Yesterday Damon wrote a great article on how to secure your system for unblock-us and I followed his lead.
My only machine runs Mac OS, so I had to do a bit of research…
Following these instructions:
sudo -s
rndc-confgen -b 256 > /etc/rndc.conf
head -n5 /etc/rndc.conf | tail -n4 > /etc/rndc.key
Make sure the ports match.
launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
echo "launchctl start org.isc.named" >> /etc/launchd.conf
I didn’t need any fancy setup, so I pasted everything into /etc/named.conf:
//
// Include keys file
//
include "/etc/rndc.key";
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
//
controls {
inet 127.0.0.1 port 54 allow {any;}
keys { "rndc-key"; };
};
options {
forwarders {
8.8.8.8;
8.8.4.4;
};
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
};
zone "hulu.com" {
type forward;
forwarders {
208.122.23.22;
208.122.23.23;
};
};
zone "unblock-us.com" {
type forward;
forwarders {
208.122.23.22;
208.122.23.23;
};
};
Check for typos in the configuration:
named-checkconf /etc/named.conf
and check if we get new results. Before nslookup returned:
$ nslookup hulu.com
Server: 10.255.255.4
Address: 10.255.255.4#53
Non-authoritative answer:
Name: hulu.com
Address: 63.150.131.26
Name: hulu.com
Address: 63.150.131.11
Now I get:
# nslookup hulu.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: hulu.com
Address: 184.154.113.147
Name: hulu.com
Address: 50.22.86.53
Name: hulu.com
Address: 173.208.155.19
Name: hulu.com
Address: 173.208.170.19
First, problem description.
My FritzBox allows to specify a user-defined server to use for DynDNS. But I didn’t know how it would notify this server about my home IP address. I couldn’t find any documentation about this anywhere. So I wrote a script to print all the information about the request into a log file. This is what I found:
So what do you need?
First, a .htaccess file to specify authentication for the dyndns script:
# put the name of the PHP script you're about to write here: <Files "dyndns.php"> AuthType Basic AuthName "Authentication for clients that want to connect to this dyndns server." # the name of the password file (see below): # Specify the absolute path, or the path relative to the server root! AuthUserFile /full/path/my-passwords # the username of your choice: require user dyndnsuser </Files>
You need to create the my-passwords file using the htpasswd utility that comes with the apache webserver installation. To create a password file called “my-passwords” with a user “dyndnsuser”, use this command on the shell command line:
htpasswd -c my-passwords dyndnsuser
It will let you type a password.
Now only clients with the correct username/password authentication will be able to call the dnydns.php script. Such as your DSL router.
Then, the script itself, here called dyndns.php:
<?php # this include file contains some helper functions: include("dns-functions.inc"); if ( readIpFromFile() == getIpFromRequest()) { header("HTTP/1.1 304 IP address didn't change", true, 304); message("no change in IP, address is " . getIpFromRequest() . "\\n"); } else { if (writeIpToFile()){ header("HTTP/1.0 200 OK", true, 200); message("change successful, new address is " . getIpFromRequest() . "\\n"); } else { header("HTTP/1.0 500 Error writing file or similar", true, 500); message("error writing file or other.\\n"); exit; } } ?>
The dns-functions.inc include file with the helper functions:
<?php # name of the file where the IP address will be stored: $ip_file = "./ip"; # write debug stuff to a logfile function message($text) { $file = fopen("dyndns.log", "a"); fwrite($file, $text); fclose($file); } # get IP address from request parameter, or if none is given, # from the REMOTE_ADDR parameter function getIpFromRequest() { # just in case the IP _is_ in the request parameters, you never know: if (isset($_GET["ip"])) { return $_GET["ip"]; } if (isset($_POST["ip"])) { return $_POST["ip"]; } # if it's not, we get it from the remote address parameter: return $_SERVER["REMOTE_ADDR"]; } # read the IP address from the file. function readIpFromFile() { global $ip_file; if(file_exists($ip_file)) { if(filesize($ip_file)>0) { $file = fopen($ip_file, "r"); $ip = fread($file, filesize($ip_file)); fclose($file); return $ip; } } } # write the IP to the file. will return 'false' if there is a problem. function writeIpToFile() { global $ip_file; $file = fopen($ip_file, "w"); $result = fwrite($file, getIpFromRequest()); fclose($file); return result; } ?>
This PHP stuff was inspired by Michi’s dyndns script.
