Audit my Server – A guide to performing a quick and thorough security audit on your web-facing server
This post has been moved to http://demongin.org/blog/828
This post has been moved to http://demongin.org/blog/826
This is a guest post from Timothy O’Connell.
This blog is going to end with a question that I have been unable, after countless minutes of Googling, to answer satisfactorily. It will start, however, with some givens.
I already know that if you want to alter the default settings for all profiles that will be created by a given Firefox installation in the future, you add the line for the preference that you want to effect those profiles to the file FIREFOX_ROOT/defaults/profile/prefs.js.
Similarly, I already also know that if you want to push a preference to all currently existing users on the machine, you add the line for that preference to FIREFOX_ROOT/deftauls/pref/firefox.js.
The caveat there, of course, is that if the user of the profile have already changed a preference in his personal prefs.js (i.e. the one in HOMEDIR/.mozilla/firefox/RANDOMALPHANUMERICS.USERNAME/prefs.js) and it conflicts with your preference in the (global) firefox.js, then you (the admin) are SOL, because the program will defer to the user’s personal prefs.js file.
Which brings us to the question: is there a way (short of writing a script to parse individual user’s personal prefs.js files and modify them as needed) to push a preference to all users of a given Firefox installation?
Full disclosure: I’m posing this question for two reasons. The first reason is that I’m sort of passive-aggressive with Firefox: ours is a very love-hate relationship. The second reason is that I honestly don’t think that what I’m describing–i.e. adding a preference to one, “master” preferences file that effects all users of a given installation, regardless of their personal prefs.js file–can be done.
Am I missing something? Maybe even something truly forehead-slap-worthy that’s at the top of all the documentation? Or is this a real limitation of the program?
I’ve heard there’s a big migration of ruby people to scala, and so the first thing I would say to the ruby people is that this is no panacea. It’s not ruby on a JVM; it’s an entirely new langauge, with much stronger java roots than any other language, so familiarity with java is probably more helpful than python or ruby. On the other hand, if ruby whetted your appetite for functional programming, scala has more of that than ruby and python combined, and seems to live up to its promise of exposing the wonders of java’s scalability and rock-solid virtual machine and garbage collector.
Rails programmers: what’s an example of one thing you find in other people’s Rails code that you (almost) always consider to be wrong?
jQuery version of technoweenie’s relative date js library.
PragDave: Twitter Should Move Away from Ruby
Oh dear. The chattering classes are at it, talking about how the Twitter folks are dissing Ruby by announcing the replacement of some Ruby code with Scala code. [Don't miss the comments!]
Building Sites Around Social Objects
Define Your Object. Define Your Verbs. Make the Objects Shareable. [I like the first 3 of these 5 principles.]
A personalized feeds of new and upcoming music releases. [Amazing!]
Behind the scenes of EveryBlock.com
Adrian Holovaty, co-author of the Django web framework, takes you under the hood of EveryBlock.com, a Knight Foundation News Challenge startup which rounds up local news and information, and is powered 100% by Python and Django.
Posterous Co-Founder Sachin Agarwal
Garry and I both went to Stanford and majored in Computer Science. When I graduated, I worked at Apple on Final Cut Pro for 6 years which was all the way up to starting Posterous. I was building the real-time playback engine and effects architecture. That didn’t have a direct impact on the formation of Posterous, except that we’re definitely Apple people at heart, and we want to be the Apple of blogging. We want to make the simplest, most beautiful site out there, and make it accessible to the masses.
iPhone on Rails and ObjectiveResource
ObjectiveResource is an Objective-C port of Ruby on Rails’ ActiveResource. It provides a way to serialize objects to and from Rails’ standard RESTful web-services (via XML or JSON) and handles much of the complexity involved with invoking web-services of any language from the iPhone.
A simple tool for managing your Slicehost account.
auto_html is a Rails plugin that let users embed HTML by providing URL of links, images, youtube, vimeo, deezer,…
ricardochimal’s taps at master
A simple database agnostic import/export app to transfer data to/from a remote database.
This is awesome.
This is mostly a solidarity bookmarking, but the site is actually useful, insofar as it contains a list of corporate sponsors of Fox News.
