Archive for the General Category

Why is everything so slow?  Why does it take forever for the laptop to go to sleep? 

Holy thrashing platters Batman — Firefox is taking up 1.25GB of Memory.  I guess it is partially my fault.  Having 126 Tabs open isn’t the nicest thing that you can do, but that’s what I did during some intense research.  After I brought it down to about 30 tabs, it still held 1GB.  That is a little too much if you ask me. 

I’ve been a fan of Firefox for a while.  It’s attractive because of its extensibility, flexibility, W3C DOM, and rendering standards.  I’ve been a fan of good add-ons like Greasemonkey, Firebug, Better Gmail, View Source Chart, Fullerscreen.  I enjoy using these tools regularly.

I use IE7, and Safari 3, and rarely Opera.  Usually it’s just to make sure my CSS and JavaScript are cross-browser compatible.  Each one has its strengths and weaknesses.  Obviously with Firefox, Memory usage is not its strength :-) 

http://dotnetperls.com/Content/Browser-Memory.aspx

I’m hoping that Firefox 3 will help with the Memory usage.  I hope they can adhere to a different model; Weak references please?

I’m also excited to see what the IE8 team is cooking up.

Update:  I’m not so excited to see what IE8 is cooking up for Microsoft’s business plan.  Firefox 3 is Doing great on Mac, Windows and Linux for me.  Yea I wrote this a while ago, but thought it was still worth putting out there.  I don’t use Opera or IE7 much anymore now that I am primarily on Linux (home) & OSX (work)

I’m trying to restart MySQL from the command line in Mac OSX.  The GUI tool in the Preference Pane wouldn’t work for me, so it’s time to go back to the Command Line roots.  I knew that there was a way to restart MySQL from the command line, but I was looking in all of the wrong places (no /etc/init.d/ or others).  I fired off a few quick Web Searches with Google and found many hints.

Most of the articles I found online were not very helpful.  They all contained information that didn’t work for me and OSX 10.5.3 with MySQL 5.0.51a MySQL Community Server (GPL). Maybe MySQL changed their installer recently, maybe it’s a Mac Update thing, but I ended up finding the solution in a comment of this article.  A comment by someone named Russell proved to be very helpful.

Basically it came down to knowing where to find these commands:

Start - sudo /usr/local/mysql/support-files/mysql.server start
Stop - sudo /usr/local/mysql/support-files/mysql.server stop

Thanks Russell - You rock!!

 

Big news today about a large security hole that affects the backbone of the Internet: DNS.  The Domain Name System or DNS is basically what translates readable names like colinharrington.net to their corresponding IP addresses.  It is a cornerstone of just about everything that we do on the internet.  This news is larger than the Debian OpenSSL fiasco that I blogged about earlier.

I first came across this when I read this article which was posted to Digg.com.

When I first logged into Ubuntu, I was notified that there were very important security updates by the bright red warning icon in the gnome panel.  I was quite happy not to have annoying balloon pop-ups or tricky log-out buttons that hijack the computer to automatically install important updates.  The Ubuntu security updates notified me that I needed to update bind9-host, dnsutils, libbind9, among others. 

We have known that DNS poisoning was an issue, but recent findings combining multiple attack vectors revealed a gaping security hole.  It was interesting to note that this ‘bug’ was a design decision and had to be patched across the board.  I guess design bugs can be quite hairy since they are baked into everyone’s implementation.  All major vendors have to patch this hole due to the design nature of this bug.

According to the initial article, the details of the attack will be revealed in 30 days "at the Black Hat security conference in Las Vegas".  It is very interesting to note the current DNS issues that have made headlines recently.  Apparently ICANN itself had lost its own domain name according to this story care of MSNBC.  According to that article icann.com and iana.com were both hijacked.  This sounds more like proof of concept work to me. 

I am not an expert in this area but from the bit that I do know, the possibilities are scary; Naming authorities being compromised, man in the middle attacks, etc.  What if someone were to gain control of major certificate authorities like VeriSign? It is a little scary to think about what someone could accomplish unknown to the user.  Online Banking, Corporate Communications, Secure Service Bus communications, what if these could be spoofed into being sent to the wrong place, or *through* the wrong place?

This could very well make it into our history books.  I guess we will know more in 30 days.

Here is some extra reading on the subject:

The initial article ended with these words: "This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It’s more, but I can’t talk about how much more."  which sounds very similar to Rusty Ryan’s line in Ocean’s Twelve "Look, it’s not in my nature to be mysterious. But I can’t talk about it and I can’t talk about why."

Yea I know… PHP.  Please don’t shoot me.  It’s not as groovy as say … Groovy or Ruby, but it can get the Job done.  I just found out how to configure PHP per virtual host. I guess I knew that it was possible, I just did not know how to do it.  Tomorrow I’m planning on forgetting how to do it and have to look it up again, which is exactly why I’ll blog about it :-).

So Basically you can set specific PHP.ini settings in the virtual host definition.  There are other ways of configuring PHP, but this one seems to be aligned to virtual hosts and is the right tool for the job I had to do.

PHP alania tipped me off to PHP.net’s article on the subject.  It would look similar to:

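# The <VirtualHost> address was lost from the original listing; *:80 is assumed here.
<VirtualHost *:80>
    DocumentRoot "C:\non\aya\business\public_html"
    ServerName www.somesite.com
    ServerAlias somesite.com
    # <Directory> needs a path; the DocumentRoot above is assumed here.
    <Directory "C:\non\aya\business\public_html">
        Allow from all
        # Values set with php_admin_flag cannot be overridden from .htaccess or ini_set().
        php_admin_flag short_open_tag off
    </Directory>
</VirtualHost>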

Don’t forget that you could also configure PHP on the fly (while it’s running/executing) by utilizing the ini_set() function.

Happy PHP-ing!

 

This last week (the 13th of May 2008) they announced a jaw-dropping security hole in the Debian OpenSSL package.  This Bug was introduced on May 2nd 2006 (released in September?) and fixed on May 13th 2008.

What was the Bug?  Basically the randomness of the key generation processes was severely inhibited, thus making it feasible to guess (by brute force) the private keys.  Someone commented out a block of code that was necessary to guarantee the randomness of the key that was to be generated.

#ifndef PURIFY
/*
 * Don’t add uninitialised data.
    MD_Update(&m,buf,j); /* purify complains */
 */
#endif

Ok what does that mean?  It means that someone could listen in on your communications that you thought were secure.  Sniff passwords, ssh into machines you don’t own, etc.
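Why a starved generator is so damaging, as an added example (not code from the original post, OpenSSL or Debian): when almost no randomness reaches key generation, every key it can ever produce can be listed ahead of time, which is also what lets a defender audit an inventory for affected keys. The toy key derivation, the assumption that a process ID in 1..32767 is the only varying input, and all names below are illustrative assumptions.

```python
import hashlib
import os

# Assumption for this toy model: the process ID is the only input that
# varies between runs, and PIDs range over 1..32767.
PID_MAX = 32768


def toy_keygen(seed_material: bytes) -> bytes:
    """Stand-in for key generation: the 'key' is fully determined by the seed."""
    return hashlib.sha256(b"toy-keygen-v1" + seed_material).digest()


def weak_keygen(pid: int) -> bytes:
    """Key generation where the PID is the only entropy that reaches the pool."""
    return toy_keygen(pid.to_bytes(2, "big"))


def healthy_keygen() -> bytes:
    """Key generation seeded with 256 bits from the operating system."""
    return toy_keygen(os.urandom(32))


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as would be stored in a blocklist."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> frozenset:
    """Enumerate every key the weak generator can ever emit."""
    return frozenset(fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX))


def audit(keys: dict, blocklist: frozenset) -> dict:
    """Map each key name to True if it must be revoked and regenerated."""
    return {name: fingerprint(key) in blocklist for name, key in keys.items()}


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample inventory: two keys made on an affected host, one not.
    inventory = {
        "web01-host-key": weak_keygen(4242),
        "backup-user-key": weak_keygen(31999),
        "laptop-user-key": healthy_keygen(),
    }
    print(f"weak generator can emit only {len(blocklist)} distinct keys")
    for name, compromised in audit(inventory, blocklist).items():
        print(f"{name}: {'REPLACE' if compromised else 'ok'}")
```

Patching the library does not repair keys that were already generated; anything the audit flags has to be regenerated on a fixed system.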

I was happy to get an urgent update from the Ubuntu update manager in such a short amount of time.  I like that I was able to patch my systems so quickly.  I am floored that this bug was allowed to happen for the last 2 years :-(

Many people have explained the fiasco/bug in more depth; here are some of my favorites 

I explained in a previous post on distributed computing, that one of my parallel programming courses in college required us to find the seed and depth of a sequence of random numbers (very similar to the generation of rainbow tables or brute force password/key checking).  I’m sure that a few slight modifications to that code and I would have a workable, scalable and efficient brute force attack.  Am I going to do this?  no.  Can you have the code?  Yes…and by yes I mean no.  Realistically anyone skillful enough to capture and stage an attack would have the skills to formulate this on their own.

H D Moore over at Metasploit calculated that it would take his 31 Xeon cores approximately 2 hours to brute force 2048 bit RSA Keys, and ~ 100 hours (3100 CPU hours) to brute force an 8192 bit RSA key pair, and 100,000 hours (3,100,000 CPU Hours) to brute force a 16384 bit RSA Key, assuming the max-breadth to find the pair. 

With a tool like Amazon’s EC2, this would allow you to scale this application as far as your pocket book would allow :-)  Well, there are actual limits, but they could be expanded by Amazon to handle your requests. 

I’m thinking something along the lines of 10,000 Extra large instances.  So that would be 80,000 cores, which would handle the 3,100,000 CPU hours in just 38.75 hours (yea, I know EC2 core != Xeon … it’s just for illustration).  3,100,000 hours of computing could be completed in just over 3 days!!!!  With Amazon’s current pricing model, it would end up costing you $8000 per hour to run those 10,000 Large instances.  So the total bill (not including storage or testing time) would be around $310,000 to complete the processing.  I guess I have better things to do with $310k.  $310 is the most that you would pay; statistically you’d end up paying ~ $160k if you had to average it out, and that is for a 16384 bit RSA key pair.  The most common would be 1024 or 2048 bit RSA keys.

For a large organization such as the government, this would be cake money.  I’d be willing to bet that they already have much more computing horsepower than Amazon has at the disposal of EC2.   I love open source projects, but with so much going on at many levels, open projects can leave themselves open to bugs like this.  I guess that’s why many projects go for the benevolent dictator approach.  Someone has to understand, and coordinate the project as a whole.  It will be interesting to see the fallout of this issue. 

This definitely got me to further my thoughts on Open Source Software.

What do you think?

 

When I was studying at Bethel College (now Bethel University) located in Arden Hills, Minnesota, I took a class on Parallel Programming taught by Dr. Brian Turnquist.  I have to say that this class was my favorite.  I would stay up late just to solve the problems and projects that were presented to us.  I loved it!!!

We had a 40 CPU Beowulf cluster that we were able to work with.  It was a pretty standard AMD Dual Processor Configuration on a 10/100mbps ethernet network (which was usually the bottleneck).  Several students had the opportunity to help design and setup the cluster.  The cluster had its own housing inside one of the Computer Science labs. 

We ended up writing C++ programs that utilized MPI to communicate.  We ran calculations, rendered fractals, and simulated breaking passwords in a distributed form.  Well, maybe not passwords, but finding the seed and depth of how to replicate a series of "random" numbers generated by the stock random number generator could be easily substituted with other code.  I won’t get into how important the RNG (Random Number Generator) is to our modern systems (1,2) but it was a fun exercise none-the-less.  I ended up using the cluster briefly to render some intensive POV-Ray Fractals (See the contest results). 

I’ve always loved the concept of distributed computing.  I was really excited when I learned of Amazon’s Elastic Compute Cloud (EC2).  The concept of Pay as you go applied to Distributed computing is an interesting one!  And having a top-tier datacenter and Simple Storage Services (S3) makes it an attractive solution.  The concept of building scalable web applications is one that has caught my eye. 

I have some good ideas on how to utilize this service but haven’t made time to finish the concepts.  The Amazon Web Services crew have really started to round out their services with the announcement of Persistent Storage for EC2 and SimpleDB.  Persistent Storage is, in my humble opinion, one of the last things that they needed to solve to service a fully viable, scalable, pay as you go/grow computing platform.  

I really enjoy using Firefox.  I have recently re-imaged my laptop after a hard drive upgrade.  I use Firefox quite heavily.  I will frequently have one hundred tabs open, especially when I go through my reading materials for a week. 

I noticed on both Windows and Linux (Ubuntu) that my Firefox sessions would hang after I crossed a certain threshold.  I have other browsers that I popped open to check to see if it was application or network specific.  Epiphany, IE and Safari all worked flawlessly so it had to be specific to Firefox.

My first reaction was to pop open about:config (more) and start poking around the network settings; network.http.max-connections and the like seemed to have no effect.  Alas, Google reminded me of network.http.pipelining (more); it basically allows for multiple requests to be executed at once.  This is especially important when using Gmail, Google Reader and Digg, which all utilize Ajax calls in the background.

 

It’s been a fun April 1st 2008!  I’ve Rick Rolled (definition) numerous people, and still have a friend believing that my wife and I are pregnant (right after talking about April Fools jokes.)  But my measly measures aren’t fit to stand up to some of the grandiose pranks out there today.

My Favorites have been (So far)

Last year I had my wife up in arms over Google’s TiSP.  She refused to allow a cable to hang in the toilet.  By the end I was trying to give it away by saying, "it’s only available today April 1st 2007."  It took a while but she eventually calmed down and laughed about it with me.

Happy April Fools Day!

 

I have come to love jQuery - It is incredibly slick to automate basic tasks.  The winning combination is being able to dynamically load jQuery with a browser plugin called greasemonkey (wikipedia entry). 

I got sick of always having to log in to a specific site and click through links to get to what I wanted, so here is a sample of a userscript that logs me in and manipulates things the way I want them to.  I have written some other ones to do extra calculations on top of finance.yahoo.com pages.  It’s a handy combination.

Of course to round out the development of these scripts don’t forget to use FireBug!!

// ==UserScript==
// @name           Crestock
// @namespace      net.colinharrington
// @include        www.crestock.com
// @include        crestock.com
// ==/UserScript==

var my_username = 'username';  //fill this in yourself...
var my_password = 'password';  //again use your own...
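// Add jQuery by injecting a <script> tag into the page.
// Note: the library is fetched over plain HTTP from a third-party host and
// runs in the same page that receives the credentials above.
var GM_JQ = document.createElement('script');
GM_JQ.src = 'http://jquery.com/src/jquery-latest.js';
GM_JQ.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(GM_JQ);

// Check if jQuery's loaded; poll every 100 ms until the page exposes it
function GM_wait() {
    if (typeof unsafeWindow.jQuery == 'undefined') {
        window.setTimeout(GM_wait, 100);
    } else {
        $ = unsafeWindow.jQuery;
        letsJQuery();
    }
}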
GM_wait();

// All your GM code must be inside this function
function letsJQuery() {
    $('#ctl00_cphMainContent_txtUsername').attr('value',my_username);
    $('#ctl00_cphMainContent_txtPassword').attr('value',my_password);
    $('#ctl00_cphMainContent_btnLogin').click();
    $('#ctl00_cphMainContent_cbContentAgreement').click();
    $('a#ctl00_cphMainContent_btnDownload').attr('onclick',$('a#ctl00_cphMainContent_btnDownload').attr('href'));
    $('a#ctl00_cphMainContent_btnDownload').click();
}

I may get around to submitting some of these to the public repository over at http://userscripts.org/.

Enjoy!

The other night, my wife left to attend a church event after I got home from work.  This particular night she took Kari with her and left Lucas at home with me.

We are in the process of potty training our three year old son named Lucas.  Since he still has accidents we are having him use the potty hourly.  The rule of thumb is that he has to at least try to go every hour.  When it came time for Lucas to use the potty, I led him into the bathroom and had him sit down to go potty.  To give him some privacy, I shut the door to the bathroom and sat down at my desk (right next to the bathroom). 

After a minute went by, I suddenly heard a commotion from the bathroom.  Frankly it startled me since my desk shares a wall with our bathroom.  As I quickly went to open the bathroom door, I wondered what in the world it could be.  As I started opening the door our cat immediately ran to the door trying to get out.  The poor cat was wet!  His velvety black fur had a glistening shine over the breadth of his back.  Puzzled by these circumstances I quickly discerned the source of the chaos.  I promptly asked "Lucas, did you pee on the cat?" to which he happily responded "I just shooted him" with the ecstatic grin of a three year old on his face.

After hearing his enthusiasm, I had to duck behind the door for a moment to make sure I didn’t let out a laugh.  After I made sure I had my composure, I went in and sat him back down on the potty.  I quickly rescued the cat before he could go roll all over fresh sheets or any similar deed. 

Once I had given the cat a shower in a plastic laundry basket, complete with Duck Tape latch (so I didn’t have to deal with the whole cats + water + claws issue), I was able to teach him all about how we aren’t supposed to pee on cats.