Just got malware spam in a Skype chat claiming that “Security Center has detected malware on your computer” with the affected software listed being all the recent Windows flavors. It assures me that my “system IS affected, download the patch from the address below …” That would be, of course, my OS X system. Best of all, it warns that “Failure to do so may result in severe computer malfunction”, really meaning “Doing so will result in severe computer malfunction.”
Adobe recently rolled out a patch to Flash Player 9 to mitigate some bad security vulnerabilities (my favorite Flash vulnerability was hilariously described at Matasano Chargen). One of our Flash apps at work suffered collateral damage from the update.
If you get the message “Security error accessing url” after applying the April 8 Flash Player update, then it’s likely the app is doing one of the things described in this article on potential compatibility issues with the update. Our app was affected because it accesses a web service running on another server.
When the Flash Player accesses data from another domain on behalf of a Flash app, it first looks for a crossdomain.xml file in the root directory of the domain that is being accessed. For example, on my site it would try to retrieve wombatnation.com/crossdomain.xml. This file contains access policies that the Flash Player will apply. If you want to allow any Flash app to access a web service on your site, you can go with the Come and Get It policy file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>
If you need to allow access to only a small set of domains, you should replace the * wildcard with something more specific. You can still use a * to pick up all sub-domains, though; for example, *.wombatnation.com would allow access to my local botnet herd. Keep in mind what the wildcard policy buys an attacker: a Flash app served from any site can then read responses from your server using the visitor’s own cookies, so a wide-open policy belongs only on a server that serves nothing authenticated or otherwise sensitive.
One of the vulnerabilities Adobe is attempting to mitigate in this patch is the ability of a Flash app to send malicious HTTP headers to a remote service. The updated Flash Player lets an app send only a fixed set of standard HTTP headers on a cross-domain request. If you want to send additional headers, the remote server’s crossdomain.xml must explicitly allow them with an allow-http-request-headers-from policy. Unless, of course, your header of choice is already on the blacklist for fighting in bars, spitting on sidewalks or p0wning servers.
Since the SOAPAction header that is used with SOAP based web services is not a standard HTTP header, your Flash app will display the “Security error accessing url” message unless the remote server’s crossdomain.xml is updated. The quickest fix is to add the following line:
<allow-http-request-headers-from domain="*" headers="SOAPAction"/>
to the cross-domain-policy section. If you specified a more limited set of domains in the allow-access-from policy, you should probably use the same set of domains in this policy. This Adobe TechNote explains the details.
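As an added example (not code from the original post or from Adobe), here is a small Python checker that parses a crossdomain.xml, applies the domain and header rules described above, and flags the wide-open settings a reviewer would want to know about. The policy text is constructed for illustration; the wildcard semantics (a bare * matches any domain, *.example.com covers example.com and its sub-domains, header names may carry a trailing * and are compared case-insensitively) are my reading of Adobe’s policy-file spec and should be checked against the spec for the player version you target.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the original post): any site may read
# data, but only wombatnation.com and its sub-domains may send SOAPAction or
# an X-Trace-* header.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-http-request-headers-from domain="*.wombatnation.com"
                                     headers="SOAPAction, X-Trace-*" />
</cross-domain-policy>
"""


def _domain_matches(pattern, host):
    """Domain matching as assumed from the policy-file spec: '*' matches any
    host, '*.example.com' matches example.com and every sub-domain of it,
    anything else must match exactly (case-insensitively)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_policy(xml_text):
    """Return the access and header rules of a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")
    access = [e.get("domain", "") for e in root.findall("allow-access-from")]
    headers = []
    for e in root.findall("allow-http-request-headers-from"):
        names = [h.strip().lower() for h in e.get("headers", "").split(",")]
        headers.append((e.get("domain", ""), [n for n in names if n]))
    return {"access": access, "headers": headers}


def may_access(policy, host):
    """May a Flash app served from `host` read data from this server?"""
    return any(_domain_matches(p, host) for p in policy["access"])


def may_send_header(policy, host, header):
    """May a Flash app served from `host` send `header` cross-domain?
    This is the check that fails for SOAPAction until the policy is updated."""
    header = header.lower()
    for pattern, names in policy["headers"]:
        if _domain_matches(pattern, host) and any(
            fnmatch.fnmatchcase(header, n) for n in names
        ):
            return True
    return False


def audit(policy):
    """Findings a reviewer would raise about an over-permissive policy."""
    findings = []
    if any(p == "*" for p in policy["access"]):
        findings.append(
            'allow-access-from domain="*": any site can read responses '
            "with the visitor's cookies"
        )
    for pattern, names in policy["headers"]:
        if pattern == "*" and "*" in names:
            findings.append(
                'allow-http-request-headers-from domain="*" headers="*": '
                "any site can send arbitrary request headers"
            )
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, header in [("app.wombatnation.com", "SOAPAction"),
                         ("evil.example.org", "SOAPAction")]:
        print(host, header, may_access(policy, host), may_send_header(policy, host, header))
    for finding in audit(policy):
        print("finding:", finding)
```

Point it at a policy fetched from a real server and the two questions it answers are exactly the ones the player asks before the request goes out: is the requesting domain allowed at all, and is this particular non-standard header allowed from that domain. The audit pass is the part to run against your own crossdomain.xml before pushing the quick fix.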
I tried to figure out what was going on with Firebug, but Flash apps are pretty much black boxes to me unless you’re debugging them with Flex Builder or whatever tool was used to build them. Flash is a pretty useful technology for quickly building apps, but there are so many drawbacks that I seriously doubt I would ever choose it as my preferred tool for building web apps.
I’ll be at the 2008 MySQL Conference the next three days. If any of the three or so of you that read these posts will be there, let me know and I would love to meet up down in Santa Clara. Even better, I’d love to carpool with someone from Oakland to Santa Clara.
Besides whichever keynotes I can manage to arrive in time for, I’m planning to attend the following sessions on Tuesday:
- Lessons Learned in Building a Highly Scalable MySQL Database
- The Lost Art of the Self Join
- EXPLAIN Demystified
- High Availability Landscape of MySQL
- Replication Tricks and Tips
- Mitigating Replication Latency in a Distributed Application Environment
Just over an hour into my bike ride today while I was slogging up a steep hill, my Polar CS200 heart rate monitor rebooted. The screen went blank, a few cryptic symbols appeared on the display, and then the display filled with a union of all possible characters and symbols that it ever displays. And it stayed like that until I turned it off and on again. It forgot the ride data up to that point for the day and all the general settings, like the current time, but kept all my personal settings. I’ve gotten used to the sensor strips on the chest strap sometimes not immediately picking up a signal, but I’ve never had the software crash like that before.
I recently got an invite for Pownce, which lets you send brief messages to selected groups of friends, similarly to, but arguably better than, Jaiku and Twitter, but also makes it easy to send files and events. Another big positive for me is that it is written in Python using Django. Which is probably a stupid reason for liking something that I almost certainly won’t be hacking on. But then I’ve preferred other things in the past for far more specious reasons. Like blue M&Ms. It’s not like the coating tastes any different just because it reflects radiation with wavelengths primarily at the blue end of the visual spectrum.
When I last updated WordPress I added a plug-in to display my pownces, though they’re also accessible at my Pownce page. I’ve got about 15 Pownce invites left, so let me know if you want one. The only thing I ask is that you periodically post messages like “Wow, that Robert is just so dreamy. And humble. And he can beat up Chuck Norris.”
I’ve been completely Microsoft Windows free at home once again for quite a while since the death of yet another hard drive in a Dell computer with a pre-installed copy of Windows XP Home. This time it was a Dell Inspiron 8600 laptop. There have been a couple of times over the last few months where it would have been convenient to have a Windows install at home so I could test some code to make sure it ran fine on Windows or to run some odd program that is available only on Windows. After upgrading my laptop to 1.5 GB of RAM, I decided to set up a Windows XP virtual machine using the Windows XP reinstallation CD that came with my Dell. For no particularly compelling reason, I decided to use KVM instead of Xen or VMWare. The Fedora project website has a great overview of virtualization options built into Fedora 7, though most of the focus is on Xen.
Setting up the Windows XP VM using KVM and a management tool called virt-manager was amazingly easy. I also benefited from a KVM and Fedora 7 tutorial at Phoronix, which is also home to great info for Linux users like me who have laptops with ATI video cards, but it would have been easy enough to figure out just by running virt-manager.
First, you may need to install a couple of packages:
$ sudo yum -y install kvm qemu virt-manager
If you had to install kvm, you should reboot to load the kvm modules. Once you restart, launch Virtual Machine Manager from the System Tools section of the Applications menu.
One problem I ran into with virt-manager was that it wouldn’t let me browse to the reinstallation CD. I ended up having to copy it to the hard drive into an iso disk image file, but that was easy enough.
$ cat /dev/cdrom > /tmp/winxphome.iso
Also, because the 2004-era Intel CPU in my laptop doesn’t have the Intel VT enhancements that support hardware acceleration of VMs, I had to configure my VM for full virtualization. It’s definitely slower than running native, but it’s still quite usable. I wouldn’t try running Halo in the VM, though.
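As an added example that is not from the original post, the following POSIX shell functions do the two checks that decide how the steps above go on a given laptop: whether the host can give the guest KVM hardware acceleration (the Intel VT “vmx” or AMD-V “svm” CPU flag plus a usable /dev/kvm after the kvm modules are loaded) or must fall back to the software-emulated “full virtualization” mode, and imaging an install CD to an ISO file with a checksum so you can tell a bad read from a bad disc. The file paths, device names and the cpuinfo text used when trying it out are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Decides between KVM
# acceleration and plain QEMU emulation for a Windows guest, and images an
# install CD. Paths below are illustrative assumptions.

# Print the hardware-virtualization flag found in a /proc/cpuinfo-style
# file ("vmx" for Intel VT-x, "svm" for AMD-V) or "none" if there is none.
cpu_virt_flag() {
    # $1 = path to a cpuinfo file (normally /proc/cpuinfo)
    flags=$(grep -m1 '^flags' "$1" | tr ' ' '\n')
    if printf '%s\n' "$flags" | grep -qx vmx; then
        echo vmx
    elif printf '%s\n' "$flags" | grep -qx svm; then
        echo svm
    else
        echo none
    fi
}

# Decide which mode to pick in virt-manager: "kvm" needs both the CPU flag
# and a character device we can open (the kvm modules loaded, which is why
# the post says to reboot after installing the kvm package); otherwise the
# guest has to run under software-emulated "full virtualization".
virt_mode() {
    # $1 = cpuinfo file, $2 = kvm device node (normally /dev/kvm)
    if [ "$(cpu_virt_flag "$1")" != none ] && [ -c "$2" ] && [ -r "$2" ] && [ -w "$2" ]; then
        echo kvm
    else
        echo qemu
    fi
}

# Copy a CD device (or any file) to an ISO image block by block, carrying on
# past unreadable sectors, and print the image's SHA-256 so a second read of
# the same disc can be compared against it.
image_cd() {
    # $1 = source (e.g. /dev/cdrom), $2 = destination .iso
    dd if="$1" of="$2" bs=2048 conv=noerror 2>/dev/null || return 1
    sha256sum "$2" | cut -d' ' -f1
}

# Usage on a real host (assumed paths):
#   virt_mode /proc/cpuinfo /dev/kvm
#   image_cd /dev/cdrom /tmp/winxphome.iso
```

On the laptop described in the post, virt_mode would print qemu because the CPU lacks the vmx flag, which is exactly the case where virt-manager’s full-virtualization option is the only one that works.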
I was worried when a popup window appeared about thirty minutes into the Windows XP install asking me to insert a CD that contained Service Pack 2. That was baffling, because the XP reinstallation CD claimed to include Service Pack 2. After canceling out of that dialog and stopping and restarting the VM a couple of times, the install continued. After a couple of hours of the installer grinding away with 98% CPU usage, I had a functioning Windows XP VM.
The biggest problem I’ve run into is with the mouse cursor. Frequently, it behaves like it has hit the bottom or the top of the screen, even when it is far from the edge. Perhaps Windows is getting confused about the size of its display window, which appears to be 800×600. The easiest way to work around it is to move the mouse all the way to the edge of the window in the opposite direction. This seems to temporarily help Windows calibrate the screen size. I ran into a similar problem years ago with VMWare, but was able to get past it by installing VMWare Tools. I’m not sure/doubtful there is an equivalent for KVM for Windows guest operating systems.
I haven’t set up a new Windows install for a couple of years, so I forgot how painfully slow it is to install all the anti-virus and anti-malware software, disable the naive user settings that Explorer and other Microsoft apps set up by default, enable the power user settings, and install all the apps and utilities like Firefox that make Windows usable. Setting up a new Linux install is so much easier for me and takes a small fraction of the time. When comparing the time to set up Windows versus Linux (especially for a software developer), you have to keep in mind that Windows comes with only a very basic set of useful tools and applications when compared to a good Linux distribution. The Yum (RedHat/Fedora) and apt (Debian/Ubuntu) packaging tools also make it far easier to install additional applications on a Linux system than on a Windows system. Keeping software up to date on Windows is generally a nightmare compared to Linux.
I wrote this review nearly three years ago, but never pulled the trigger to publish it to my blog. Maybe because it seems half written. I don’t think I’m going to ever go back to it, so what the heck.
Having skimmed part of the eponymous essay and having enjoyed other essays by Paul Graham, I bought a copy of Hackers & Painters: Big Ideas from the Computer Age without bothering to read any reviews. While I’m very glad I purchased it and read it, there were a few elements of the book that bothered me.
Most of my issues with the book revolve around Graham’s take on programming languages. Even then, I think he is mostly dead on. There are significant differences in the power of different programming languages. As he suggests, even if they are all Turing machine equivalent, who wants to waste their time reimplementing the abstractions provided by a more powerful language?
If your knowledge of programming languages stops at around Visual Basic, Graham’s book should be extremely enlightening. There are a lot of powerful languages out there, and Graham does a very good job of explaining why Lisp is one of the best of the best. But, sometimes he goes a bit too far. It’s hard to avoid getting the impression that Graham views anyone who doesn’t program in Lisp or a Lisp-like language to be a fool. While he seems to accept that there are a few acceptable reasons for using other languages, I don’t think he’s being very realistic about software development at most companies, as well as about the typical skill level of the people available to do development at many companies.
I was fortunate enough to have spent a few years doing commercial software development in Lisp. Working with the Lisp interpreter was a great pleasure, and even though I was by no means an elite Lisp hacker, I was frequently amazed by how much functionality I could implement in Lisp in a relatively short period of time.
However, there were several times when I found concepts in Lisp to be difficult to grok. One issue is that I don’t have a formal computer science degree, but rather degrees in physics and in philosophy and a lot of graduate work in electrical and computer engineering. A lot of the programmers in the IT departments of companies are going to have even less experience in computer science. I think you will see a lot of eyes glazing over if you drop into a typical IT shop and start trying to explain lexical closures. Of course, there will be many IT developers who get it, but I’m talking about the average mainstream developer.
Graham echoes a common sentiment that the majority of great software is written by a very small percentage of the best developers (though I don’t remember him making an estimate as to what percentage of that code is written in one of the most powerful languages).
Patrick Barnard wrote a very nice post about Voxify on his Making Contact TMCnet blog after speaking with the heads of our sales and marketing groups. Patrick’s post aptly summarizes the nature of the hosted speech applications that Voxify provides.
For the sake of credibility regarding real world speech application implementations, it’s important to note that we don’t claim we can implement every imaginable integrated application in less than eight weeks. Patrick doesn’t say that either, but I can see how some people might jump to that conclusion. Some applications require the development of very complex call flows and extremely technically challenging integrations to back end systems. I think we still deploy these complex kinds of applications surprisingly quickly, though.
The telephony integration for a hosted speech application can add time, too, if a lot of changes need to be made to existing circuits or if new circuits need to be provisioned. The telecom companies have gotten a lot better about this, but it can still take them 1-2 weeks to provision a new line. Fortunately, we’re able to catch most of these situations up front and get all of the telecom work queued up early.
But, Voxify absolutely can design, develop and deploy integrated speech applications in less than eight weeks. We’ve done that for several clients, and we’ve made some changes to our platform that will enable us to deliver that fast much more often in the future.
Part of the reason we can develop speech applications so quickly is that we have the experience from developing a lot of applications. In addition, we took the time, either during those deployments or soon after, to capture that experience in our core platform or in reusable libraries. We now have a very powerful platform and a strong set of reusable horizontal (e.g., geographical location, billing and shipping address, credit card information, etc.) and vertical (e.g., flight info, hotel reservation, prescription refill, order status, etc.) libraries. We also have a very efficient set of deployment processes that we have honed during all of our previous deployments. And, oh yeah, there are a bunch of smart people in our office who continually amaze me.
If you’re still using DRM’d audio formats, you owe it to yourself to check out Ogg Vorbis. It’s not just a pretty name anymore. The FSF has set up the PlayOgg.org website to promote Ogg Vorbis (audio) and Ogg Theora (video) as high quality media formats unencumbered by patents and restrictions on your rights. There is also a great article on Ogg at Wired.com for Windows and Mac users. The article explains how to get Ogg support in iTunes and how to rip to Ogg Vorbis. I use Grip and oggenc on my Linux desktop to do all my ripping. I use Amarok on the desktop and laptop as my primary audio player.
Years ago I started to rip my CD collection to MP3. I quickly switched to Ogg Vorbis after experimenting a bit and discovering that I could get much higher quality audio files at about the same file size by using Ogg Vorbis. My wife bought me an iAudio X5L about a year ago, since it supports playback of Ogg files. Unfortunately, the iPod I bought her recently doesn’t play Ogg. I’m tempted to install Rockbox on it so it will play Ogg files, but maybe I will wait at least until the warranty expires.
I may actually give Rockbox a try on my iAudio X5L. While I’m pretty happy with the X5L, the user interface is far from intuitive. Perhaps even counter-intuitive. The sound quality is great and the battery life is incredible.