Dealing with impossible crises
Generally speaking, I skim life advice links from Reddit, chuckle to myself about how such a self-absorbed community of self-declared geniuses, free-thinkers and savants consistently manages to recommend self help 101 articles about basic life skills as if they were the original wise sayings of the Lord Buddha and move on. But this one’s got two cherry pieces of advice and a fun anecdote about how you can +1 your fast talk skill: 1.) stay calm and polite, 2.) go into all conflicts assuming that you have already lost. Resolving oneself to failure and thus resetting the criteria for success according to your own rules is the original life skill.
How To Set Up A Postfix Autoresponder With Autoresponse | HowtoForge – Linux Howtos and Tutorials
This is a sweet little CLI autoresponder app for use with postfix that you can set up for all users on your box and modify at the line or via email. Effin’ sweet.
Android tethering apps pulled from Market
While totally unsurprising, this is still mildly infuriating. The only thing that makes it less than intolerably annoying is the fact that Google is kind of on the level about it: T-mobile’s TOS (which I agreed to obey at some point, I’m sure) forbid certain kinds of tethering, so Google had to pull the app. But the tether developer makes a good point: does this effect the whole market place? Or is market place going to be restricted by service provider in the future?
Associated Press Seeks More Control of Content on Web
Well, I guess that’s it for the AP, then. It’s probably for the best: they were really making a nuisance of themselves lately anyway (with that whole "Hope" poster biz) and we’ll certainly be better off without them.
AdFreak: Viagra always has such wonderful gift ideas
There’s nothing I love more than when Madison Avenue just straight goes for broke on a Mega Corp account and puts out an ad so utterly inane and puerile that you want to tell everyone you know about it. Call it a consciousness hack. And consider my private system exploited.
Schneier on Security: Who Should be in Charge of U.S. Cybersecurity?
This, for the record, is the ultimate talking point on Internet security: it’s a network everyone uses that depends on an infrastructure managed and maintained by everyone and it is therefore everyone’s responsibility to improve the quality and security of the network and its users. And this is why BS says the NSA shouldn’t be Obama’s go-to agency for "cybersecurity". They keep secrets. Secrets ruin the Internet. Don’t believe me? Consider Microsoft’s legacy of pissing in the pool in misguided and stupid attempts to deliver security through obscurity.
Sometimes you come across something in the Rails changelog that suggests a config change before upgrading to the next version. Sometimes you only have time to put some code together quickly, but you know that you really should go back and refactor it soon. How and where can you remind yourself about this stuff?
I’m not sure where I originally came across this concept, but I think it’s worth sharing again anyway. I’ll even give it a name this time. Time Bomb Tests: easy cheesy reminders you can put into your test suite. They’ll sit there like little time bomb reminders – exploding only when you need them to.
http://media.mtvnservices.com/mgid:uma:video:mtv.com:9770
# test/integration/time_bomb_test.rb
require 'test_helper'
class TimeBombTest Time.parse('5/1/2009')
# optimize that thing marked HACK in the user model
# etc...
end
end
Update: Check out jeremymcanally‘s deprecate, which appears to have been partially inspired by this post. It allows you to deprecate (primarily) test code after a certain date, version, or other arbitrary condition is met.
…it has been such a success that our plan for the long run is to move more and more of our architecture into Scala. The vast majority of our traffic is API requests, and we want most of those to be served by Scala, either at an edge cache layer or a web application layer. Hopefully by the end of 2009 the majority of users’ interactions with Twitter are going to be Scala-powered.
Twitter: blaming Ruby for their mistakes?
In conclusion… is Ruby a bad language for writing message queues in? Yes, there are much better choices. Message queues are a particularly performance critical piece of software… but message queues aren’t something you should be writing yourself. This speaks much more to Twitter’s culture of NIH than it does to Ruby as a language… Is Ruby a bad language for writing long-running processes? Absolutely not. JRuby provides state-of-the-art garbage collection algorithms available in the JVM to the Ruby world. These are the exact same technologies that are available in Scala. JRuby addresses all of their concerns for long-running processes, but they don’t bother to mention it and instead just point out the problems of the de facto Ruby interpreter. [Very interesting comments.]
Obie Fernandez: My Reasoned Response about Scala at Twitter
I’m glad that Twitter is working to resolve its scaling issues. It’s a service that I love and use on a daily basis and from which I have benefitted immensely. As far as I’m concerned, Twitter is a case-study in how Ruby on Rails does scale, even in their hands… My interest in the question of Ruby vs. Scala at Twitter had mostly consisted of curiosity and amusement, at least until last night.
