Justin Dugger

Do you have a creative use for nagios?

jldugger@gmail.com (Justin Dugger) — Tue, 24 Aug 2010 19:28:26 +0000

I'm looking for inspirations on nonstandard uses of monitoring systems like nagios, which is normally used to check whether HTTP is reponding etc. I'm curious how people have taken the simple nagios framework and run with it in unexpected ways, so I can ~~steal~~ borrow them.

Adios, Gamerfeed

jldugger@gmail.com (Justin Dugger) — Tue, 17 Aug 2010 04:16:12 +0000

I've been seeking out feeds to sync to my front page, in order to keep the front page interesting, updated, and sync'd. One such interesting feed I tried was my Xbox 360 gamertag. The idea was to update every time I had a new game. Instead, it's been spamming every day I play, which is pretty damn annoying. I've left it on, with the theory that I'd locate a better feed or fix it somehow. Well, I'm declaring todo list bankruptcy on that one. Fixing it may take quite a while, and the value is just too low to bother with.

Maybe once I finish my home inventory and valuation project I'll tweak it to list new game purchases in XML. Until then, you'll just have to ask or check Microsoft's web site.

Work desktop

jldugger@gmail.com (Justin Dugger) — Thu, 12 Aug 2010 04:36:52 +0000

Too many screens!
In album Toys

The One True OpenID configuration

jldugger@gmail.com (Justin Dugger) — Wed, 11 Aug 2010 04:59:51 +0000

I like the OpenID concept, but by now it's clear that there's far more Issuing Parties than Relying Parties. In layman's terms, there's more sites that want you to use your account with them on other sites than sites that let use an account from elsewhere. Which defeats the whole point in dramatic fashion. The Password Thicket: Technical and Market Failures in Human Authentication on the Web [via Bruce Schneier] examines the marketplace and offers the following conclusion:

In the meantime, this perspective supports the claim [15] that deployment of an open, federated identity protocol such as OpenID will be opposed by current stakeholders on the web. Federated login not only removes sites’ pretext for collecting personal data but their ability to establish a trusted relationship with users.

This is only the most recent accusation, as the citation indicates. And there's plenty of economic incentive to refuse OpenID; you'll have no pretext for asking for email addresses or Favorite Movie 'security questions' that will help you sell targeted advertising. But there's another reason OpenID is struggling in the marketplace that isn't mentioned: OpenID is hard for users to deploy correctly. There is One True Way to configure your OpenID safely, which I will document for myself and posterity:

Buy a domain name. This domain is your openID.
Find some hosting for this domain. Preferably with exclusive access so only you can modify it.
Purchase and install an SSL certificate for your domain.
Locate or install an authentication system that supports OpenID
On the page accessible on your domain, place an OpenID delegate relation link to that authentication system.
Make sure both your OpenID URL and the delegate use HTTPS and are invulnerable to the cornucopia of web attacks.
Cry as you realize that few of the OpenID providers you could have delegated to will accept your OpenID.

Skip any of these steps and there is a world of pain waiting for you. And there's plenty of smart people who miss important points. If you don't buy a domain and just use a site like LiveJournal or Gmail directly, you're at the mercy of your provider's implementation and longevity. If you need a real example, provider Vidoop gave people a real scare.

Reviewing the steps above, it's obvious why Verisign was an early partner with OpenID; they had a lot to gain up until their expert jumped ship for Facebook.

Work desktop

jldugger@gmail.com (Justin Dugger) — Tue, 10 Aug 2010 23:59:17 +0000

Too many screens!
In album New

Arduino Update

jldugger@gmail.com (Justin Dugger) — Fri, 09 Jul 2010 06:42:28 +0000

An alert (and anonymous) reader commented on a previous post about Arduino packaging, letting me know that packaging has been accepted into Debian—both the Java IDE and the underlying compiler toolchain. A big thanks to Phil Hands and Scott Howard for their efforts!

This is a very new package, so patches are still rolling in. The DebianImportFreeze has come and gone, but Scott appears to be on top of things, having just filed a sync request a few hours ago to pull in a few more changes. If he keeps that pace up, he'll make MOTU in no time ;)

University Renderfarm management tools?

jldugger@gmail.com (Justin Dugger) — Tue, 22 Jun 2010 23:46:51 +0000

Faculty are requesting tools to manage the rendering crunch during finals week. Currently the status quo is a free-for-all in the computer lab during project deadlines. People end up "reserving" computers for rendering with signs threatening curses, mutilation, or death if disturbed, so we need something to manage renders. Campus closes at midnight, so something that can queue up enough work overnight without intervention is best.

I'm having trouble finding any other local animation education departments, so I'm putting this out to ServerFault: what tools do you use to manage a desktop renderfarm and notify students when batch renders finish?

Bruce Schneier deserved to lose

jldugger@gmail.com (Justin Dugger) — Sun, 20 Jun 2010 22:39:07 +0000

NPR held and broadcasted a debate on the resolution, "The cyber war threat has been grossly exaggerated," and invited a sophisticated panel to debate for and against it. The format of Intelligence² debates is two panels of speakers competing to change the audience opinion. So even if the audience comes in with a massive majority opinion, the merit of the debaters is judged by the change in opinion after the debate concludes.

