Wed, 02 Jan 2013
PF 2013
I wish happy year 2013 to everyone who reads this blog.
Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, the user can click the link named "SSL", which leads to an SSL-encrypted page with an alternative login form. The problem is that this page apparently sends the login form data unencrypted, so using SSL merely to display the login form is completely pointless: the credentials still cross the network in plain text.
Wed, 28 Nov 2012
SOAP::Lite
Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.
For example, look at this:
HTTP Basic authentication is accomplished by overriding the get_basic_credentials subroutine in LWP::UserAgent (of which SOAP::Transport::HTTP::Client is a subclass):
    BEGIN {
        # Overrides the credentials callback for every SOAP::Lite client in the process
        sub SOAP::Transport::HTTP::Client::get_basic_credentials {
            return 'username' => 'password';
        }
    }
So apparently the only way how to use Basic authentication is to override
a global function in some foreign namespace. And what to do when I want to
use two SOAP servers with two sets of credentials inside a single application?
There are more similar "features" in SOAP::Lite. For example, tracing can
only be set up globally in compile-time, or by manually calling ->import().
My dear lazyweb, is there a SOAP module with cleaner design?
Update - Wed, 28 Nov 2012: Tracing
FWIW, it is probably easier and cleaner to do both basic authentication
and tracing at the transport level - the transport module here is
LWP::UserAgent (thanks Adelton for the hint!), so for example handlers described in the LWP::UserAgent manpage work:
    # Attach the Basic credentials to each outgoing request of this client only
    $soap->transport->add_handler(
        request_prepare => sub {
            shift->authorization_basic($login, $pass);
        },
    );
    # Dump the request body just before it is sent
    $soap->transport->add_handler(
        request_send => sub { print STDERR shift->content; },
    );
    # Dump the response body once it has been received
    $soap->transport->add_handler(
        response_done => sub { print STDERR shift->content; },
    );
I wonder why the SOAP::Lite manpages suggest such dirty ways
of handling this (and I have not even started mentioning things
like the $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global
variable; ugh).
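As an added example (not code from the original post or from SOAP::Lite itself), here is the per-transport approach carried through for the "two SOAP servers, two sets of credentials" case: each client owns its handlers, the credentials handler is restricted with LWP's m_host match spec so they are never attached to a request for a different host (e.g. after a redirect), and the trace handler logs a copy of the request with the Authorization header removed. The endpoint URLs, user names and passwords are placeholders.

```perl
use strict;
use warnings;
use URI;
use SOAP::Lite;

# Build a SOAP::Lite client whose Basic credentials live in its own
# transport (the LWP::UserAgent subclass), not in a global subroutine.
# m_host keeps the handler from adding the credentials to requests for
# any other host, for example when the server redirects elsewhere.
sub soap_client_with_basic_auth {
    my ($url, $login, $pass) = @_;
    my $soap = SOAP::Lite->proxy($url);
    my $host = URI->new($url)->host;

    $soap->transport->add_handler(
        request_prepare => sub {
            my ($req, $ua, $h) = @_;
            $req->authorization_basic($login, $pass);
        },
        m_host => $host,
    );
    return $soap;
}

# Transport-level tracing that logs a copy of the request without the
# Authorization header, so the credentials never end up in the log.
sub add_redacting_trace {
    my ($soap) = @_;
    $soap->transport->add_handler(
        request_send => sub {
            my ($req, $ua, $h) = @_;
            my $copy = $req->clone;
            $copy->remove_header('Authorization');
            print STDERR "--- request ---\n", $copy->as_string, "\n";
            return;    # undef: let LWP send the real request as usual
        },
    );
    $soap->transport->add_handler(
        response_done => sub {
            my $res = shift;
            print STDERR "--- response ---\n", $res->as_string, "\n";
        },
    );
    return $soap;
}

# Two servers, two sets of credentials, one process (placeholder values).
my $server_a = add_redacting_trace(soap_client_with_basic_auth(
    'https://soap-a.example/endpoint', 'user_a', 'secret_a'));
my $server_b = soap_client_with_basic_auth(
    'https://soap-b.example/endpoint', 'user_b', 'secret_b');
```

Calls such as $server_a->some_method(...) and $server_b->other_method(...) then each carry only their own credentials, and nothing global has been touched.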
Tue, 27 Nov 2012
Cookies Auth and 403 Forbidden
In IS MU we have recently abandoned HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is that it does not work correctly with some clients because of the way the login form is handled.
When a not-yet-authenticated user accesses a URL intended for authenticated users only,
Apache2::AuthCookie returns an HTTP response with the "403 Forbidden"
status code, and with a text/html body containing the login
form. That way, the client cannot possibly be led into the false assumption that the page it just received is in fact the content it wanted to receive.
So the user fills the login form, submits it, and the server returns the real
page for that URL, this time with "200 OK" status code.
This approach seems to be correct (even after reading RFC 2616 :-). However, we observe problems with
the following two use cases:
- Nokia Symbian-based phones. After receiving 403 from the server, they display their own error message, and ignore the returned HTML altogether (except for the page background :-).
- Microsoft Word. When the link to the authenticated page is embedded inside the Word document, and user ctrl+clicks it, Word apparently starts MSIE to get the page. However, in this special case MSIE does not display the login form after getting the 403 status, but reports the error to its caller (MS Word) instead. So Word displays a generic error pop-up to the user, without the user being able to log in.
What to do now? The problem is clearly in the HTTP status code 403, and in its
mis-interpretation by some clients. I don't want to return the login form
in a 200 OK response, because I need e.g. the web crawlers to know that this
is not actually the page they tried to access. As for Symbian, they can be
clearly identified by their User-Agent string, so I can
return 200 OK only for them. But as for MS Word, I have no clue: what I see
is the request made by MSIE (and again, I probably don't want to return
200 OK to every unauthenticated MSIE request).
Any other suggestions, my dear lazyweb?
Tue, 20 Nov 2012
SMD Soldering
For the first time in my life, I have tried to solder SMD components (as I have written before, I am working on DIY LED lights for my bike). The component side looks OK, and soldering through-hole components went without problems. The SMD parts were a bit tricky, though.
I have used an ordinary soldering station with temperature regulation, but the results are not pretty. I wonder what is required to achieve this level of quality (watch from 14:10). One possible problem might be that some components on my board (especially the smallest sensing resistors) are connected to the highest-current and thus thickest paths, which suck great amounts of thermal energy when soldering.
Anyway, from the preliminary testing, it seems that my board works. So far I have found the following problems:
- The programming connector is bigger than I expected. I have solved this by using the angled variant instead, and adjusting it using a knife :-)
- The silk layer labels marking the polarity of components (electrolytic capacitors, diodes, etc.) can be placed under the components, except for the labels of connectors, which are needed even after the components are soldered!
- I should have added low-pass filters to the A/D converter inputs, at least for the feedback of the PWM-regulated converters. I think I would be able to overcome this in the firmware, though.
- Next time, I would probably design the board with round corners :-)
Now it's time to finish the firmware and to start adjusting the mechanical parts. I have already made the front spotlight and rear spotlight, and I want to make a LED string. Any tips about making a waterproof LED string out of 3mm through-hole LEDs will be appreciated. Should I use silicone, shrink-wrap tube, or what?
Thu, 15 Nov 2012
Printed Circuit Boards
For my bike lights I needed a PCB. Out of several services for manufacturing PCBs, I have chosen Itead Studio PCB prototyping service (the other candidate was Seeed studio). Here are the preliminary results:
I have placed my order on October 29th evening (Central European Time), according to Hong Kong post, the package was received by them on November 7th, it left Hong Kong on November 11th, and I have received it today, on November 15th.
They also have an interesting "Open source" program: the customer declares that his design is open source (mine is anyway), they make a few more boards in addition to those the customer has ordered, and they send them to their other customers. The original customer gets his ordered boards, and in addition to that, two more boards from other open source projects. I have in fact got their demo board (on the right side), and one open source board (the white one). Apparently, it is an Arduino 512KB SRAM expansion board. I currently don't use Arduino, so if any Arduino user is interested in this PCB, just let me know.
Okay, now it's time to take a soldering iron and play more with the hardware :-)
Mon, 12 Nov 2012
Desktop Environment-Specific Apps
I have recently come across this two-year-old bug report, filed in the bug tracker of Transmission (a BitTorrent client), where a GNOME developer suggests removal of the notification area icon from the application on the basis that GNOME 3 does not support the notification area at all.
So if I understand it correctly, we are now living in a world where all the GUI applications have to be dependent on the particular desktop environment, and it should be no longer supported to run - say - Transmission under XFCE, or GIMP under KDE, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use it" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?
That said, notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of applications and documents shortcuts), and applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).
Tue, 06 Nov 2012
DNS Lookup :-)
It seems my registrar will
discontinue their "free" hosting (as in "bundled with the domain
registration") soon,
so I will have to move my domain yenya.net mail and WWW servers
elsewhere. There is no problem with that - I have a 24/7 running computer at
home with good connectivity. There is one challenge, though:
The new DirectNIC service allows only one A record in the registered domain, when the domain is hosted on their DNS servers (no AAAA and no DNSSEC). So I am considering running my own DNS server in addition to mail and WWW servers. This would allow me to have A and AAAA records, SSHFP, and possibly the new DANE records. So I need someone to host a secondary DNS server. The requirements are:
- Static IP address, running 24/7
- IPv6 connectivity, if possible
- DNSSEC enabled
- Hourly update interval if possible
- Preferably outside the SmartComp/Nebox network
Of course, I am willing to provide the same service to the other party. Is anybody interested? Thanks in advance.
Tue, 30 Oct 2012
Bike Lights
I have a new personal project: I am trying to build a set of lights for my bike. So far my setup is quite simple: I use a 700 mA Buck Puck current regulator to feed a front Cree XM-L white LED and three rear 350 mA red LEDs. It can only be switched on or off, and cannot blink at all. So I wanted to make something more sophisticated.

I played with electronics many years ago in my teenage years, but I have been doing only software since then. So I have taken this as an opportunity to find out what progress the world of DIY electronics has made, and to learn programming of microcontrollers. I want the resulting electronics to have the following features:
- LED drivers for high-power LEDs:
- Atmel AVR Tiny CPU, programmable in-system (various blinking modes, etc.).
- Power: 7 to 12 V battery pack (either lithium or NiMH).
- Ambient light sensor (for automatically setting the mode depending on the conditions).
- Battery voltage monitoring.
- Cycle computer illumination LED.
- Two status LEDs.
- Two buttons for adjusting modes, switching on/off, etc.
- Software on/off.
- High-power software switched output driven by a MOSFET transistor (I don't know the purpose yet, I just had a spare pin and MOSFET :-).
I have managed to learn how to use the gEDA suite of tools, and created my first PCB with it. Yesterday I have sent the result to the fab. Anyway, I have made the Project Bike Lights page for my project, where it is possible to watch the progress or look at the firmware code, schematics, and PCB design.
Sat, 13 Oct 2012
Those Annoying Endorsements
Recently LinkedIn has added a new feature, endorsements. The most annoying thing is that the requests for endorsements are now near the top of the page, and people are clicking on it. So I have several mails each day saying "$somebody has endorsed you!" (with an "and you are expected to return the favor" subliminal message). So, my dear LinkedIn contacts: feel free to not endorse me and don't bother to write recommendations, as I don't plan to do the same either.
Fri, 12 Oct 2012
Failed SSD
Yesterday I went to a meeting and brought my laptop with me. I made
notes to a text file, and after the meeting closed the lid (my laptop
is configured to suspend then) and went away. After returning to my
office I have opened my laptop and seen only error messages from
the sda drive.
The drive was totally dead, and did not work even in another computer.
After plugging it in the SATA controller only printed something like
"resetting SATA channel", so it did notice something has
been plugged in, but nothing more. I had to teach my UNIX course in two
hours, so I had to quickly find a replacement, install a new system,
and configure it for presentation. Fortunately, I had a "spare" 2.5" drive
prepared as a replacement of the root FS of my workstation. So I deleted
the already configured system for my workstation, and used that.
Has anybody seen a similar problem? The drive was an "iops-optimized" OCZ Vertex II, about a year old. Fortunately, I use LUKS, so I can send it back to the vendor without worrying about my data.
Tue, 09 Oct 2012
Zacyklení 2012
I like outdoor puzzle-solving games, and last weekend I managed to take part in a really special kind of puzzle-solving competition:
Zacyklení is a puzzle-solving outdoor game for cyclists. And what is even more interesting, we have managed to create a purely recumbent team for this game. Those who can read Czech, here is the report from the game. Those who can't, follow the link anyway for more photos :-). We have not made it in time, but among all the teams we have finished somewhere around 5th place. Congratulations to the winners, and thanks to the organising team!
Thu, 20 Sep 2012
Hanwag Boots
After about 10 years, my Hanwag Alaska boots have disintegrated while I've been walking in the forest during this year's Svíčky. I will need new boots. Which boots do you recommend, my dear lazyweb?
I have been satisfied with the Alaska, and I chose them because the big part of the boot is made from one piece with only one seam in the back. However, the middle part of the sole has completely disintegrated. The conspiracy theory follows: I wonder whether it could be intentional on the part of the manufacturer, in order to not allow their customers to use the product for more than 10 years. In my opinion it should be possible to find a material which lasts almost indefinitely. That said, from my previous experience the sole was the weakest part of all my previous boots in terms of endurance. So maybe it is perfectly OK to expect the boots to last only 10 years. What do you think?
Wed, 19 Sep 2012
Playing with Prezi
A while ago, I came across the Prezi presentation tool. It is a completely different approach to presentation than slides with bullet points. I didn't like the dependence on either on-line access with Flash, or on the Windows executable (with embedded Flash, of course). Today, I did my first presentation using Prezi (together with Šimon).
We have been given 10 minutes to present our approach to two sub-tasks of the Plagiarism Detection task of PAN 2012. We used Prezi in order to be able to focus on explaining our approach without devoting too much time to explaining the structure of the talk to the audience. I think this is a great strength of Prezi, if used correctly.
So, my dear readers, do you think Prezi can be a useful tool, or do you instead agree with Peter (in Slovak), that it is just an over-glorified eye-candy? You can see our presentation here. Thanks to Yuri for the photo!
Mon, 06 Aug 2012
Enterprise Bug Fixes
Today, an unimportant but interesting bug #313291 has been fixed in RHEL 5. Here is the timeline:
- 2007-09-30: I reported the bug.
- 2007-10-03: The package maintainer found the upstream change which fixed the bug.
- 2007-10-05: I have verified that this trivial patch fixed the bug for me.
- 2012-08-06: The errata and the fixed package have been released.
I am grateful that the bug has been fixed after all this time,
but I don't use RHEL 5 anymore, and mutt in RHEL 6 got the fix
from the upstream.
I wonder why they even bothered to fix the bug after so much time,
and even release the new mutt package fixing this single bug.
This is not a complaint, this is hopefully an interesting insight to
the release process of RHEL packages. Maybe some high-profile customer
wanted this bug fixed. Who knows?