You may want to add the following to your .htaccess file to prevent people from spying out your setup:
<Files "dns-functions.inc"> deny from all </Files> <Files "ip"> deny from all </Files> <Files "my-passwords"> deny from all </Files>
All the stuff you have written so far can be placed anywhere on your webspace, as long as you specify the complete URL path to the dyndns.php script as the “update URL” in the Fritzbox Dyndns configuration.
So now the FritzBox can pass it’s IP address to your webserver. In my FritzBox’s log file, there was no message if this process was successful, I only saw log entries if something went wrong (in which case I had to look at the dyndns.log file the script writes on the webserver to check what happened).
But what then? How do we set up the webserver to actually direct requests to the FritzBox’s IP? You will need a directory and/or a subdomain on your server which to use for the redirect, so you can type something like fritzbox.mywebserver.com or myserver.com/fritzbox to be redirected to your FritzBox.
There are several possibilites to do the redirect.
1. Return a “Location” header informing the client that the document he’s looking for is somewhere else.
to do this, you’ll have to create an index.php script in the directory or at the subdomain that looks like this:
<?php # specify complete path to the include file if it's in another directory: include("dns-functions.inc"); $newurl= "http://" . readIpFromFile(); header("Location: $newurl"); ?>
Whenever a client goes to fritzbox.mywebserver.com, it will be redirected to your FritzBox’s current IP address (URL in the browser’s location bar will change).
2. Use a frame redirect. This is a little bit more subtle since the IP address will not show up in the browser’s location bar, but on the other hand, if the client navigates within the page, the browser’s location bar will not show that, either. It will always just show the main domain: fritzbox.mywebserver.com
In this case, the index.php needs to look like this:
<?php include("dns-functions.inc"); $newurl="http://" . readIpFromFile(); ?> <html> <frameset rows="100%"> <frame src="<? echo $newurl; ?>"> </frameset> <noframes> <body>Please follow <a href="<?echo $newurl; ?>">link</a>!</body> </noframes> </html>
3. Use Rewrite Rules. This will make the forwarding look most professional as the client/browser will only see the main domain and the redirect will happen on the webserver (like with a proxy). Drawback is that POST parameters are not passed on.
For the Rewrite Rules to work, you’ll have to adapt the dyndns.php script to make a change to the .htaccess file whenever a new IP is set. I haven’t tried this yet but I’ll let you know as soon as I figured it out
]]>So how to get rid of this?
There is no simple solution like checking a box somewhere in the CUPS settings. But there is an easy solution nonetheless: you can define your own banner page as described in the CUPS FAQ.
Mine is now a plain text file and looks like this:
Job Name: {?job-name} From User: {?job-originating-user-name} Printer Name: {?printer-name} Creation Time: {?time-at-creation}
You can also use a postscript file, though I haven’t tried how the {?parameter} thingies work there.
This file needs to go into /usr/share/cups/banner/, then you need to restart the cups-demon, and then you can select the new banner page in the CUPS settings at http://localhost:631, go to Printers->Administration->Default Settings->Banner.
This is then printed single-sided as it should be.
]]>Well, a few weeks ago I switched projects and focus areas. Now for the first time in my career[1] at Google I work on a customer facing product: the Google Privacy dashboard. Obviously I can’t write about upcoming launches, but I can assure you that there are many cool new features in the making.