NPR's debate organizers do a good job of recruiting people with experience on the subject rather than experience with policy debate and the more estoeric philosophical techniques to "win". The team arguing cyberwar is a bogeyman consists of Bruce Schneier and Marc Rotenberg. The team arguing that cyberwar is real and dangerous is John M. "Mike" McConnell and Jon Zittrain. I've actually heard of two of these people, which makes me feel just a bit smarter. As I subscribe to Schneier's blog (squids or not), I was rooting for his side to win. Alas, rather than pursuading the undecided audience, his team lost a few supporters to the other side, and lost by the rules of the debate.

But having listened to it, it's pretty clear Schneier's team made several key mistakes. Firstly, they let the other team decide what statements were under scrutiny. If all your opponent has to do is not make exaggerated claims during the debate to win, you'll lose pretty easily. You can see this principle in action as Schneier tries to quote McConnell, only to have McConnell dismiss it as out of context and a misquotation. Instead, they should have gone after public figures and decision makers not present — McConnell isn't the only politician or bureaucrat talking up cyberwar. I'm not about to go through CSPAN transcripts, but surely Lieberman, who's introduced a bill I understand would authorize the president to use an internet kill switch (and effectively censor people) made an exaggerated claim to support that broad reaching power.

Meanwhile, Zittrain and McConnell pretty much offered a no contest argument. They admitted that newspapers wrote exaggerated headlines, that the "cyberwar" attacks against Georgia may have been self inflicted, and that the main risk was not to our military but to high profile financial targets. By carefully avoiding any sensational or exaggerated claims they gave the other team nothing credible to point at as evidence. McConnell's main cyberwar threat example was catastrophic data loss at US moneycenter banks who handle trillions of dollars daily, and Zittrain's was the Youtube-BGP screwup.

In closing statements, Schneier and Rotenburg attempted to argue against the policy that would emerge from a loss, effectively an appeal to heads in sand. Instead of focusing on the negative policy outcomes, they should have addressed the likelihood of the oppositions's two threats in closing statements. I was never on a debate team but that seems like an obvious thing to do! The banking argument is a classic confusion of consequences for risk that Schneier is renowned for pointing out. The Lieberman bill even makes the distinction:

18) RISK.—The term "risk" means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome vulnerabilities, and consequences associated with an incident.

As determined by likelihood and adverse outcomes. Consider a common example, one my own website faces and which I think McConnell alluded to with his "millions of attacks daily" comment: brute force SSH login attempts. They happen quite frequently, but because they are easily guarded against, I argue the threat is low. With the proper safeguards in place, what is the remaining likelihood of a brute force attack succeeding? Slim to none, because I have no guessable common system accounts and the keysize is massive enough to make such attacks infeasible. The consequences are high but the likelyhood is miniscule, so the risk is low. I'm much more worried about keeping all my webapps patched than this SSH spam attack.

So what is the likelihood of the threats presented? A major bank losing all customer data is pretty slim I'd say. They have incremental backups and transaction logs and firewalls, and redundant file systems and offsite backups, and things I'm missing because I haven't spent a lifetime working for the financial sector. It would take more than the "two weeks" Zittrain suggests for a crack tiger team to construct a plan to completely wipe out customer records in seconds. Cyberwar could still do some damage, but, importantly, no more than they experience and plan for daily. Computers today are failure prone, even without script kiddies and trained military strikes, so private firms have all kinds of insurances, countermeasures and recovery plans in place. The consequence might be 7 trillion dollars, but the risk of complete loss of records is minuscule, so the threat is small and therefore exaggerated. Unregulated credit default swap markets present a greater risk to banks than this.

Meanwhile the Youtube-BGP attack was resolved within two hours, and early warning systems (more like fast after-the-fact alerts, really) are in place to watch for bogus announcements. So the outages from a network routing attack can be resolved relatively quickly. When the beer passing brigade fails en masse the companies that profit from it figure it out and quickly. The internet was built to be resilient to attack and Zittrain even admitted an adhoc networks were a sensible approach to a destabilized internet.

In conclusion, I think the cyberwar threat is overstated, but the weak case Schneier and Rotenburg presented at the debate was sufficient cause for them to lose both the debate and majority consensus. This doesn't mean we should be arming the president with a kill switch or ignore the dangers of fraud and hacking, but we should prioritize based on risks rather than consequence, and the risk is far greater elsewhere.

Has nothing changed in the past 8 years?

jldugger@gmail.com (Justin Dugger) — Thu, 10 Jun 2010 05:25:04 +0000

Can anyone recommend a good technical / business writing book? I took a technical writing for engineers class in undergrad, and kept the book, which I find myself referring to when writing resumes, job applications and proposals. But sometimes I wonder how relevant it remains in an era where most writing happens in email. I also wonder if the resume writing and cover letter advice is well received by people making hiring decisions.

For those who prepare written documents regularly on the job: is there a better book people working in the field recommend for preparing and formatting reports, proposals, and other written communication?

Hiring managers: are there books with advice you like on the subject of resumes and cover letters?

