to figure out more uses for Hazel as this is a great way to automate things.

Posted on

Inconsistent security

A colleague of mine flew from our main office to the east coast to run a test. As part of the test, he needed a large battery to power some equipment. He had no problems taking the battery on the plane to his destination, but on the way back, the battery not only couldn’t be carried on, it was pulled off the plane when it was checked as the TSA wouldn’t let it fly. There are 2 issues here; one is that we can’t find any regulations prohibiting the battery from flying and second, why was it allowed one way, but not the other?

This kind of inconsistency between airports must drive people crazy. When I travel, I travel with the same set of “gear” and haven’t had a problem going through any airport (knock on wood). Now if I had to bring more and varied equipment on different types of trips, this would frustrate me to no end. Years ago when I worked for QUALCOMM, I travelled to a conference and had to take a box of cables with me. This was way before tightened security, but I wasn’t taking any chances. I got there early, had QUALCOMM stickers put on the non-descript box and had no problems getting through security. Now, if I did that today, would I get searched and extra scrutinized? I guess it would depend on the airport.

I’m so glad that all the money we’ve spent on protecting our airports by standardizing procedures has helped.

Posted on

So much for unified security?

I’m on my way back from a trip to Kansas City and as I approached security, I saw that the guy checking IDs was private security and not TSA like I’d seen at every airport I’ve been to in awhile. As I walk past the ID checker, I see that every security person was from a private company. Well, it looks like in the government’s efforts to standardize security at airports, they left gaping holes. The The Aviation and Transportation Security Act of 2001 (ATSA) left the option open for airports, like Kansas City to use First Line Security. This seems like such a waste as the government spent a lot of money to get away from private, inconsistent security at airports.

While I can’t say that I feel more or less secure going through Kansas City, I think that the inconsistency sends a very wrong message to the flying public.

Posted on

Misguided financial values?

On the news the other night, we saw a story about how the stimulus package is providing jobs for some teenagers. The teenagers get paid $10 to work in different office capacities. In order to qualify, the teenagers must come from families that live below the poverty line. I’m not going to argue the merits of this program. They interviewed a few of the kids in the program and one kid said that he’d use some of the money to help out his mother, but then said that he was going to spend some money on himself to get a new cell phone. First off, is a cell phone necessary for everyone? I don’t know and don’t have to deal with that, yet. (My 2 year old son plays with our cell phones, but he doesn’t have his own plan and doesn’t actually make calls.) Second, the kid pulls out his brand new iPhone. Let’s do a little math. With Apple’s new pricing, the lowest priced iPhone is $99. AT&T puts every iPhone on a minimum $30/month data plan in addition to at least the lowest priced voice plan which is $39.99. Let’s also assume that the kid doesn’t do any text messaging. For a 2 year contract, that is $70/month * 24 = $1680 + $99 for the initial cost of the phone. I’ve excluded taxes for this example. So at $10/hour, this kid has to work 180 hours or effectively one month full time to pay for this gadget.

It would seem to me that somewhere kids need to be taught fiscal responsibility and save money for college, a rainy day, or something else. If the parents can’t help, maybe it should be a mandatory class in high school. During the summer when I was in college, I worked full time and pretty much saved every penny I earned in order to pay for my half of college (my parents made a deal with me that they’d pay for half of my college and I had to figure out how to pay for the other half). I worked with my father to come up with a budget, put in a few things I wanted to buy including a road bike, and figure out how to pay for everything by working and taking out loans.

I know that I’m quite lucky that my father made me fiscally responsible at a young age (I started saving for retirement when I was 12). Actually, maybe I’m a bit too responsible as I’m always concerned about money when sometimes I don’t need to; however, I believe that I’ll be able to meet all my financial goals.

Posted on

Leopard Server Password Reminder

Leopard Server’s LDAP implementation allows an administrator to set requirements about user passwords, such as length of password, what characters it must include, how often it must be changed, etc. One major oversight on Apple’s part is a facility to inform users that their passwords will expire. Maybe if users login via AFP or using Network Home Directories they’d see a message, but we’re using LDAP for authentication from a bunch of other servers. As I didn’t want to have to remember to remind people to change their passwords, I came up with a script to handle it for me. I’ve seen other scripts out their, but they made some assumptions that didn’t work for us. Our mail server is on a different machine and usernames don’t match email addresses, so my solution had to be robust. The only requirement for my script is that the email address has to be filled in for the LDAP entry. Also you must have some facility for users to change his/her own password. We’re using a WebObjects program we found to let users do this.

You’ll need to change the LDAP server name and the number of days to send out the reminder; we require password changes every 90 days, so I send the reminder seven days before. This is run via a crontab at midnight (or so) each evening.

I’m not an awk master, but this seems to be working fine

#!/bin/sh
datelogfile=/backups/datechange.log
tmpfile=/tmp/passwordchange.tmp
grep -h "changed" /Library/Logs/PasswordService/ApplePasswordServer.Server.log* | awk '{ test=$1 " " $2 " " $3 " " $4; cmd="date -j -f \"%b %d %Y %H:%M:%S\" \047"test"\047 +%s"; cmd | getline day; close(cmd); {printf day " " $13"\n"}; }' | sed s/}/' '/g >> $datelogfile
sort -r $datelogfile | sort -r -k 2 -k 1 - | uniq -f 1 | sort -r - > $tmpfile
cat $tmpfile > $datelogfile

# Walk each line in $datelogfile
# See if the date > 83 days ago. If it is, send out a password change reminder
cat $datelogfile | awk '{ cmd="date -v-83d +%s"; cmd | getline expire; { if ($1 < expire) print}}' > $tmpfile
cat $tmpfile | awk '{test=$2; cmd = "ldapsearch -x -H ldap://ldap.gruby.com -b cn=users,dc=ldap,dc=gruby,dc=com uid=\047"test"\047 mail";  while ((cmd | getline) > 0) {if ($1=="mail:") {newcmd = "echo \"From: it@gruby.com\nTo: "$2"\nCc: it@gruby.com\nSubject: Password Change Reminder\n\nYour password will expire in less than 7 days. Please visit:  to change it.\n\n\nIf you have any questions, please contact it@gruby.com.\n\n\n--\nit@gruby.com\n\" | sendmail -bm -t"; newcmd | getline; close(newcmd); break;}}  }' 

rm -rf $tmpfile

Apple, please add some polish to the LDAP server; adding a little user interface on OpenLDAP is nice, but it isn’t finished. Building in the password change ability and the reminder system would be a good start. In addition, securing it out of the box by making the “require authenticated binding” setting actually work (I’ve ranted about this in the past; this actually makes it impossible for us to expose our LDAP server to the outside world and use it for integrating outsourced services like Salesforce that will do LDAP authentication to our server.)