[1] This is not 100% true. A little over two years ago I did some 20% work on the dashboard, so there is already a tiny little bit of code online that yours truly wrote. In case you are curious, it’s the logic that makes sure you get to see the privacy statement for your country, e.g. http://www.google.com/chrome/intl/en/privacy.html or http://www.blogger.com/privacy?hl=en.
]]>For future reference:
for file in *.png; do jpg="$(basename \\"$file\\" .png).jpg"; convert "$file" "$jpg"; done
Yes, it’s that simple once you have installed ImageMagick.
]]>Yesterday I I got an idea and tryed a snippet of javascript as a search engine and was happy to see that it worked as intended. A few minutes of javascript hacking later the omnibar behaved the way I like it:
This is the current version of my default search engine, feel free to criticize, I’m a JS noob:
javascript:query="%s"; if (query.search(/\\s/) != -1) { window.location="http://www.google.com/search?q=" + query; } else { query = query.replace(/^h?t?t?p?:\/\//, ""); window.location="http://"+query; }
Enjoy and let me know if you have other ideas on how to improve this!
]]>I don’t know if anyone told you that you build pretty good hardware but your firmware SUCKS! It’s Nearly March 2010 and your customers still have to fight with an embarrassing Y2010 bug in your code, the UI is horrible and getting anything on or off the device is a pain. I am the not-so-proud owner of an eTrex HCx but I can’t remember the last time I actually used it. Why? Because a Nexus One with My Tracks is way better than anything you have to offer. No need to jump through hoops to get tracks off the device, no proprietary drivers that work with one and a half operating systems and I carry it anyway…
Do you want me back as a customer?
Build the eTrex Android.
Specs:
If you or any other company would build a device like that, you could ask ANY price and I would buy it. So please build it. Please…
]]>
sudo apt-get install sun-java6-jdk
sudo apt-get install ruby-full rubygems
This installs only rubygems 1.3.1 but appengine needs 1.3.5.
ERROR: Error installing google-appengine:
bundler requires RubyGems version >= 1.3.5
sudo gem install rubygems-update
sudo /var/lib/gems/1.8/bin/update_rubygems
sudo gem install google-appengine
Et voilà! Ten minutes later I have a running hello world in the cloud
]]>$ ps aux | grep randomprocessname
psycho 20429 0.0 0.0 11824 1580 pts/7 S+ 12:00 0:00 /bin/bash ./randomprocessname
psycho 20528 0.0 0.0 4188 740 pts/17 R+ 12:00 0:00 grep randomprocessname
$ pkill -9 randomprocessname
WTF? Kill that sucker!
$ pkill -9 randomprocessname
No typo... Am I crazy?
$ pgrep randomprocessname
What's wrong?
$ pgrep randomprocessna
20429
$ pkill -9 randomprocessna
For some arcane reason pgrep/pkill
matches only the first 15 characters.
$ diff -r jruby-1.2.0RC1 jruby-1.2.0RC1.patched/ Only in jruby-1.2.0RC1.patched/: build diff -r jruby-1.2.0RC1/build.xml jruby-1.2.0RC1.patched/build.xml 42c42 < --- > 238c238,240 < <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"/> --- > <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"> > <exclude name="**/doc/index.html"/> > </zipfileset> 268c270,272 < <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"/> --- > <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"> > <exclude name="**/doc/index.html"/> > </zipfileset> 387c391,393 < <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"/> --- > <zipfileset src="${build.lib.dir}/dynalang-0.3.jar"> > <exclude name="**/doc/index.html"/> > </zipfileset>
But beware! The new ASE apk is HUGE (4.6M) and JRuby is fairly slow. But it works
Name: does not matter
APN: internet.eplus.de
Proxy: <empty>
Port: <empty>
Username: eplus
Password: <empty>
Server: <empty>
MMSC: <empty>
MMS proxy: <empty>
MMC: 262
MNC: 03
APN type: <empty>
Update:
The recommended configuration is:
Name: does not matter
APN: internet.eplus.de
Proxy: <empty>
Port: <empty>
Username: simyo
Password: simyo
Server: <empty>
MMSC: <empty>
MMS proxy: <empty>
MMC: 262
MNC: 03
APN type: <empty>
After the initial success with the eplus configuration, I had some problems with it, too. But I guess these errors were internal eplus network hiccups because they were gone without me changing anything and now both configs work.