On synchronization and "the cloud"

jldugger@gmail.com (Justin Dugger) — Thu, 10 Jun 2010 04:42:56 +0000

I've been meaning to do a followup post on N900/Maemo5, but every time I summon the effort to start drafting the post, a new firmware comes out to address problems motivating the post. Case in point: the most recent firmware (PR1.2) finally added the USSD code support one needs to query Tmobile about money left on prepaid accounts (a fantastic money saver for me).

But one thing that has become readily apparent is why people are so excited about "the cloud". Roughly speaking, the non-technical and semi-technical people who use that term mean something other than elastic computing. As best I can tell, what they're after is an online datastore / network API that's on 24/7. Which can be neat, but isn't the revolutionary thing you might imagine based on the rhetoric.

Anyways, about that neatness: after a few months of smartphone ownership it became apparent that I need some way to deal with the fact that all of my devices create and store new data sources, but none of them are on and accessible 24/7. Solutions like unison remain academic because they are neither automated nor available 24/7. Essentially, it seems people are rediscovering the value of mainframe computing, but with redundancy and graceful degradation to offline mode. Maemo5 meets this concept to varying degrees of success.

Music

Synchronizing music libraries is relatively simple, and even Banshee supports it. Simple file sync tools like unison are also admissible to me because generally speaking, I don't add much music very fast and changes needed immediately. But there's a side problem here: hidden data. Music ratings are a great tool I use to create shuffle playlists of minimally acceptable music. Because the MP3 format does not include this admittedly subjective rating field, it's not sufficient to sync files to get this data. It's become clear that the tight integration iTunes offers by sharing metadata between desktop and device is pretty damn useful. Granted, they're impossible to get out, and people sometimes accidentally wipe their ratings stored on iPods, so perhaps the grass is just greener on the other side of the electric fence. Perhaps I should see if something like Last.fm / Libre.fm can play a role in collecting and syncing this data.

Maemo5's media player doesn't provide a rating concept, so there's nowhere for this data to be put on the device for smart playlists. I hear that Meego took a great step in the right direction by selecting Banshee as the media player, so I hope the group takes time to address Banshee<->Banshee setting sync, to meet or beat iTunes.

Photography

Maemo does an outstanding job here with a great idea. The unit of software deployment on smartphones is generally the app. Maemo's Sharing plugin system does a superlative job of modularizing the upload process such that you don't need a seperate uploader app for each hosting provider. There is a gallery2 plugin, which works well for me, and there's no shortage of other plugins if you prefer not to self host. This deserves an A++ and I hope Meego keeps this tradition.

Bookmarks / History

Upon seeing that Mozilla was building their mobile Fennec browser for N900, I decided to check out Mozilla Weave. It's a great replacement for an old tool that was popular and canceled before the term "cloud" was cool: Google Browser Sync. They've since rebranded it Mozilla Sync which maybe indicates more clearly what the product does. Many people use Xmarks, but Sync also handles history, preferences, even tabs. Mozilla offers a central service, but I prefer to use the minimal standalone system that I can host myself. This is probably the ideal -- people who want privacy have a number of steps they can take, while there's still an easy to use compliment. Interestingly, Meego has chosen Chrome as it's default browser, and the state of the art in cross browser sync is bookmarks only (I can't imagine sharing preferences between browsers being useful).

Calendar & Organizer

I've lately been experimenting with calendars and todo lists at work. For example, I have "package weave-minimal for Ubuntu" as a todo item. At work we have Exchange and Outlook. At home I have Evolution, which integrates with the desktop in some neat ways I'd like to keep. Surprisingly, Maemo supports Exchange very well. Calendars / alarms, todos, notes, etc. all come across fine, and PR1.2 even generates responses to meeting invites. Ideally, I'd keep work and personal data separate and let the phone unify them for presentation, but I've yet to find a way to do that -- CalDAV support is not in Maemo. The good news is that I've seen a few emails from Nokia developers that suggest CalDAV might work in Meego. Guess it's time to set up a personal CalDAV server and point Evolution at it.

As far as contacts go, I generally just centralize it on the SIM card and leave it there, but I think Ovi has a system in place, and syncML has rough support.

Conclusions

I don't know why this form of cloud computing is popular now, when many of the same problems and solutions have been around since laptops and wifi. Perhaps the pocketability and utility of cellphones cancels out the "nerd factor" associated with carrying around laptops, so that people now run into these problems daily rather than just during offsite business meetings. Either way, there's plenty of technology to support private cloud systems; I use gallery2, weave and (soon) CalDAV privately to synchronize my computers.

Frankly, the greatest remaining challenge I have left is storage. In contrast with jzawodny, S3 doesn't even come close to making economic sense at personal scales of a couple TB, and Dropbox is even more pricey with less data at end. For now I'll just take the availability risk of residential networking and save the money.

Certificate-Received

jldugger@gmail.com (Justin Dugger) — Thu, 10 Jun 2010 00:23:58 +0000

When you use online banking transactions in GNUcash, it asks you to validate a certificate, even though it's already done so for you, and has a far better understanding of what's good / bad than the average user ever will.
In album Screenshots