Mending The Bitter Absence of Reasoned Technical Discussion
Social media (blogs, community news sites like Reddit and Hacker News, Twitter and such) have swept in to fill a vacuum between peer-reviewed academic journals and water cooler conversation amongst software engineers… in theory, we should be more informed as a professional than we ever have been… In practice, the conversations that are most widely heard in the tech community are full of inaccuracies, manufactured drama, ignorance, and unbridled opinion. In discussing these Internet-spanning debates with non-technical friends, comparisons to Hollywood tabloids come first to mind. It’s a time sink for an industry that should be a shining example of how to use the newest of media for constructive debate.
Chax is a collection of minor modifications and additions that make using Apple’s iChat more enjoyable.
Reddit’s Steve Huffman and Alexis Ohanian. [They briefly discuss the infamous "gst" user around 15 minutes in.]
URL shortening services have been around for a number of years. Their original purpose was to prevent cumbersome URLs from getting fragmented by broken email clients that felt the need to wrap everything to an 80 column screen. But it’s 2009 now, and this problem no longer exists. Instead it’s been replaced by the SMS-oriented 140 character constraints of sites like Twitter.
The Real World: A video of David’s talk at FOWA Dublin – (37signals)
Execution and Perseverance are the keys to running a successful business.
The State of the Stack: A Ruby on Rails Benchmarking Report
New Relic helps more than 1500 organizations manage their Ruby on Rails applications. This gives us unique insight into how thousands of applications are deployed. Many of our customers have opted in to have their performance data shared with the Rails Core Team to aid in their ongoing work on the platform. In addition to that data we also aggregate information on the versions of OS, Ruby, and Rails used and the various plugins deployed.
Starting today, we’ll begin rolling out a new product we are calling the DiggBar. Before we dive into the details, check out this short video overview…
Google uncloaks once-secret server
Google is tight-lipped about its computing operations, but the company for the first time on Wednesday revealed the hardware at the core of its Internet might at a conference here about the increasingly prominent issue of data center efficiency.
Few know this, but one person, Paul Buchheit, is responsible for three of the best things Google has done. He was the original author of GMail, which is the most impressive thing Google has after search. He also wrote the first prototype of AdSense, and was the author of Google’s mantra "Don’t be evil."
Follow-up on "Get Satisfaction, Or Else…"
Customer support is my job, and I take it very seriously, and I am very, very good at it. To have another website undermine that job which leads to a customer with 1) a bad experience, 2) a bad impression of our company, 3) a bad impression of my work…well, it’s infuriating. Not only was I angry on the customer’s behalf, I was angry on behalf of our company to see our name and logo plastered all over a site we had never known about until then.
“Ambient intimacy” is a good term to describe how Twitter, Flickr, blogs, and other modern communications technologies keep us in touch with one another. The term I’ve been using for this is “passive communication.”
Hacker News on Daring Fireball’s Complex
We advise startups to launch when they’ve added a quantum of utility: when there is at least some set of users who would be excited to hear about it, because they can now do something they couldn’t do before.
stevenberlinjohnson.com: Old Growth Media And The Future Of News
…there are really two worst case scenarios that we’re concerned about right now, and it’s important to distinguish between them. There is panic that newspapers are going to disappear as businesses. And then there’s panic that crucial information is going to disappear with them, that we’re going to suffer as culture because newspapers will no long be able to afford to generate the information we’ve relied on for so many years.
We shouldn’t be forced to scour the internet finding sites that claim they are doing support for us when they’re not. It’s not fair to us and it’s not fair to customers to make something look like an official support site when it’s not. This should be entirely opt-in for a company and it’s not. In fact, it’s worse than that because if you don’t opt-in, they make negative claims about your company’s commitment to customers. [See also: http://news.ycombinator.com/item?id=540540]
2009 Rubyist’s guide to a Mac OS X development environment
My hard drive kicked the bucket recently. From scratch, here’s how I quickly got my Ruby web development environment into ship-shape form The Thoughtbot Way. Many of these instructions are specific to Mac OS X 10.5 (Leopard). Some of them are opinionated (Vim over Textmate). Pick-and-choose what you need but this is everything that I use happily day-to-day right now.
…the problem is that redirect_to doesn’t seem to preserve the HTTP method. This is ok for the faked-up methods eg using "_method=delete" but if the URL a person asked for was a POST it fails miserably with a routing error… [Checking out some of these solutions, but for now I'm just working around it by only storing the original request if it's a GET request.]
This is a triumph of the human spirit if I ever saw one.