]]>But thanks to the omniscient internet I found a solution. At the bottom of the “Keyboard & Mouse” preferences page is a setting which allows you to navigate only between text boxes or between all controls. I don’t know who came up with the great idea that the default should be “text boxes and lists only”, but I guess the mighty Steve knows what he is doing.
]]># cat test.rb require 'java' import java.lang.System class Ruboto def greet(who) puts "Hello, #{who}!" end end name = System.get_property('java.runtime.name') Ruboto.new.greet(name) # dalvikvm -classpath ruboto.jar org.jruby.Main -X-C test.rb Hello, Android Runtime!
This leaves only one question: where can I get ruboto.jar to start playing around with it
]]>Only 8% members of the Scientific Research Society agreed that “peer review works well as it is”. (Chubin and Hackett, 1990; p.192).
“A recent U.S. Supreme Court decision and an analysis of the peer review system substantiate complaints about this fundamental aspect of scientific research.” (Horrobin, 2001)
Horrobin concludes that peer review “is a non-validated charade whose processes generate results little better than does chance.” (Horrobin, 2001). This has been statistically proven and reported by an increasing number of journal editors.
But, “Peer Review is one of the sacred pillars of the scientific edifice” (Goodstein, 2000), it is a necessary condition in quality assurance for Scientific/Engineering publications, and “Peer Review is central to the organization of modern science…why not apply scientific [and engineering] methods to the peer review process” (Horrobin, 2001).
…
Chubin, D. R. and Hackett E. J., 1990, Peerless Science, Peer Review and U.S. Science Policy; New York, State University of New York Press.
Horrobin, D., 2001, “Something Rotten at the Core of Science?” Trends in Pharmacological Sciences, Vol. 22, No. 2, February 2001. Also at http://www.whale.to/vaccine/sci.html and http://post.queensu.ca/~forsdyke/peerrev4.htm (both pages were accessed on February 1, 2009)
Goodstein, D., 2000, “How Science Works”, U.S. Federal Judiciary Reference Manual on Evidence, pp. 66-72 (referenced in Hoorobin, 2000)
This sounds so true to me. I heard way more than one story from Ph.D. students where the professors who were supposed to review papers just forwarded this work to their slaves.
But the fact that academic peer reviews are possibly a failure should not be used to argue against the usefulness of code reviews.
As a reviewee
My first project at Google was written in Python. I had never written a single line of Python before. The feedback I got from the first few reviews helped me learn a lot about Python in a very short time. I don’t know how many times I got these “Yes, this would work but if you replace these 6 lines with that short statement it would work, too” comments.
The same is true for my second project in C++. I have written some C++ before but this was for my Diploma thesis and the code was far from professional. Again the feedback I got from my reviewers helped me learn C++ a lot faster than I would have otherwise. This project was a lot bigger than the first one so I got a few “we already have this implemented here” comments.
As a reviewer
I usually don’t pay that much attention to our coding conventions but my pet peeve is looking out for missing comments. Every time I have to think about a single line of code, this is a pretty good signal that a comment is missing.
Reviewing other people’s code makes sure that I have at least a little knowledge about the areas of our project I do not work on directly.
Conclusion
Code reviews take time and need the proper tool support. But if it is done right, they are useful and help in a couple of different areas:
Rod Hilton explains it much better than I could ever do, why you should Pair-Program. But I haven’t heard about the “ping-pong pairing”:
When doing Test-Driven Development, one of the things we do is called “ping-pong pairing”. So the other developer will write a test, then make it compile but fail. Then he passes the keyboard to me. I implement the feature just enough to make the test pass, then I write another failing test and pass it back.
I have to try this on Monday…
]]>