<p><b>Consonants</b> - the grkvlt irregular publishing mechanism - enterprise java, web development, information security, statistics and probability, gambling, book reviews and technology discussion, together at last!</p>
<h2>What Really Happened to the Search Results?</h2><p><em>grkvlt, 2015-05-27</em></p>
I noticed this <a href="https://twitter.com/WolfieSmiffed/status/603241742767390720">tweet</a> along with a <a href="http://doubtfulnews.com/2015/05/what-happened-to-the-dinosaurs-they-are-used-to-indoctrinate-children/" rel="nofollow">number</a> <a href="http://thenextweb.com/insider/2015/05/26/why-is-google-giving-a-creationist-answer-to-a-question-about-dinosaurs/" rel="nofollow">of</a> <a href="http://www.theskepticsguide.org/google-is-wrong-about-what-happened-to-the-dinosaurs" rel="nofollow">blog</a> <a href="http://www.themarysue.com/google-dinosaurs/" rel="nofollow">posts</a> about the same topic. And there are <em>many</em> more pages like that, from the Internet atheism/skeptic brigade, protecting the world from Christianity gone mad.<br />
<br />
What has happened is that using Google to <a href="https://www.google.com/search?q=what+happened+to+the+dinosaurs">search</a> for the phrase <em>what happened to the dinosaurs</em> triggered a match on a book with a similar title: <a href="https://books.google.co.uk/books/about/What_Really_Happened_to_the_Dinosaurs.html?id=JKyLPwAACAAJ&hl=en">What Really Happened to the Dinosaurs</a> by Ken Ham. His crime is to be a creationist. Can you believe it? Those sneaky Christians have gone and adjusted Google's search algorithm, so that when you search for the title of a book, you get back a bunch of information about the book. Think of the children!<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9IDm7dYmczOZz8xTwYQhc-YnitHnzCJfPsoE56_2NWyCo0j-PFGclTd4GP2LfJH5hp6SS2vYe27ikwxz8y053ZhkQemu0O-c9XXG-bS22vF5BJLWTENyBgkQXg3iti8ho050v/s1600/dinosaurs-feedback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9IDm7dYmczOZz8xTwYQhc-YnitHnzCJfPsoE56_2NWyCo0j-PFGclTd4GP2LfJH5hp6SS2vYe27ikwxz8y053ZhkQemu0O-c9XXG-bS22vF5BJLWTENyBgkQXg3iti8ho050v/s320/dinosaurs-feedback.png" /></a></div><br />
Oh, wait. No. There's definitely a lack of critical thinking going on here somewhere, though. What's worse is all the oh-so-clever geniuses leaving 'feedback' about this, explaining how the result is incorrect <em>because science!</em> and similar. They also seem to have failed to notice this response to their submissions: <em>Note: Your feedback won't directly influence the ranking of any single page.</em> Probably because they are gleefully posting about how they have 'corrected' Google. They also appear to believe that, despite this, the invisible hand of Google has listened to them and removed the offensive result, rather than what has actually happened - all the recent posts about the 'controversy' are weighted higher by the search algorithm, because they are more recent pages...<br />
<br />
Grrr. If there's one thing I hate it's idiots like this who believe they are more intelligent than they are (see also the <a href="http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect">Dunning-Kruger</a> effect) and are blessed with a super-rational skepticism that makes them infallibly right, unlike those poor benighted religionists. There's a time and a place for making fun of people who support flimsy beliefs with pretend science, and this is not it.
<h2>Google TFA Security Issue</h2><p><em>grkvlt, 2012-08-07 (updated 2019-06-24)</em></p><p>The following note describes a (serious) security vulnerability in Google accounts two-factor authentication, which I believe enabled <b>complete TFA bypass</b> and would therefore lead to full account access. I have raised this with Google, but it is a 'Known Issue' and no action is being taken, so they have placed no constraints on publication. I understand their security versus usability tradeoff, so this is mostly an exercise in full disclosure.<br />
</p><div class="image"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXVnYy4nJZKMDLERi0lGmr2PNy21mvfGE1DBnBccF1N4mLHGFbRnS99BV2a8XNQ5_n5Na187lv657Pi-JTO5VBTQNkApqjTIpXWPrJp3dhJU9BglIHqR5E2FTg-XfLw2msdcw2/s1600/_20190624_212219.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXVnYy4nJZKMDLERi0lGmr2PNy21mvfGE1DBnBccF1N4mLHGFbRnS99BV2a8XNQ5_n5Na187lv657Pi-JTO5VBTQNkApqjTIpXWPrJp3dhJU9BglIHqR5E2FTg-XfLw2msdcw2/s200/_20190624_212219.JPG" width="200" height="200" border="0" /></a></div><p>Since there was no bounty awarded, the issue was only recorded on the <b>Honorable Mention</b> list for Q3 2012. It can be found in the <b>Prior to 2015</b> section of the Google <a href="https://www.google.co.uk/about/appsecurity/hall-of-fame/archive/"><b>Security Hall of Fame</b></a> archive. If you want to verify that my name <i>really</i> is there you will need to click on the <i>Show List</i> link, and then search for <i>Kennedy</i>. The screenshot to the left is an edited copy of this page, created to highlight my entry, but there are a <i>lot</i> of other honourable mentions, so follow the link to see everything in context...<br />
</p><br style="clear: both;" /><br />
<h3>UPDATED 2013-02-25</h3><p>The same issue has been discovered and blogged about by <a href="https://www.duosecurity.com/">Duo Security</a> researcher Adam Goodman - <a href="https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/">Bypassing Google’s Two-Factor Authentication</a> and <a href="http://news.ycombinator.com/item?id=5279932">Hacker News</a> discussion.<br />
</p><h3>Issue</h3><p>It is possible to bypass and disable two-factor authentication and re-enable it with a different Android device and phone number without ever knowing the account password or having access to an authorised authenticator or phone number.<br />
</p><h3>Discovery</h3><p>I enabled two-factor authentication or two-step verification [<a href="#1">1</a>] on my Google account last year, using an Android phone connected to an Orange PAYG SIM to generate the validation codes. In the process of moving flat, I lost this phone and also mislaid my printed set of backup codes. This meant that I was unable to authenticate myself to any of the Google account services over HTTP/HTTPS, as after accepting my password they all required the extra TFA code. These included the account and profile settings page, Google+, Blogger and other Google web properties such as YouTube.<br />
</p><p>In fact, the only Google services I could access were those for which I had an application-specific sixteen character password [<a href="#2">2</a>] already generated, and it was not possible to generate any further such passwords. Additionally, these passwords are not sufficient to log into any of the Google web sites, and attempts using them are rejected. The only approved way to disable TFA and regain access to Google sites was to go through the account recovery process [<a href="#3">3</a>], which requires detailed knowledge of the history of the account. Even as the owner of the account, I was unable to provide enough correct answers to satisfy Google support and regain access, although I tried several times.<br />
</p><p>Using the vulnerability below I discovered that I was able to bypass the normal restrictions and re-configure the account security settings to give me access to my account again, and register my new phone and device instead.<br />
</p><h3>Requirements</h3><p>The following are required to gain access to a two-factor authentication protected account. Note that the main password is not needed, nor is access to any of the configured authentication devices or phone numbers.<br />
</p><ul><li>Any application-specific password for the Google account (this can usually be obtained by examining the configuration files for an application using the password, or by looking in the 'Keychain' on OS X or the equivalent on other operating systems)</li>
<li>Android 3.2.2 device (As tested, other versions may also work)</li>
</ul><h3>Process</h3><p>The following process will enable full access to, and control of, any Google account protected by two-factor authentication. I have tested this using my own Google account.<br />
</p><ul><li>Add the Google account to the Android device, giving the application-specific password as the credential</li>
<li>Ensure 'Google automatic sign in' is enabled for the Android browser</li>
<li>Access Google's homepage using the browser</li>
<li>Click on 'account settings' or other link which requires authentication with Google</li>
<li>The browser will automatically authenticate, and you will be logged in as the chosen account</li>
<li>It is now possible to change all two-factor authentication settings, either disabling it completely or changing the configured device and phone numbers used to generate codes</li>
</ul><h3>Conclusion</h3><p>This is a serious flaw, since users assume that their accounts cannot be compromised unless an attacker obtains the device used for authentication, or gains control of their authorised phone number, neither of which is required for this attack.<br />
</p><p>It is possible to log into an account protected by two-factor or two-step authentication <strong>without</strong> ever invoking this process <strong>or</strong> having access to the authorised device or phone. This bypasses all protections that are assumed to be provided by the service, allowing an attacker in possession of an application-specific password to gain complete control over a two-factor protected account which the user assumes is safe.<br />
</p><h3>References</h3><p>[<a name="1" href="http://support.google.com/accounts/bin/topic.py?hl=en&topic=28786&parent=2373945&ctx=topic">1</a>],[<a name="2" href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=185833">2</a>],[<a name="3" href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=117219&ctx=cb&src=cb&cbid=1uekfobxedtqi&cbrank=2">3</a>]<br />
</p><div class="technorati-tags"><a href="http://www.technorati.com/tag/security" rel="tag">security</a>,<a href="http://www.technorati.com/tag/google" rel="tag">google</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com3tag:blogger.com,1999:blog-22530044.post-23417604081549686342011-09-23T02:44:00.000+01:002011-09-23T02:44:50.856+01:00RebootI have decided to reboot my blog using Blogger templates. This means the layout is not as well designed as I might like - the previous design had six years of editing and tweaking...! Since the most boring type of blog post is one that talks about the blog itself, I'll leave things at that.<br />
<br />
I have recently started working at a new company, a cloud technology start-up based at Edinburgh University. <a href="http://cloudsoftcorp.com/">Cloudsoft</a> produce <a href="http://en.wikipedia.org/wiki/Cloudsoft_Monterey">Monterey</a>, a middleware framework for application mobility across various cloud infrastructure providers. I am developing the latest version of this, on which more later. It is a great environment to work in, with really smart colleagues and lots of challenges that keep me thinking. There are also the obvious benefits of being based in the University, such as very fast Internet and free access to academic journals.<br />
<br />
Due to the scope of my work, I have found myself learning a lot of interesting new things. These range from picking up new languages (<a href="http://groovy.codehaus.org/">Groovy</a>), libraries and APIs (<a href="http://www.jclouds.org/">jclouds</a>, <a href="http://aws.amazon.com/">AWS</a>, <a href="http://seamframework.org/">Seam CDI</a>), applications (<a href="http://redis.io/">Redis</a>, <a href="http://karaf.apache.org/">Karaf</a>, <a href="http://www.opscode.com/chef/">Chef</a>, <a href="http://www.jboss.org/infinispan/">Infinispan</a>) as well as technologies (<a href="http://www.osgi.org/">OSGi</a>, <a href="http://en.wikipedia.org/wiki/Platform_as_a_service">PaaS</a>). I am also working on open source projects during 20% of my time, which will mostly involve <a href="http://qpid.apache.org/">Qpid</a> but I have also been investigating jclouds and <a href="http://www.elasticsearch.org/">elasticsearch</a>. I hope to be able to write more about many of these topics.<br />
<br />
<div class="technorati-tags"><a href="http://www.technorati.com/tag/blog" rel="tag">blog</a>,<a href="http://www.technorati.com/tag/cloud" rel="tag">cloud</a>,<a href="http://www.technorati.com/tag/development" rel="tag">development</a>,<a href="http://www.technorati.com/tag/work" rel="tag">work</a>,<a href="http://www.technorati.com/tag/meta" rel="tag">meta</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-28704805209400075672010-08-01T19:40:00.009+01:002010-08-01T20:13:34.739+01:00Silly, Mischievous Fools and RoguesThe following extract from <a href="http://amzn.to/b746Go"><b>Churchill's Wizards: The British Genius for Deception 1914-1945</b></a> by Nicholas Rankin <em>(pp379-380)</em> is taken from a minute to the Security Executive, made on 06 September 1940, by Sir Alexander Maxwell, Permanent Under Secretary at the Home Office, in response to a proposed defence regulation making it 'an offence to attempt to subvert duly constituted authority.'<br /><br /><div class="image"><a href="http://amzn.to/b746Go"><img border="0" src="http://ecx.images-amazon.com/images/I/51sfWbyZ5TL._SY220_.jpg"></a><img src="http://www.assoc-amazon.co.uk/e/ir?t=consonants-21&l=as2&o=2&a=0571221963" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /></div><blockquote>There would be widespread opposition to such a regulation as inconsistent with English liberty. 
Our tradition is that while orders issued by the duly constituted authority must be obeyed, every civilian is at liberty to show, if he can, that such orders are silly or mischievous and the duly constituted authorities are composed of fools or rogues <em>[...]</em> Accordingly we do not regard activities which are designed to bring the duly constituted authorities into contempt as necessarily subversive; they are only subversive if they are calculated to incite persons to disobey the law, or to change the Government by unconstitutional means. This doctrine gives, of course, great and indeed dangerous liberty to persons who desire revolution, or desire to impede the war effort <em>[...]</em> but the readiness to take this risk is the cardinal distinction between democracy and totalitarianism.</blockquote><br /><b>Sir Alexander Maxwell</b><br /><em>06 September 1940</em><br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/quotes" rel="tag">quotes</a>,<a href="http://www.technorati.com/tag/politics" rel="tag">politics</a>,<a href="http://www.technorati.com/tag/ww2" rel="tag">ww2</a></div>
<h2>LEGO Games 3835 Robo Champ</h2><p><em>grkvlt, 2010-02-13</em></p>It was my nephew's fifth birthday recently, and I was struggling to find a suitable present for a young boy who loves robots, and also playing with LEGO. Then, I remembered I was supposed to be finding a present for Ben! 
Fortunately, I discovered <strong><a href="http://bit.ly/aMQnlR">Robo Champ</a></strong> while browsing the new <a href="http://www.hamleys.com/">Hamleys</a> store, in <a href="http://maps.google.com/maps/place?client=safari&rls=en&oe=UTF-8&um=1&ie=UTF-8&q=hamleys+glasgow&fb=1&hq=hamleys&hnear=glasgow&cid=11578073571904739000">Glasgow</a>!<br /><br /><div class="image"><img src="http://ecx.images-amazon.com/images/I/41-33DvkS5L.jpg" width="500" height="312" border="0" /></div><br /><br style="clear: both;" /><br /><br />This is an excellent game, both conceptually and in actual execution. It consists of LEGO pieces, and instructions to build three brightly coloured, cartoon style robots and one die. All the robot LEGO pieces provided are standard shapes and sizes, as found in any conventional LEGO set, and there are <a href="http://www.peeron.com/inv/sets/3835-1">118</a> separate pieces in total. The only custom part is the die, which accepts 2x2 tiles on each face (or combinations of two 2x1 or four 1x1 tiles) so you can re-use parts or build extra robots if desired. The robots themselves are fairly simple to build and great to look at and play with once built - in fact the set would be worth it just as a three-robot kit, I feel! Once built, the robot arms, legs and heads are detachable by design, and this is an essential feature of the game...<br /><br /><span class="full-post"><blockquote>There is a contest at the robot factory. The first to build a robot with all the correct colour parts will win this year’s trophy and be named the Robo Champ. If someone takes a part you need you may have to steal it back to achieve victory. A fast and fun game to play again and again for 2 to 3 players. Game play approximately 10-15 minutes.<br /></blockquote><br />Gameplay is quite straightforward, with the amusing back-story above presented in the instructions. 
Players take turns rolling the die and each get to pick, swap or steal an appropriately coloured robot part depending on the colour shown. In line with the spirit of LEGO, the rules are malleable, and it is suggested that players and families develop their own sets. I felt that the initial set of rules was complex enough to provide a fun game, but still easy to learn. The first game I played took around ten to fifteen minutes, just as suggested on the box, which included the learning time. Of course it also took some time beforehand to build the robot pieces involved, which will depend on your individual LEGO skills.<br /><br />One caveat for this set is based on my experience with the recipient of the set I purchased, my young nephew. He is slightly younger than the suggested minimum of six years old, but has very readily grasped the idea behind building LEGO models from their instruction sheets, and loves robots of all kinds! He found it hard to grasp that his beloved new robots had to be taken to pieces after he built them so carefully, and also had difficulty accepting that he might not be able to re-build the robot with the correct parts. I think that older children would be able to understand this aspect of co-operative gameplay automatically, but it is a point to note if buying this for younger children. 
Also, the next time he plays, he will not have just built the new robots, so will be less apprehensive about their impending destruction.<br /><br /><div class="box"><div class="book"><div class="book-cover"><a href="http://bit.ly/aMQnlR"><img style="border: 1px solid white;" border="0" src="http://ecx.images-amazon.com/images/I/51QMVRoYkgL._SY200_.jpg" title="LEGO Games 3835 Robo Champ" width="162" height="200" /></a></div><div class="book-details"><strong>Title</strong> / Robo Champ</div><br /><div class="book-details"><strong>Manufacturer</strong> / <a href="http://shop.lego.com/Product/?p=3835">LEGO</a></div><br /><div class="book-details"><strong>Price</strong> / GBP 6.45 / EUR 8.98 / USD 19.45</div><br /><div class="book-details"><strong>Pieces</strong> / 118</div><br /><div class="book-details"><strong>Code</strong> / 3835-1</div><br /><div class="book-details"><strong>Released</strong> / 2009</div><br /><div class="book-details">An excellent, fun game for children and adults alike, with the added bonus of a collection of amusing robot models.</div><br /></div><br style="clear: both;" /><br /><div class="rating"><span class="five stars"></span></div><em>Five out of five cats preferred <strong>Robo Champ</strong></em></div><br /><br />There are several other LEGO game sets which intrigue me, such as <a href="http://shop.lego.com/Product/?p=3844">Creationary</a> and <a href="http://shop.lego.com/Product/?p=3842">Lunar Command</a>. I think this is a great idea from LEGO, and hope they continue the theme. 
Sadly, some sets, like the <a href="http://shop.lego.com/Product/?p=g678">Knight's Kingdom Chess Set</a>, are no longer available, but I think a quick look on <a href="http://toys.shop.ebay.co.uk/Toys-Games-/220/i.html?_nkw=lego+chess&_catref=1&_fln=1">eBay</a> would probably net a copy.<br /><br /><em><a href="http://www.lego.com/eng/info/fairplay.asp">LEGO®</a> is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this site.</em><br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/lego" rel="tag">lego</a>,<a href="http://www.technorati.com/tag/games" rel="tag">games</a>,<a href="http://www.technorati.com/tag/robots" rel="tag">robots</a>,<a href="http://www.technorati.com/tag/review" rel="tag">review</a>,<a href="http://www.technorati.com/tag/presents" rel="tag">presents</a></div></span>
<h2>Brain Overflow</h2><p><em>grkvlt, 2010-02-04</em></p>I'm a great fan of <a href="http://stackoverflow.com/">Stack Overflow</a>, which is a collaborative <em>expert-sexchange</em> style site that actually has useful <em>answers</em> to your questions. The site allows anyone to ask software development questions, and registered users can answer them, and also vote on other people's answers, giving a <a href="http://en.wikipedia.org/wiki/Crowdsourcing">consensus opinion</a> that is surprisingly accurate. The site itself has some nice features, with heavy use of AJAX for dynamic forms and open interfaces for <a href="http://www.gravatar.com/">avatar</a>s and <a href="http://openid.net/">authentication</a>. The site also functions as a wiki and hosts <a href="http://meta.stackoverflow.com/">meta-discussion</a> about itself. 
And, if you want to do something clever with a host of questions, answers, ratings and wiki articles, the <a href="http://blog.stackoverflow.com/category/cc-wiki-dump/">data</a> is available as a <a href="http://www.legaltorrents.com/get/991-feb-10.torrent">torrent</a> to download.<br /><br />Anyway, <a href="http://www.joelonsoftware.com/">the</a> <a href="http://www.codinghorror.com/blog/">creators</a> have spun off the software behind it as a stand-alone product for community question-and-answer sites as <a href="http://stackexchange.com/">StackExchange</a>. They sell consultancy and services as well as hosted versions of the software as white-label sites, and give away free access for non-commercial usage. It's a nice <a href="http://www.readwriteweb.com/archives/stack_overflow_hits_3m_uniques.php">business model</a> which I'd love to copy with my own software... <br /><br /><div class="image"><a href="http://bit.ly/2Bmj3Z"><img src="http://bit.ly/bFwOdE" width="160" height="120" border="0" /></a></div> While looking at some of these associated sites, I discovered <a href="http://mathoverflow.net/">Math Overflow</a>, which makes Andrew feel stupid... This is chock full of people asking about <a href="http://mathoverflow.net/questions/13995/nontrivial-isomorphisms-of-categories">non-trivial isomorphisms</a>, homologous cauchy integral groups over non-integral fields, and getting intelligent answers! Of course, there's also lots of homework questions, and potentially <a href="http://mathoverflow.net/questions/14083/riemann-hypothesis">unanswerable</a> stuff in there too. 
I really like some of the philosophical discussions that pop up, as well as the more basic questions which are good at reminding me how much of my education I've forgotten due to alcohol and time...<br /><br />The whole point of this post is that I found this <a href="http://bit.ly/2Bmj3Z">amazing video</a>, which is a sphere being turned inside-out in the most awesome way possible, with a little help from <a href="http://www.pixar.com/">Pixar</a> and the University of Minnesota. The frame shown above is just part of the transformation, which is very clearly explained. The whole video is just over 20 minutes long, and I suggest you watch it all the way through, as it's pretty cool (and probably expensive, counting the number of grants that funded it...) animation for 1994.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/maths" rel="tag">maths</a>,<a href="http://www.technorati.com/tag/questions" rel="tag">questions</a>,<a href="http://www.technorati.com/tag/answers" rel="tag">answers</a>,<a href="http://www.technorati.com/tag/software" rel="tag">software</a>,<a href="http://www.technorati.com/tag/animation" rel="tag">animation</a></div>
<h2>Working Standards</h2><p><em>grkvlt, 2009-04-18</em></p>well, i've now been working at yell adworks for almost three months, and i'm really enjoying it so far. after spending (probably too much) time on design, we have got started on development of a workflow engine system. 
i'm using spring, hibernate, mule, cxf, jbpm and other interesting technologies, some of which i'm still learning about (mule and associated esb technologies) or, in the case of spring, updating myself on - until now the most recent version of spring i had used was 2.0.9 and we are using 2.5.6, with attendant annotation based goodness and so on.<br /><br /><span class="full-post">one of the only problems so far is the continuous integration system, which is set up with a very strict set of <a href="http://checkstyle.sourceforge.net/">checkstyle</a> and <a href="http://pmd.sourceforge.net/">PMD</a> rules for code quality. i'm all in favour of managing code quality as an automated process and continuous integration with these tools is a <em>Good Thing</em>, but i keep falling foul of some of the rules, in particular the checks for multiple return statements in one method, to enforce <a href="http://c2.com/cgi/wiki?SingleFunctionExitPoint">single exit points</a>. i believe writing methods with <a href="http://c2.com/cgi-bin/wiki?GuardClause">guard clauses</a> up front is the most readable and elegant way of expressing certain types of logic, and apparently martin fowler agrees (see his <a href="http://www.amazon.co.uk/Refactoring-Improving-Design-Existing-Technology/dp/0201485672">refactoring</a> book) with me. the following discussion on <a href="http://stackoverflow.com/questions/36707/should-a-function-have-only-one-return-statement/48630">stackoverflow</a> is relevant, too. 
also, there are strict rules on long variable names, which keep me from naming things like <tt>constraintDefinition</tt> or <tt>workflowInstance</tt> although i do agree with the restriction on short (less than four characters) names.<br /><br />i'm (<em>really</em>) going to try and make more of an effort to keep this blog updated more frequently, since it's over a year since i last posted ;)<br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/development" rel="tag">development</a>,<a href="http://www.technorati.com/tag/personal" rel="tag">personal</a>,<a href="http://www.technorati.com/tag/checkstyle" rel="tag">checkstyle</a>,<a href="http://www.technorati.com/tag/standards" rel="tag">standards</a>,<a href="http://www.technorati.com/tag/java" rel="tag">java</a></div></span>
<h2>greenock central</h2><p><em>grkvlt, 2008-03-16</em></p><div class="image"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGvitmOND_GSGqmO44TcAWEt714G_a0XHLBz47hO5mbqUddyQdJFSajJEBbxjgpa2m-9uTqN0RyKzKJkAADXoObxQKljx0VT3T1kJeznyQtTDfznqpUGkT0Zf3zfvfsT5KNe9V/s1600-h/image-upload-30-701306.jpe"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGvitmOND_GSGqmO44TcAWEt714G_a0XHLBz47hO5mbqUddyQdJFSajJEBbxjgpa2m-9uTqN0RyKzKJkAADXoObxQKljx0VT3T1kJeznyQtTDfznqpUGkT0Zf3zfvfsT5KNe9V/s320/image-upload-30-701306.jpe"/></a></div><br clear="all" /> sunset over greenock central station taken with panorama setting by stitching three landscape frames together using a sony ericsson camera phone.
<h2>images from outer space...</h2><p><em>grkvlt, 2008-02-29</em></p><div class="image"><img 
src="http://upload.wikimedia.org/wikipedia/commons/2/23/7166_Kennedy_Animation.gif" border="0" /></div>I recently managed to obtain some images of the asteroid <strong>(7166) Kennedy</strong>, which is named after my father, Malcolm Kennedy. The discoverer Ted Bowell, and his colleague Bruce Koehn, sent me a set of four images from their frame archive. The Lowell Observatory Near-Earth Object Search (LONEOS), which is funded by NASA, looks for objects that may present a hazard to the planet, such as asteroids with orbits that are close to or intersect earth's. As far as I know, we are in no danger from Kennedy, which is comforting.<br /><br />I uploaded the images from Bruce to a <a href="http://www.flickr.com/photos/grkvlt/sets/72157604009500794/">Flickr set</a>, and tagged them with a note indicating the asteroid's location, since it's very faint (magnitude 16.6 in these images). Also, to see more details, including the IAU discovery details and citation, as well as confusing orbital ephemeris and data, I have updated the <a href="http://en.wikipedia.org/wiki/7166_Kennedy">Wikipedia article</a>. This contains the image you can see here, which is a composite of the LONEOS frames, saved as an animated GIF to show the motion across the fixed stellar background. 
I really can't explain how much I appreciate the fact that Ted named this object after Malcolm, so I'd like to publicly thank him anyway.<br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/astronomy" rel="tag">astronomy</a>, <a href="http://www.technorati.com/tag/asteroid" rel="tag">asteroid</a>, <a href="http://www.technorati.com/tag/LONEOS" rel="tag">LONEOS</a>, <a href="http://www.technorati.com/tag/personal" rel="tag">personal</a></div>
<h2>coming home present</h2><p><em>grkvlt, 2007-10-02</em></p><div class="image"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3lEoUOwr61ypS6k83obd4kgIcOdOLQS7Z5gQY-odeuS9azonxo7yPWfLUBxAoep6BGEthr20OZNT4SQHYyg16sUIevnxjxiMiyxuUN0YsmuX_AxR3e2UzklHmtXCOa3GwsvCIHg/s1600-h/image-upload-11-769629.jpe"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3lEoUOwr61ypS6k83obd4kgIcOdOLQS7Z5gQY-odeuS9azonxo7yPWfLUBxAoep6BGEthr20OZNT4SQHYyg16sUIevnxjxiMiyxuUN0YsmuX_AxR3e2UzklHmtXCOa3GwsvCIHg/s320/image-upload-11-769629.jpe"/></a></div><br clear="all" /> the problem is, of course, whether to be happy that biggles likes me enough to give me his dead mice, *OR* to be worried that there is (was) a mouse (or mice) in my flat... maybe it's time to board up the hole in the bathroom wall before it gets colder?
<h2>seeing music, hearing pictures</h2><p><em>grkvlt, 2007-10-02</em></p>i just have to post a link to this site. 
it's called <a href="http://www.musanim.com/index.html">the music animation machine</a> and consists of videos of classical pieces being performed, with a piano-roll type animation showing the notes as they play, with different colours for separate voices and highlights for the current tone, almost like a strange karaoke machine. you can buy them on dvd or just watch some samples on youtube. apparently <a href="http://en.wikipedia.org/wiki/Edward_Tufte">edward tufte</a> is a big fan, and uses the system as an <a href="http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=00005y">example in his lectures</a>, to show how information can be easily assimilated if it is in the right format.<br /><br /><div class="image"><img src="http://www.musanim.com/indulci.gif" title="the music animation machine" border="0" /></div><br clear="all" /><br /><br />the best ones i have seen are <a href="http://www.youtube.com/v/ipzR9bhei_o&rel=1" target="_blank">Johann Sebastian Bach, Toccata and Fugue in D Minor</a>, <a href="http://www.youtube.com/v/oP6URbitYOg&rel=1" target="_blank">Frederic Chopin, Etude, opus 10 #7</a> and <a href="http://www.youtube.com/v/o1ZCH7gr4dI&rel=1" target="_blank">Franz Liszt, Feux Follets</a>. 
i think they look like some sort of bizarre 2D <a href="http://mathworld.wolfram.com/CellularAutomaton.html">cellular automata</a> evolving with the music<br /><br />enjoy!<br /><br />(<em>see also the IBM <a href="http://www.philipglass.com/glassengine/#">glass engine</a>, infinity edition - a java applet for exploring <a href="http://en.wikipedia.org/wiki/Philip_Glass">philip glass</a>'s musical works.</em>)<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/music" rel="tag">music</a>,<a href="http://www.technorati.com/tag/visualization" rel="tag">visualization</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com1tag:blogger.com,1999:blog-22530044.post-5793073615692857182007-10-02T01:24:00.007+01:002010-02-03T06:22:15.224+00:00bandwidth gadgetsok, i better post something since otherwise it'd be a full year (well, in a fortnight it would...) between posts. and, of course, fifty weeks is a perfectly reasonable gap instead.<br /><br />the other reason for posting is that i finally got myself an interweb thing and my email and web-browser suddenly started working again! but no ADSL (no land line, rented property) or cable (not in my postcode, anyway) for me. instead, i now have a vodafone 3G data card in my laptop. it goes in the expresscard slot (although it does come with an adapter for PC card slots) so it looks nice and tidy, as opposed to the alternative white brick on the end of a USB cable i was offered. 
it does cost GBP 50.00 for the internal card, and the USB dongle is free, but there's no competition when you see them, and what else am i going to put in that slot anyway?<br /><br /><div class="image"><img title="vodafone 3g expresscard modem" src="http://farm3.static.flickr.com/2215/2200707909_a98d0f2088.jpg" width="131" height="232" border="0" /> <img title="sony ericsson w880i phone" src="http://farm1.static.flickr.com/183/381668673_8ca744263b.jpg" width="149" height="232" border="0" /></div> i also grabbed a new mobile phone, too - the <a href="http://www.sonyericsson.com/cws/products/mobilephones/overview/w880i">sony ericsson W880i</a> walkman phone. beautiful shiny steel case, really thin, candy-bar phone, plus it's 3G. the walkman features are pretty cool, and since it came with a 1Gb M2 data card and <em>proper</em> sony in-ear headphones (i.e. the ones with changeable rubber seals that stop noise escaping and irritating other people...) i might even start using it instead of my ipod. to complete my sony collection, i'm just holding out for the MBW-150 bluetooth watch, supposedly shipping in october...<br /><br />it's still the 3g data card that amazes me, though. i remember my first GSM modem card (in an apple newton, actually, connected to a motorola star-tac) which gave me 19.2Kbps with compression, if i was lucky. this card gives me 7.2Mbps (peak, confirmed) or 1.4 Mega-<em>bytes</em> per second. boggle.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/mobile" rel="tag">mobile</a>,<a href="http://www.technorati.com/tag/phone" rel="tag">phone</a>,<a href="http://www.technorati.com/tag/gadgets" rel="tag">gadgets</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1160428172784436772006-10-09T21:45:00.001+01:002009-04-18T12:07:00.993+01:00the tesco value experimentalthough i've been paid now, i had to spend over a month (nearly two...) 
waiting on my first cheque (actually, BACS) during which time i had to economise. there happens to be a large, 24-hour tesco near the halls of residence i stay in, and since they claim that <em>every little helps</em>, i decided to shop there. my problem - how to make no money (or very close to none) last a week and provide me with food? the answer - <strong>tesco <em>value</em> food</strong>!<br /><br /><span class="full-post"><div class="image"><img src="http://www.tesco.com/pi/xpi/2/5010204862132_200.jpg" title="chicken noodles @ 8p" alt="chicken noodles @ 8p" width="150" height="150" /><img src="http://www.tesco.com/pi/xpi/2/5000436787402_200.jpg" title="four teacakes @ 27p" alt="four teacakes @ 27p" width="150" height="150" /><img src="http://www.tesco.com/pi/xpi/8/5018374320148_200.jpg" title="baked beans @ 17p" alt="baked beans @ 17p" width="150" height="150" /><br /><img src="http://www.tesco.com/pi/xpi/1/5050179246841_200.jpg" title="36 wheat biscuits @ 64p" alt="36 wheat biscuits @ 64p" width="150" height="150" /><img src="http://www.tesco.com/pi/xpi/4/5010204838274_200.jpg" title="golden savoury rice meal @ 25p" alt="golden savoury rice meal @ 25p" width="150" height="150" /><img src="http://www.tesco.com/pi/xpi/0/5010204450490_200.jpg" title="plain chocolate digestives @ 34p" alt="plain chocolate digestives @ 34p" width="150" height="150" /></div><br clear="all" /><br /><br />and, there's more where they come from. since they all cost so little, my expectations were naturally low, and i can fairly say they were met, and possibly even exceeded. in particular, those teacakes are an amazing purchase and last for ages without going stale, as are the digestives. even the savoury rice and tomato pasta meals (not pictured) which are bags of rice/pasta with powdered sauce that require boiling in water/milk for 5-10 minutes to cook are not overly dreadful. 
now, i know people are going to say why didn't i get vegetables and meat and so on - <em>ingredients</em> basically! and make my own meals? well, i'm pretty lazy, and also, i still think the 'value way' is cheaper.<br /><br />another thing i noticed is that the value brand now extends way past food. you can buy value pens, pencils and paper, cameras, telephones, crockery, shampoo, irons, microwaves - i could go on... my experiment has thankfully ended, but i am convinced that although man may not live on bread alone, he <em>could</em> do it with tesco's value range, even on the dole...<br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/tesco" rel="tag">tesco</a>,<a href="http://www.technorati.com/tag/value" rel="tag">value</a>,<a href="http://www.technorati.com/tag/food" rel="tag">food</a>,<a href="http://www.technorati.com/tag/shopping" rel="tag">shopping</a>,<a href="http://www.technorati.com/tag/money" rel="tag">money</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com2tag:blogger.com,1999:blog-22530044.post-1157903319499460792006-09-10T13:46:00.000+01:002006-09-10T16:48:39.620+01:00regarding web two point zero i've been looking at new additions to google and amazon that seem to be pushing the web 2.0 model of user supplied and managed content. firstly, there's <a href="http://base.google.com/">google base</a> which is a new database of user supplied and annotated content that is indexed, searched and published by google. if you have a google services account, you can easily add items, either singly or in bulk using XML to submit them all. there are a bunch of pre-defined item types or categories, such as Blogs, Jobs, Podcasts, Reviews, Recipes, Products or Reference articles each with their own set of default attributes/meta-data.<br /><br /><span class="full-post">you can also post items in your own categories, and add arbitrary new attributes. 
attributes are just name/value pairs, where the value is either a plain text string or one of several pre-defined types like numbers, date (range), URLs or locations (for google maps). these are displayed at the top of an item's display page. additionally you can add up to ten labels, which are similar to tags or keywords. these labels are used to group items, and for browsing, similarly to categories except that you may have membership of multiple label classes but only one category.<br /><br />although i like the idea of submitting your own content to be hosted by google, with tags and semantic info for indexing, it appears that most of the information in the base is auto submitted from other sites, as a link to the item page and some meta-data. unfortunately, for items like books, cds and dvds or other physical objects, there are many online retailers selling them. it means that there are <em>many</em> copies of the information (meta data) on an item, sometimes conflicting, and no way of determining the <em>definitive</em> item's identity. this is a shame, because a database like this would be a good basis for some of the <a href="http://en.wikipedia.org/wiki/Semantic_Web">semantic</a> <a href="http://www.w3.org/2001/sw/">web</a> projects.<br /><br />i'm not sure how google will <em>rank</em> the information though, since people can obviously submit anything - the wikipedia problem, basically, which <em>they</em> seem to have solved, admittedly. also, there aren't really any links to or from the google hosted content (yet) and this makes it hard to calculate a pagerank equivalent. interestingly, you can see recent searches on the base front page, which can be odd! but, they could use some of the search data to determine which items people looked at most and have this as part of the ranking data.<br /><br />there <em>are</em> also vocabularies to describe links and relationships. 
for instance <a href="http://vocab.org/frbr/core">functional requirements for bibliographic records</a> (FRBR) is a vocabulary that describes the relationships between works, such as <em>parodyOf</em>, <em>excerptFrom</em>, <em>originalWork</em>, <em>reviewOf</em> and so on. sites like <a href="http://www.imdb.com/">IMDb</a> provide a unique namespace for referencing movies, which can each be entered into base with the relevant meta data. then, any reviews, parodies or whatever can be easily linked to the unique identity of the original work.<br /><br />i have submitted a copy of my mind performance hacks review, as one of <a href="http://base.google.com/base/search?authorid=1437851">my items</a> to see how the data entry works, as well as data for my weblog. as mentioned previously, there aren't many google hosted items at the moment, although the <a href="http://base.google.com/base/search?a_n0=people+profiles&a_y0=9&hl=en&gl=US">people profiles</a> category is, and has some special search settings. this part works like a personal ad database, really, although it could eventually evolve into a directory for identity information, like a white pages. <br /><br />the second user generated content system is on <a href="http://www.amazon.com/">amazon</a>, namely their addition of <a href="http://wiki.org/wiki.cgi?WhatIsWiki">wiki</a>-pages to all book information, called <a href="http://www.amazon.com/gp/wiki/what-is-this/103-6731623-5173411"><em>ProductWiki</em></a> (product information from our customers). this allows any customer to contribute relevant information as freeform text and links, not necessarily in the form of a product review. for instance, links to source code download sites for technical books or to online discussion forums about the characters for fiction. at the moment, uptake seems slow for this feature, but since the wikis allow cross-referencing between books easily, this could grow into a hypertext literary database. 
i have edited and created content on the <a href="http://en.wikipedia.org/wiki/Wikipedia">wikipedia</a> encyclopaedia site, as well as friend's private wikis, and used them at work for recording information like network configurations that is often dynamic, and i really like the concept. hopefully user contributions will make amazon's wiki a useful resource eventually.<br /><br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/semantic%20web" rel="tag">semantic web</a>,<a href="http://www.technorati.com/tag/google" rel="tag">google</a>,<a href="http://www.technorati.com/tag/content" rel="tag">content</a>,<a href="http://www.technorati.com/tag/wiki" rel="tag">wiki</a>,<a href="http://www.technorati.com/tag/google%20base" rel="tag">google base</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1157864916970695182006-09-10T04:28:00.000+01:002006-09-10T11:55:16.976+01:00restartwell, it seems like i'm working again! this time, though, i'm a java developer, which is a new experience as a full-time role. i mean, i've done development work as <em>part</em> of other jobs, and i've worked on development projects on a freelance basis from home (see earlier posts...) just never in an office, nine-to-five, with other developers. so, i'm getting on ok, although i've still not been paid, due to the vagaries of contract work and umbrella company/agency interaction, which is a pain. 
it's good to have a 'proper' job though, and i feel much more motivated than a few months ago, when i became disillusioned by internet-based freelance development contracting...<br /><br /><span class="full-post">i'm living in <a href="http://maps.google.com/maps?f=q&hl=en&q=greenock,+uk&ie=UTF8&z=14&om=1&iwloc=A" rel="map">greenock</a>, outside <a href="http://maps.google.com/maps?f=q&hl=en&q=glasgow,+uk&ie=UTF8&om=1&z=11&ll=55.86568,-4.257202&spn=0.272407,0.86586&iwloc=A" rel="map">glasgow</a>, which is also different for me. i actually happen to be staying in halls of residence at the moment, since greenock isn't exactly a top tourist destination, and they seem to be the only form of temporary accommodation available. the students arrived two weeks ago now, so i'm surrounded by people half my age who seem to spend all their time drinking and smoking pot, stereotypes and cliches be damned! i hope i'll be moving into a proper flat soon, since my contract has several months to run yet.<br /><br />a nice thing about my current digs is the view - i can look out onto and across the clyde, and the deep-water channel along which diverse ships steam most days. there is a container terminal slightly further down-river where cruise liners and container cargo vessels both dock; the occasional royal navy frigate or somesuch from <a href="http://www.royal-navy.mod.uk/server/show/nav.3157">HM naval base faslane</a> is often visible (no submarines spotted yet); tugs and other workboats from <a href="http://www.clyde-marine.co.uk/">clyde marine</a> can be seen assisting larger boats; and the paddle steamer <a href="http://www.waverleyexcursions.co.uk/waverley.htm">waverley</a> stops regularly on her pleasure trips to rothesay and points west. 
i've been quite enjoying my forays into ship-spotting out of the window, particularly since there's not much else to do!<br /><br />once i have a more permanent base, i think i'll start to feel more at home, since the halls are rather basic and uninviting. there's nothing worse than not wanting to go home at night, when home is a tiny room with a single bed and a desk, where i can't even smoke. that ought to change, like i said, in a week or so, when i move out. so, here's to working again, and getting myself sorted out with a flat and a kitten here on the west of scotland...<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/work" rel="tag">work</a>,<a href="http://www.technorati.com/tag/development" rel="tag">development</a>,<a href="http://www.technorati.com/tag/java" rel="tag">java</a>,<a href="http://www.technorati.com/tag/location" rel="tag">location</a>,<a href="http://www.technorati.com/tag/personal" rel="tag">personal</a>,<a href="http://www.technorati.com/tag/ships" rel="tag">ships</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com3tag:blogger.com,1999:blog-22530044.post-1143349455358273962006-03-26T05:54:00.002+01:002010-02-13T03:44:16.957+00:00mind hacking this is a review of two o'reilly books from their <em>hacks</em> series which are both basically about the same thing, although the subject is approached in two different ways. they are '<em><a href="http://www.amazon.co.uk/exec/obidos/ASIN/0596007795/consonants-21?creative=6394&camp=1406&adid=14D3Q241X3RCT4Y3MGWS&link_code=as1">mind hacks</a></em>' and '<em><a href="http://www.amazon.co.uk/exec/obidos/ASIN/0596101538/consonants-21?creative=6394&camp=1406&adid=1NF5ZVW2D13JPCJ1TQD6&link_code=as1">mind performance hacks</a></em>', the former published back in early 2005 and the other just last month, in february 2006.<br /><br />the books have very similar titles and are difficult to judge by their covers alone. 
in fact, MH ('<em>mind hacks</em>') is not a typical <em>hacks</em> book at all. instead of being filled with useful tricks and ideas to improve and enhance the way you work with your mind, it is more of a description of the hacks that are employed by your brain and your mind to make <em>you</em> work. it gives an introduction to the neural machinery behind your mind, with lots of facts and details about cognitive- and neuroscience. it uses these to explain perception, thinking, cognition, optical illusions and other aspects and artifacts of consciousness. this is in essence a hardware manual, showing why and how your mind does what it does, without explaining how to do any of it better.<br /><br />MPH ('<em>mind performance hacks</em>' - i will refer to the books by their abbreviated titles in the rest of this review) on the other hand is a software users guide. it gives many tricks, or what you would recognize as <em>hacks</em> that you can use to accomplish mental tasks quicker, better and more efficiently. it covers memorization, computation or calculation, organization, creativity, communication and general efficiency. these are all presented in a very practical way, with examples illustrating situations where the hacks can be used with complete instructions for you to follow. they are not rote copying tasks, though, but mostly conceptual tools that should become part of an overall mental toolbox to be used whenever you need to think quickly and efficiently.<br /><br />both books score well on references and citations for further reading, giving you pointers to all the material you will need to study each concept in much more detail - scientific papers, journal and newspaper or magazine articles, books and websites. there are also excellent websites associated with the books, written by their authors, a <a href="http://www.mindhacks.com">mind hacks</a> blog and the <a href="http://www.ludism.org/mentat/MindPerformanceHacks">mentat wiki</a> for MPH. 
as o'reilly books, they both have excellent indexes, and there are also some good sample hacks available as pdf downloads from the <a href="http://www.oreilly.com/catalog/">publisher</a>.<br /><br /><span class="full-post">i suspect that many people will have bought the first book hoping that the contents are similar to those of the second, and at the time the second book did not exist, making MH the best book available. however, now that MPH is available it occupies the space that most readers would associate with a <em>hacks</em> series book dealing with the mind in a practical sense, and the title is certainly relevant since all the hacks are about increasing your mental performance, or overclocking your brain.<br /><br />MH covers a lot of ground, and is a useful jumping-off point for people who want to learn how their mind and brain work. it starts off with a description of the brain, and the methods used by neuroscientists to explore and map the physical structure and activity, such as MRI and PET scanning and EEG readers. there are sections on each of the senses, showing how we perceive things and how we can be tricked by simple illusions. many of the hacks are actually tricks or demonstrations that show off these mechanisms, and can usually be performed while reading the book. they are, however, solely intended to illustrate these points, and most cannot be used for anything else, except to prove that your brain works in the same way as everyone else's!<br /><br />i did find that i could just dip into the book at random and find something interesting to read, and because it is very well researched, i could always lose myself for hours following up the references and end-notes given for each hack. i definitely enjoyed reading this, and it will appeal to anyone who is interested in or thinking about studying cognitive science, psychology or neuroscience, although it will not turn you into a brain surgeon overnight. 
i don't think MH really fits into the hacks series, but does make a good and easy to read reference book for the casual reader.<br /><br /><div class="box"><div class="book"><div class="book-cover"><a href="http://www.amazon.co.uk/exec/obidos/ASIN/0596007795/consonants-21?creative=6394&camp=1406&adid=14D3Q241X3RCT4Y3MGWS&link_code=as1"><img style="border: 1px solid white;" border="0" title="mind hacks" src="http://rcm-images.amazon.com/images/P/0596007795.02._SY200_.jpg" title="mind hacks" /></a></div><div class="book-details"><strong>title</strong> / mind hacks</div><br /><div class="book-details"><strong>author</strong> / tom stafford and matt webb</div><br /><div class="book-details"><strong>price</strong> / gbp 17.50 / eur 22.00 / usd 24.95</div><br /><div class="book-details"><strong>pages</strong> / 394</div><br /><div class="book-details"><strong>isbn</strong> / 0-596-00779-5</div><br /><div class="book-details"><strong>published</strong> / november 2004</div><br /><div class="book-details">an excellent introductory reference to cognitive science and the mind, masquerading as a book of practical tips and tools.</div><br /></div><br style="clear: both;" /><br /><div class="rating"><span class="three stars"></span></div><em>three out of five cats preferred <strong>mind hacks</strong></em></div><br /> <br />MPH, on the other hand, definitely fits the mould. it is an entirely practical text, and is still easy to dip into. if you want to try and get the most out of your brain, and become a better thinker, this will help you. you won't be able to absorb many of the hacks at first reading, since a lot of them require memorisation or rote learning of techniques, or repeated practice until you can get them just right. i found that it helped to skim through the book, reading the hacks that looked interesting, and noting down those that seemed useful. 
the book recommends creating a 'mental toolkit' and you should bear this in mind, thinking about where you need to strengthen yourself mentally, and focus on the topics that relate to those areas. once you have noted down the hacks that you want to try and implement, you can then go back over them and read them carefully, one at a time, looking up the end-notes and references.<br /><br />to get the full benefit of the book will, i think, require a long time, possibly several months, since the hacks often require you to commit to a certain way of doing something that you will need to dedicate time to practice each day. i think of it as a mental exercise program, with the long-term goal of getting mentally fit. this means drawing up a schedule of exercises and routines to go through on a daily or weekly basis, much the same as physical exercise. certainly, there are some hacks that can be understood instantly, with immediate effect, but most are long-term habit and routine changing, and will require (and repay) dedication and perseverance.<br /><br />MPH is split into several sections: memory, information processing, creativity, maths, decision making, communication, clarity and mental fitness. each of these focusses on a single area, but often gives several different methods for each type of task. different people work best in different ways, and this allows you to choose the hack that best suits your type of personality and use it to its full effectiveness, and there is usually guidance on deciding between these multiple choices if you are unsure.<br /><br />the topics i am most interested in and will be trying to implement are the memory and mnemonics, shorthand writing, techniques for recording ideas and information, creativity tools and mental fitness and clarity techniques. 
i will go over these briefly, but the first section of the book is illustrative of the style and content as a whole, and is a good example to go over in detail.<br /><br />this section contains twelve hacks related to memory. the first is one that i was aware of already - the <em>rhyming method</em> for remembering ten things to take with you when leaving your house. this involves a rhyming list of words relating to the numbers one to ten. each word is then associated with a vivid picture to remind you of an object. you can then go through the ten rhymes easily, bringing the pictures into your head and thus remembering the items. for example <em>one</em> rhymes with <em>gun</em> and i picture firing a gun-toting cowboy with an enormous, oversized stetson hat, thus reminding me to pick up my own hat. this system is only really extensible to ten, and maybe a few more, items. the system i am currently trying to learn for larger lists is the <em>hotel dominic</em> system. this allows ten thousand pieces of information to be stored and recalled instantly. the details are complex, but the operation of the system is simple, and i hope it will be able to supplement my usually pretty flaky memory.<br /><br />another technique that i am trying to work into my everyday routine is hack number fourteen - <em>write faster with speedwords</em> which is an alternative to shorthand systems like pitman. traditional shorthand has the drawback of using special symbols and cannot be entered into a computer or pda. this system uses only lowercase letters, and is standardized so cannot be misinterpreted like txt abbrv style writing. there is a list of single, two and three letter combinations, along with the words they represent which must be learned, and then they can be used in place of the full spelling. the abbreviations have mnemonic-style notes to aid memorization, often based on another language or a homophone. 
a useful extension of this hack would be to use the features of some text editors and word processors that allow expansion of arbitrary strings into full words and phrases, greatly speeding up typing.<br /><br />the sections on creativity and clarity contain many hacks that seem rather 'fluffy' at first glance, however changing the way you think about something and deliberately doing things according to some plan that seems unnatural to you is often a good way to stimulate your mind, and get you thinking along paths that would not otherwise be available. there are a lot of well respected ideas presented, including brian eno's <em>oblique strategies</em> and edward de bono's <em>po</em> which have helped many people generate brilliant ideas. i would encourage trying these hacks out, even if they seem silly, since you will never know if they are helpful until you put in the effort and try. something that i have problems with is stage fright, and hack fifty four gives some interesting ideas on how to use this to your own advantage, which i will try to remember for the next time i have to speak in public. <br /><br />the last section on mental fitness is a good example of the routine-changing advice given in the book. it suggests many ways of keeping your mind active and healthy, from the obvious, such as playing board games, to the less obvious (eating and sleeping properly) and also explains the <em>mental toolbox</em> concept, which is one of the central themes. the previous chapter, on clarity also contains some intriguing ideas. hack sixty suggests <em>meditation</em> as a way to clear and focus the mind, which i have never really tried before, but would like to learn more about. also, hack sixty one talks about <em>self hypnosis</em> which i am skeptical of, but will also investigate.<br /><br />one thing about MPH that will particularly appeal to hackers is the code snippets provided. 
the book contains several short perl programs to illustrate or implement the hacks. these are usually for generating randomness, but there are some innovative programs and the source is freely downloadable from the publisher. there are also pointers to applications (commercial, free and shareware) that can augment some of the hacks, although they are never necessary to use the book. the software is biased towards macintosh os x, however the scripts should work on any operating system that has a perl interpreter.<br /><br />overall, MPH is an excellent resource, particularly if you feel you might be stagnating mentally, or are suffering from lack of mental stimulation after finishing university or leaving an interesting job. if you put in the time and effort to develop your mental toolkit, MPH will help you keep it up to date and working. i don't recommend all of the hacks to everyone (for instance, not all readers will have the time or patience to learn esperanto!) but picking and choosing what hacks seem right for you, and starting off with something achievable should produce obvious results. 
treat the book as a do it yourself guidebook combined with an exercise program and you will get the most out of it.<br /><br /><div class="box"><div class="book"><div class="book-cover"><a href="http://www.amazon.co.uk/exec/obidos/ASIN/0596101538/consonants-21?creative=6394&camp=1406&adid=1NF5ZVW2D13JPCJ1TQD6&link_code=as1"><img style="border: 1px solid white;" border="0" title="mind performance hacks" src="http://rcm-images.amazon.com/images/P/0596101538.02._SY200_.jpg" title="mind performance hacks" /></a></div><div class="book-details"><strong>title</strong> / mind performance hacks</div><br /><div class="book-details"><strong>author</strong> / ron hale-evans</div><br /><div class="book-details"><strong>price</strong> / gbp 17.50 / eur 22.00 / usd 24.99</div><br /><div class="book-details"><strong>pages</strong> / 330</div><br /><div class="book-details"><strong>isbn</strong> / 0-596-10153-8</div><br /><div class="book-details"><strong>published</strong> / february 2006</div><br /><div class="book-details">a great selection of mind expanding tips and tricks that should be an essential part of your mental toolkit.</div><br /></div><br style="clear: both;" /><br /><div class="rating"><span class="five stars"></span></div><em>five out of five cats preferred <strong>mind performance hacks</strong></em></div><br /><br /><strong>note</strong> - <em>i will be writing more about my experiences implementing the techniques from MPH above, and explaining which hacks i found useful, in a few months, by which time the techniques i described above should be completely natural to me.</em><br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/books" rel="tag">books</a>, <a href="http://www.technorati.com/tag/review" rel="tag">review</a>, <a href="http://www.technorati.com/tag/mind" rel="tag">mind</a>, <a href="http://www.technorati.com/tag/hacks" rel="tag">hacks</a>, <a href="http://www.technorati.com/tag/brain" 
rel="tag">brain</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1143072149158990672006-03-22T23:32:00.000+00:002006-03-29T22:24:01.806+01:00shell idiomthis is a little bit of unix shell technique that i haven't seen mentioned much. there are some really good lists of <a href="http://sial.org/howto/perl/one-liner/">perl one-liners</a> floating around, but there's also a lot you can do in the shell alone. this particular command is used to solve the common problem of finding all files containing a particular regular expression, and displaying them, along with the matching lines.<br /><br />it uses <em>find</em> to get a list of files that match some criteria and then looks for the regular expression using <em>grep</em>. the intuitive solution, piping the file contents, or passing the file as an argument, to <code>grep <i>regexp</i></code> won't work, because grep just outputs the matching lines, and we won't know which file they came from.<br /><br />one solution would be to use <em>xargs</em>, which accepts parameters on stdin and executes a command with each line of input as an argument. this will run into shell command length limitations, although xargs is a handy tool for many tasks. 
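as an added example (not code from the original post), here is the <em>find</em>/<em>grep</em>/<em>/dev/null</em> form that the post recommends next, run as a POSIX sh script against a scratch directory of constructed files, next to the bare form that loses the file names and a <code>grep -l</code> variant that lists only the matching files. the file names and contents are made up for the demonstration; nothing here comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post: shows the /dev/null trick against
# a scratch directory built here, next to the "intuitive" form that loses the
# file names. All sample files below are constructed for the demonstration.

# grep_with_names PATH REGEXP
#   The post's one-liner. Each grep sees two operands (the found file and
#   /dev/null), so it switches to "file:line" output for every match.
grep_with_names() {
    find "$1" -type f -exec grep "$2" {} /dev/null \;
}

# grep_without_names PATH REGEXP
#   One operand per grep: only the matching lines come back, without file names.
grep_without_names() {
    find "$1" -type f -exec grep "$2" {} \;
}

# list_matching_files PATH REGEXP
#   Just the names: grep -l prints each matching file once and no lines.
list_matching_files() {
    find "$1" -type f -exec grep -l "$2" {} \;
}

# make_sample_tree
#   Builds a constructed tree of three small files and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/sub"
    printf '<html>\n<title>index page</title>\n' > "$dir/index.htm"
    printf '<head><title>testing</title></head>\n' > "$dir/sub/test.htm"
    printf 'no title element here\n' > "$dir/notes.txt"
    printf '%s\n' "$dir"
}

# has_file_prefix LINE
#   True when a grep output line starts with an absolute path and a colon,
#   i.e. when grep told us which file the line came from.
has_file_prefix() {
    case $1 in
        /*:*) return 0 ;;
        *)    return 1 ;;
    esac
}

# demo: build the tree and run both forms so the difference is visible
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "# with /dev/null:";    grep_with_names "$tree" "<title"
    echo "# without /dev/null:"; grep_without_names "$tree" "<title"
    echo "# names only:";        list_matching_files "$tree" "<title"
    rm -rf "$tree"
fi
```

run it as <code>sh iwake.sh demo</code> (any file name will do) to see the three outputs side by side. two caveats for practitioners: GNU and BSD grep accept <code>-H</code> to force the file-name prefix without the trick, but the <code>/dev/null</code> form works on any POSIX grep; and <code>-exec ... {} \;</code> forks one grep per file, so on a big tree <code>-exec grep "regexp" /dev/null {} +</code> (which batches many files per grep, and still keeps /dev/null in case only one file is found) is much faster.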
my preferred one-line command is this one, however:<br /><br /><pre class="box">find <i>path</i> -type f -exec grep "<i>regexp</i>" {} /dev/null \;<br /></pre><br />which relies on the fact that, although <em>/dev/null</em> will never contain your pattern, <em>grep</em> is now looking at more than one file, so it prefixes each matching line with the name of the file it came from, as in this example:<br /><br /><pre>$ <b>find ~/public_html/ -type f -exec grep "^<title" {} /dev/null \;</b><br />~/public_html/index.htm: <title>index page</title><br />~/public_html/test.htm: <head><title>testing</title></head><br />Binary file ~/public_html/scripts/statcgi matches<br /></pre><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/unix" rel="tag">unix</a>, <a href="http://www.technorati.com/tag/shell" rel="tag">shell</a>, <a href="http://www.technorati.com/tag/one-liner" rel="tag">one-liner</a>, <a href="http://www.technorati.com/tag/scripting" rel="tag">scripting</a>, <a href="http://www.technorati.com/tag/tips" rel="tag">tips</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com3tag:blogger.com,1999:blog-22530044.post-1142522909129637422006-03-16T15:16:00.000+00:002006-03-16T15:28:29.156+00:00sun fire link rounduphere are a few links that will be of interest to sun fire t2000 owners and users. first off, the <a href="http://sunfirefan.com/">sun fire fan site</a>, which is a community of people who are participating in the try'n'buy performance evaluation program. i found this from the <a href="http://feh.holsman.net/articles/tag/t2000">feh v2 blog</a> run by the same person. several people have already looked at the crypto accelerator performance, as an <a href="http://blog.goolamabbas.org/?p=36">https accelerator</a> and here are <a href="http://blogs.sun.com/roller/page/chichang1?entry=rsa_performance_of_sun_fire">raw numbers</a> on <em>openssl</em> performance. 
several sun blogs deal with the t2000 including this one on <a href="http://blogs.sun.com/roller/page/travi">database scalability</a>. finally, here is some good information on <a href="http://www.stdlib.net/~colmmacc/2006/03/11/first-results-from-the-niagara-benchmarking/">throughput benchmarking</a> with some useful graphs.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/sun" rel="tag">sun</a>, <a href="http://www.technorati.com/tag/sparc" rel="tag">sparc</a>, <a href="http://www.technorati.com/tag/t2000" rel="tag">t2000</a>, <a href="http://www.technorati.com/tag/performance" rel="tag">performance</a>, <a href="http://www.technorati.com/tag/links" rel="tag">links</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com1tag:blogger.com,1999:blog-22530044.post-1142479912344540602006-03-16T02:58:00.000+00:002006-03-16T03:35:38.830+00:00network security applianceone of the ideas i have for testing the capabilities of the <a href="http://www.sun.com/servers/coolthreads/t2000/">sun fire t2000</a> server is to build a network security appliance. this would make use of the <a href="http://www.sun.com/software/solaris/howtoguides/containersLowRes.jsp">zones</a> feature in solaris 10. this allows full virtualisation of servers on one machine, along with allocation of resources, such as network ports or physical cpus, to each instance. each instance is a separate, full version of the solaris operating environment, and is indistinguishable from a complete physical machine to any processes running in it. this makes it ideal for separating security critical functions like firewalls and intrusion detection systems from each other, while still allowing them to run on one server. 
<br /><br /><span class="box"><a href="http://photos1.blogger.com/blogger/2599/2292/1600/t2k-net-app-full.jpg"><img src="http://photos1.blogger.com/blogger/2599/2292/1600/t2k-net-app.jpg" border="0" /></a></span><br /><span class="caption">network security appliance diagram</span><br /><br /><span class="full-post">in the above diagram you can see that i intend to virtualise six instances, four firewalls, one ids sensor and a management system. the t2000 has four gigabit ethernet ports, which would be assigned to each of the four networks, while inter-machine communication and intrusion detection would all be done using the virtual internal network. it will be simple to allocate at least one cpu to each machine, and the resource pooling commands available will allow some of the virtual machines to have extra cpus allocated, perhaps the internet-facing firewall and the ids sensor. the sun bigadmin site has some useful <a href="http://www.sun.com/bigadmin/content/zones/">resources</a> on zones, including the original <a href="http://www.usenix.org/events/vm04/wips/tucker.pdf">usenix paper</a> describing the implementation.<br /><br />the software to be installed will all be open-source packages, most of which are de-facto industry standards. i will use <a href="http://www.squid-cache.org/">squid</a> as the outgoing web proxy, <a href="http://www.snort.org/">snort</a> as the network ids and use native solaris networking for the firewall rules. i will need to determine a suitable console to administer the firewalls, but <a href="http://sguil.sourceforge.net/">sguil</a> will be used for ids command and control.<br /><br />a useful test would be to determine the line-speed that the firewalls and the ids are capable of handling without dropping any packets, and the number of simultaneous outgoing connections that the proxy will allow, while the dmz also has web traffic being sent to it from the internet. 
i believe that the t2000 should be a good platform for this kind of appliance, due to the one-box approach that can be taken, while not having to compromise on cpu power available. i intend to set this environment up over the next week and produce some performance figures to try and validate this claim.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/sun" rel="tag">sun</a>, <a href="http://www.technorati.com/tag/sparc" rel="tag">sparc</a>, <a href="http://www.technorati.com/tag/security" rel="tag">security</a>, <a href="http://www.technorati.com/tag/t2000" rel="tag">t2000</a>, <a href="http://www.technorati.com/tag/network" rel="tag">network</a>, <a href="http://www.technorati.com/tag/solaris" rel="tag">solaris</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1142462962614198352006-03-15T22:44:00.000+00:002006-03-20T01:57:03.360+00:00hardening solaris tenmy first job on booting solaris 10 on <code>hexagon</code>, my sun fire t2000 system, was to harden the operating system. i want to make sure that the system is not going to be offering extraneous services to passers-by on the internet (even though everything but ssh will be firewalled off.) this will have the added bonus of stopping cpu time being used unnecessarily. 
an initial portscan using the ubiquitous <a href="http://www.insecure.org/nmap/download.html">nmap</a> utility revealed the following open ports:<br /><br /><pre>robot$ <b>nmap -p1-65535 -A hexagon</b><br /><br />Interesting ports on hexagon (10.10.10.6):<br />(The 65514 ports scanned but not shown below are in state: closed)<br />PORT STATE SERVICE VERSION<br />21/tcp open ftp Solaris ftpd<br />22/tcp open ssh SunSSH 1.1 (protocol 2.0)<br />23/tcp open telnet<br />25/tcp open smtp Sendmail 8.13.4+Sun/8.13.3<br />111/tcp open rpcbind 2-4 (rpc #100000)<br />513/tcp open login Berkeley remote login service<br />514/tcp open tcpwrapped<br />587/tcp open smtp Sendmail 8.13.4+Sun/8.13.3<br />898/tcp open http Solaris management console server<br />4045/tcp open nlockmgr 1-4 (rpc #100021)<br />5987/tcp open unknown<br />5988/tcp open unknown<br />7100/tcp open font-service Sun Solaris fs.auto<br />9010/tcp open tcpwrapped<br />22273/tcp open wnn6?<br />32771/tcp open status 1 (rpc #100024)<br />32772/tcp open fmproduct 1 (rpc #1073741824)<br />32773/tcp open rusersd 2-3 (rpc #100002)<br />32774/tcp open ttdbserverd 1 (rpc #100083)<br />32777/tcp open sometimes-rpc17?<br />32778/tcp open dmispd 1 (rpc #300598)<br />32779/tcp open snmpXdmid 1 (rpc #100249)<br />32795/tcp open unknown<br />Service Info: OSs: Solaris, Unix, SunOS<br /><br />Nmap finished: 1 IP address (1 host up) scanned in 1778.040 seconds<br /></pre><br /><span class="full-post">as you can see, there's a lot of unwanted access provided there. at least <em>ssh</em> is there by default, but we also have <em>telnet</em> and <em>rlogin</em>, the X11 font server, as well as all those RPC services... 
solaris 10 manages services with the <code>svc<em>xxx</em></code> utilities (<code>svcs</code> to list them, <code>svcadm</code> to change them), and i will use them to turn off telnetd, rlogin and the other unwanted services from the scan, as follows:<br /><br /><pre>root@hexagon# <b>svcadm disable svc:/network/telnet</b><br />root@hexagon# <b>svcadm disable svc:/network/login:rlogin</b><br />root@hexagon# <b>svcadm disable svc:/application/x11/xfs</b><br />root@hexagon# <b>svcadm disable svc:/network/ftp:default</b><br />root@hexagon# <b>svcadm disable svc:/network/rpc/rusers</b><br />root@hexagon# <b>svcadm disable svc:/network/rpc/rstat</b><br />root@hexagon# <b>svcadm disable svc:/network/shell:default</b><br /></pre><br />and we can also get rid of the packages that provide <code>telnetd</code> itself, since it is inherently insecure, and there is always potential access via telnet to the console over the ALOM network port. first, check which packages need to be removed, then remove them with the <code>pkgrm</code> utility:<br /><br /><pre>root@hexagon# <b>pkginfo | grep -i telnet</b><br /> SUNWtnetr Telnet Server Daemon (Root)<br /> SUNWtnetc Telnet Command (client)<br /> SUNWtnetd Telnet Server Daemon (Usr)<br />root@hexagon# <b>pkgrm SUNWtnetr SUNWtnetd</b><br /></pre><br />hopefully, this has given you an idea of how to do all this manually. i also downloaded the <a href="http://www.sun.com/software/security/jass/">sun solaris security toolkit</a> which has a lot of useful scripts to automate the hardening process. the file you require is <code>SUNWjass-4.2.0.pkg.tar.Z</code> and is only 600KB. you need to be registered with sun to download anything, but this is useful anyway, since you need an id to get the latest security patches, and also to access the <a href="https://updates.sun.com:443/">sun update connection</a> site.<br /><br /><pre>root@hexagon# <b>uncompress SUNWjass-4.2.0.pkg.tar.Z</b><br />root@hexagon# <b>tar xf SUNWjass-4.2.0.pkg.tar</b><br />root@hexagon# <b>pkgadd -d . 
SUNWjass</b> <br /><br />Processing package instance <SUNWjass> from </root/install><br /><br />Solaris Security Toolkit 4.2.0(Solaris) 4.2.0<br />Copyright 2005 Sun Microsystems, Inc. All rights reserved.<br />Use is subject to license terms.<br />Using </opt> as the package base directory.<br />## Processing package information.<br />## Processing system information.<br />## Verifying package dependencies.<br />## Verifying disk space requirements.<br />## Checking for conflicts with packages already installed.<br />## Checking for setuid/setgid programs.<br /><br />Installing Solaris Security Toolkit 4.2.0 as <SUNWjass><br /><br />## Installing part 1 of 1.<br />/opt/SUNWjass/Audit/disable-IIim.aud<br />/opt/SUNWjass/Audit/disable-ab2.aud<br /><i>...etc...</i><br />/opt/SUNWjass/rules.SAMPLE<br />/opt/SUNWjass/sysidcfg <symbolic link><br />[ verifying class <none> ]<br /><br />Installation of <SUNWjass> was successful.<br /></pre><br />you'll notice that the package was loaded from <code>/root/install</code>. this is because i modify the <em>root</em> user to have a different home directory. often <code>/</code> is a shared home directory for other system accounts and daemon user ids, and it's never a good idea to have the root <code>.profile</code> and other dot-files there. moving home is relatively easy though:<br /><br /><pre>root@hexagon# <b>usermod -d /root root</b><br />root@hexagon# <b>mkdir /root</b><br />root@hexagon# <b>chmod 700 /root</b><br />root@hexagon# <b>mv /.[a-zA-Z0-9]* /root/</b><br /></pre><br />and all the existing dot-files get moved across as well. the <em>jass</em> security toolkit has a large number of configurable options, which are documented in the <a href="http://www.sun.com/products-n-solutions/hardware/docs/pdf/819-1503-10.pdf">reference manual</a>. the <a href="http://www.sun.com/software/security/blueprints/index.html">security blueprints</a> collection is also a good place to look for information. 
to secure your solaris system with the <em>jass</em> tool, execute the hardening driver using the following command:<br /><br /><pre>root@hexagon# <b>/opt/SUNWjass/bin/jass-execute -d hardening.driver |<br /> tee jaas-hardening.log</b><br /></pre><br />which will lock down your system, and place a log of all output into <code>jaas-hardening.log</code>. once this has completed, reboot to implement the changes. when you next log in you will see that a security warning has been added:<br /><br /><pre>|-----------------------------------------------------------------|<br />| This system is for the use of authorized users only. |<br />| Individuals using this computer system without authority, or in |<br />| excess of their authority, are subject to having all of their |<br />| activities on this system monitored and recorded by system |<br />| personnel. |<br />| |<br />| In the course of monitoring individuals improperly using this |<br />| system, or in the course of system maintenance, the activities |<br />| of authorized users may also be monitored. |<br />| |<br />| Anyone using this system expressly consents to such monitoring |<br />| and is advised that if such monitoring reveals possible |<br />| evidence of criminal activity, system personnel may provide the |<br />| evidence of such monitoring to law enforcement officials. |<br />|-----------------------------------------------------------------|<br /></pre><br />which should be modified to comply with local legal requirements. also, the passwords for any existing users will have been expired, and a much more stringent policy is now in place. 
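rather than eyeballing the two scans, the check worth scripting after any hardening pass is a diff of the open-port tables. the following is an added example (not the post's own code, and not part of the toolkit): a POSIX sh script that takes the port table from the first <em>nmap</em> scan above and the two-line table from the post-hardening scan that the post shows next, and reports what closed, what is still listening, and what is listening that is not on an explicit allowlist. the two tables are copied from the post's scan output; the allowlist (<code>22/tcp</code> only) is the example's own assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the open-port tables
# from the two nmap scans in the hardening walkthrough and report what the
# hardening closed, what is still listening, and what is listening that is
# not on an explicit allowlist. Both tables are copied from the post's own
# scan output (header plus PORT/STATE/SERVICE rows); the allowlist is ours.

LC_ALL=C          # byte-order sort so comm(1) sees consistently ordered input
export LC_ALL

BEFORE='PORT STATE SERVICE VERSION
21/tcp open ftp Solaris ftpd
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
23/tcp open telnet
25/tcp open smtp Sendmail 8.13.4+Sun/8.13.3
111/tcp open rpcbind 2-4 (rpc #100000)
513/tcp open login Berkeley remote login service
514/tcp open tcpwrapped
587/tcp open smtp Sendmail 8.13.4+Sun/8.13.3
898/tcp open http Solaris management console server
4045/tcp open nlockmgr 1-4 (rpc #100021)
5987/tcp open unknown
5988/tcp open unknown
7100/tcp open font-service Sun Solaris fs.auto
9010/tcp open tcpwrapped
22273/tcp open wnn6?
32771/tcp open status 1 (rpc #100024)
32772/tcp open fmproduct 1 (rpc #1073741824)
32773/tcp open rusersd 2-3 (rpc #100002)
32774/tcp open ttdbserverd 1 (rpc #100083)
32777/tcp open sometimes-rpc17?
32778/tcp open dmispd 1 (rpc #300598)
32779/tcp open snmpXdmid 1 (rpc #100249)
32795/tcp open unknown'

AFTER='PORT STATE SERVICE VERSION
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
22273/tcp open wnn6?'

# open_ports TABLE
#   Print "port/proto" for every row whose STATE column is "open", sorted so
#   that the lists can be fed to comm(1). The header row never matches.
open_ports() {
    printf '%s\n' "$1" |
        awk '$2 == "open" && $1 ~ "^[0-9]+/(tcp|udp)$" { print $1 }' |
        sort
}

# compare_ports MODE BEFORE AFTER
#   MODE is the comm(1) column selector: -23 = only in BEFORE (closed since),
#   -13 = only in AFTER (newly open), -12 = in both (still open).
compare_ports() {
    mode=$1
    b=$(mktemp); a=$(mktemp)
    open_ports "$2" > "$b"
    open_ports "$3" > "$a"
    comm "$mode" "$b" "$a"
    rm -f "$b" "$a"
}

closed_by_hardening() { compare_ports -23 "$1" "$2"; }
newly_open()          { compare_ports -13 "$1" "$2"; }
still_open()          { compare_ports -12 "$1" "$2"; }

# unexpected_open TABLE ALLOWLIST
#   Open ports in TABLE that are not in the space-separated ALLOWLIST. Anything
#   this prints after a hardening pass needs an owner or needs to go; on the
#   post's data it flags 22273/tcp, the port the author investigates later.
unexpected_open() {
    a=$(mktemp); w=$(mktemp)
    open_ports "$1" > "$a"
    printf '%s\n' $2 | sort > "$w"   # unquoted on purpose: one allowlist entry per line
    comm -23 "$a" "$w"
    rm -f "$a" "$w"
}

# report BEFORE AFTER ALLOWLIST
#   Human-readable summary of the three comparisons plus the allowlist check.
report() {
    echo "closed by hardening:";  closed_by_hardening "$1" "$2" | sed 's/^/  /'
    echo "newly open:";           newly_open "$1" "$2" | sed 's/^/  /'
    echo "still open:";           still_open "$1" "$2" | sed 's/^/  /'
    echo "open but not in allowlist [$3]:"; unexpected_open "$2" "$3" | sed 's/^/  /'
}

if [ "${1:-}" = "report" ]; then
    report "$BEFORE" "$AFTER" "22/tcp"
fi
```

run it as <code>sh portdiff.sh report</code> to print the summary. to use it on your own box, replace the two tables with the port sections of your own scans (or feed <code>nmap -oG</code> output through a similar awk filter) and put the services you actually intend to expose in the allowlist; the allowlist check is the one to keep running on a schedule, since a host that was clean after hardening can grow a new listener with the next package install.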
if an <em>nmap</em> scan is run against the system now, you will see that most ports are closed, except ssh and one other that will be investigated later:<br /><br /><pre>$ nmap -p 1-65535 -A hexagon | tee entries/hexagon.ports.03.txt<br /><br />Interesting ports on hexagon (10.10.10.6):<br />(The 65533 ports scanned but not shown below are in state: closed)<br />PORT STATE SERVICE VERSION<br />22/tcp open ssh SunSSH 1.1 (protocol 2.0)<br />22273/tcp open wnn6?<br /><br />Nmap finished: 1 IP address (1 host up) scanned in 1814.355 seconds<br /></pre><br />next, i installed some useful extra utilities, from the <a href="http://sunfreeware.com/programlistsparc10.html">sun freeware</a> site. this has lots of GNU software compiled for SPARC on solaris 10, although you may want to check out sun's offerings from the solaris 10 <a href="http://www.sun.com/software/solaris/freeware/">companion dvd</a>. <em>sudo</em> is a good replacement for the standard <code>su</code> program, <em>curl</em> makes retrieval of files from the internet simple and <em>lsof</em> lists all files that a process has open. once you have downloaded them, installation follows the same basic pattern. this is how i installed the <em>SMClsof</em> and <em>SFWsudo</em> packages:<br /><br /><pre>root@hexagon# <b>gunzip lsof-4.76-sol10-sparc-local.gz</b><br />root@hexagon# <b>ln -s /usr/sfw /usr/local</b><br />root@hexagon# <b>pkgadd -d ./lsof-4.76-sol10-sparc-local</b><br /><br />The following packages are available:<br /> 1 SMClsof lsof<br /> (sparc) 4.76<br /><br />Select package(s) you wish to process (or 'all' to process<br />all packages). 
(default: all) [?,??,q]: <b>all</b><br /><br />Processing package instance <SMClsof><br />from </root/install/lsof-4.76-sol10-sparc-local><br /><br />lsof(sparc) 4.76<br />Vic Abell<br />Using </usr/local> as the package base directory.<br />## Processing package information.<br />## Processing system information.<br /> 2 package pathnames are already properly installed.<br />## Verifying disk space requirements.<br />## Checking for conflicts with packages already installed.<br /><br />The following files are already installed on the system and are being<br />used by another package:<br />* /usr/local/doc<br />* /usr/local/man<br /><br />* - conflict with a file which does not belong to any package.<br /><br />Do you want to install these conflicting files [y,n,?,q] <b>n</b><br /><br />Do you want to continue with the installation of <SMClsof> [y,n,?] <b>y</b><br />## Checking for setuid/setgid programs.<br /><br />The following files are being installed with setuid and/or setgid<br />permissions:<br /> /usr/local/bin/lsof <setgid bin><br /><br />Do you want to install these as setuid/setgid files [y,n,?,q] <b>y</b><br />## Processing package information.<br />## Processing system information.<br /><br />Installing lsof as <SMClsof><br /><br />## Installing part 1 of 1.<br />/usr/local/bin/lsof<br />/usr/local/doc <conflicting pathname not installed><br />/usr/local/doc/lsof/00.README.FIRST<br />/usr/local/doc/lsof/00CREDITS<br />/usr/local/doc/lsof/00DCACHE<br />/usr/local/doc/lsof/00DIALECTS<br />/usr/local/doc/lsof/00DIST<br />/usr/local/doc/lsof/00FAQ<br />/usr/local/doc/lsof/00LSOF-L<br />/usr/local/doc/lsof/00MANIFEST<br />/usr/local/doc/lsof/00PORTING<br />/usr/local/doc/lsof/00QUICKSTART<br />/usr/local/doc/lsof/00README<br />/usr/local/doc/lsof/00TEST<br />/usr/local/doc/lsof/00XCONFIG<br />/usr/local/doc/lsof/lsof.man<br />/usr/local/man <conflicting pathname not installed><br />/usr/local/man/man8/lsof.8<br />[ verifying class <none> ]<br /><br 
/>Installation of <SMClsof> was successful<br />root@hexagon# <b>bzip2 -d SFWsudo.bz2</b><br />root@hexagon# <b>ln -s /usr/sfw /opt/sfw</b><br />root@hexagon# <b>pkgadd -d ./SFWsudo</b><br /><br />The following packages are available:<br /> 1 SFWsudo Sudo - superuser do<br /> (sparc) 1.6.8.5,REV=2005.01.05.17.49<br /><br />Select package(s) you wish to process (or 'all' to process<br />all packages). (default: all) [?,??,q]: <b>all</b><br /><br />Processing package instance <SFWsudo> from </root/install/SFWsudo><br /><br />Sudo - superuser do(sparc) 1.6.8.5,REV=2005.01.05.17.49<br /><br /><em>...and so on...</em><br /><br />Installation of <SFWsudo> was successful.<br />root@hexagon# <b>chmod u+s /usr/sfw/bin/sudo</b><br /></pre><br /><strong style="text-decoration: underline; text-transform: uppercase;">important</strong> - notice that the <em>sudo</em> executable was <em>not</em> setuid root, and we had to change this after installation, to make it work! after this, the installs for any other packages will be very similar - use the above processes as a guide, just remember to check where in the filesystem things get installed, and either create symlinks or allow it as required. once <em>sudo</em> has been installed, you need to authorise users to have access to the root user. use the <code>visudo</code> command as root, and setup the <code>sudoers</code> file. i added the following line, which gives everyone in the <em>sysadmin</em> group root access:<br /><br /><pre>%sysadmin ALL=(ALL) ALL<br /></pre><br /><br />since we have <em>lsof</em> installed now, we can check what was holding the other port (22273/tcp) open. 
in the <em>nmap</em> output it is listed as <em>wnn6?</em> but we can check what process is using it with <em>lsof</em> and <em>find</em> as follows:<br /><br /><pre>root@hexagon# <b>lsof | grep -i wnn</b><br />jserver_m 741 root 3u IPv4 0x600036e0100 0t0 TCP *:wnn6 (BOUND)<br />jserver_m 741 root 4u IPv6 0x6000377f940 0t0 TCP *:wnn6 (LISTEN)<br />root@hexagon# <b>find / -name "jserver_m" -print</b><br />/usr/lib/locale/ja/wnn/jserver_m<br /></pre><br />and we can see that it is a program called <code>jserver_m</code> that seems to have something to do with the japanese locale input method. i don't live in japan, or speak japanese, so this can be safely turned off. checking with <em>svcs</em> shows that it is started by <em>init</em> and can be disabled as follows:<br /> <br /><pre>root@hexagon# <b>svcs | grep -i wnn</b><br />legacy_run 20:50:28 lrc:/etc/rc2_d/S94Wnn6<br />root@hexagon# <b>/etc/init.d/Wnn6 stop</b><br />root@hexagon# <b>mv /etc/rc2.d/S94Wnn6 /etc/rc2.d/_S94Wnn6.DISABLED</b><br /></pre><br />hopefully this has given you an idea of how best to approach hardening a solaris 10 system. the one thing not covered here is patching, which i will describe in another post. depending on how tightly you want things locked down initially, you can either manually turn off certain services or you can use sun's provided toolkit, and edit the default settings. 
this gives you a lot of flexibility, but i now have a system i feel safe about connecting to my router and assigning an IP address...<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/security" rel="tag">security</a>, <a href="http://www.technorati.com/tag/hardening" rel="tag">hardening</a>, <a href="http://www.technorati.com/tag/sun" rel="tag">sun</a>, <a href="http://www.technorati.com/tag/solaris" rel="tag">solaris</a>, <a href="http://www.technorati.com/tag/sparc" rel="tag">sparc</a></div></span>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com5tag:blogger.com,1999:blog-22530044.post-1142247661655663612006-03-13T10:52:00.000+00:002006-03-16T03:44:28.553+00:00plasma flickringat the weekend, my friend <a href="http://occular.livejournal.com/">alex</a> came round, and we took some amazing pictures of one of those little plasma-ball toys that barry has in his front room. they were taken with alex's digital nikon slr, and at shutter speeds varying from 1/10 to 2 seconds. they really look beautiful, and with a tripod and some preparation they could probably even be improved...! 
the thumbnails below link to the photo-set on <a href="http://www.flickr.com/">flickr</a>:<br /><br /><a class="box" href="http://www.flickr.com/photos/redlex/sets/72057594080779345/"><img src="http://static.flickr.com/43/111636945_617fa33d32_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/37/111636346_a7674f8d74_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/43/111636270_ae0f756d1c_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/41/111636093_66305684c1_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/50/111640320_378ed96dd8_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/41/111639953_b0bda27c19_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/40/111639311_319a095077_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/41/111639171_e981aa80d9_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/54/111638653_22e69ac041_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/49/111638263_e6d4d9b0b8_s.jpg" style="border: 1px solid white;" /><img src="http://static.flickr.com/41/111637896_711296e2e4_s.jpg" style="border: 1px solid white;" /></a><br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/plasma" rel="tag">plasma</a>, <a href="http://www.technorati.com/tag/photos" rel="tag">photos</a>, <a href="http://www.technorati.com/tag/pretty" rel="tag">pretty</a>, <a href="http://www.technorati.com/tag/ball" rel="tag">ball</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1142045790794394632006-03-11T02:43:00.000+00:002006-03-11T20:29:30.906+00:00trees in a forestthis is a really nice photograph, taken by my friend rob. 
he's an amateur photographer, looking to make it professionally. he took this with a <a href="http://www.hasselblad.com/index.asp">hasselblad</a> medium format camera. it was shot on kodak film, and scanned with an <a href="http://www.imacon.dk/sw3032.asp">imacon 949</a>. adobe <a href="http://www.adobe.com/products/photoshop/main.html">photoshop</a> was used to adjust the gamma curves because the film used is hard to scan, although no other retouching or other editing was needed.<br /><br /><a href="http://static.flickr.com/43/110693917_bc62a10e70_o_d.jpg" title="trees in a forest"><img class="box" src="http://static.flickr.com/43/110693917_bc62a10e70_m.jpg" width="240" height="240" alt="trees in a forest" /></a><br /><div class="caption">trees in a forest - copyright © 2006 robert phillips</div><br /><br />for more technical details, or if you would like to get a print made, or see his other work, <a href="mailto:robertdphillips@gmail.com">email him</a> directly.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/trees" rel="tag">trees</a>, <a href="http://www.technorati.com/tag/photograph" rel="tag">photograph</a>, <a href="http://www.technorati.com/tag/forest" rel="tag">forest</a>, <a href="http://www.technorati.com/tag/colour" rel="tag">colour</a></div>grkvlthttp://www.blogger.com/profile/08567288684267343287noreply@blogger.com0tag:blogger.com,1999:blog-22530044.post-1142039646334457452006-03-11T00:54:00.000+00:002006-03-16T11:58:18.716+00:00niagara fallsi am currently running one of sun's new <a href="https://www.sun.com/servers/coolthreads/t2000/index.jsp">sun fire t2000</a> servers, as part of an evaluation and review programme. sun are allowing qualified individuals and companies to try the system for sixty (60) days before buying one. this can only be a good thing for sun, since it ought to get people who would not normally specify sun kit to have a look. 
as far as cost goes, the server retails at around usd 10K depending on configuration. this is actually pretty cheap for a system of this quality and power. think of it this way - how much would a 24-way PC system cost? and in a 2U form factor chassis as well?<br /><br />the specification of my machine is listed as <em>medium</em> and has a niagara T1 processor. this is a six core ultra SPARC T1 cpu, each core of which runs at 1 GHz and has four 'coolthread' execution units, giving a total of twenty four (24) processors. the machine also has 8 gigabytes of ram and two 73 gigabyte serial attached SCSI (SAS) drives. the technology is known as <em>cool</em>threads because the system only consumes seventy five watts (75W) at full load. this isn't the highest spec, either - it is possible to have t2000 configurations with eight T1 cores, running at 1.2 GHz, giving 32 coolthreads. note that there is <em>no</em> floating point processor in the T1, although the system does have a cryptographic accelerator built in.<br /><br />so, when the box arrived yesterday, i unpacked it immediately...<br /><br /><span class="full-post">the shipment consisted of: the server itself, a rack-mounting kit, two utp patch cords and two uk power cords. there is no real documentation shipped, just a small warranty booklet and a set of packing notes. it does, however, have a whole set of neat little diagrams on the top of the chassis explaining common maintenance tasks, like replacing fans or installing more ram modules. 
i downloaded the <a href="http://www.sun.com/products-n-solutions/hardware/docs/Servers/coolthreads/t2000/index.html">documentation</a> from sun, and read the <a href="http://www.sun.com/products-n-solutions/hardware/docs/pdf/819-2546-10.pdf">install guide</a> first.<br /><br /><div class="box"><img src="http://static.flickr.com/37/104979200_a4c823c556.jpg" /></div><div class="caption">the sun fire t2000 'coolthreads' server</div><br /><br />it turns out that on power being supplied initially, it will go into the lights-out management mode (<a href="http://www.sun.com/products-n-solutions/hardware/docs/pdf/819-2550-10.pdf">ALOM</a>) and stay there. this must be accessed via the serial management console, which is the <em>only</em> active port on the box as shipped.<br /><br />to get into it i needed an RJ45 (sun) to DB9F (PC) <a href="http://hardwarebook.net/cable/serial/ciscoconsole9.html">null-modem cable</a>. unfortunately, nothing of the kind came in the box. still, a trip to maplins and application of a soldering iron and a few hours later (yes, i'm that bad at soldering, <em>and</em> i had help!) a cable was ready. it turns out that this is what is commonly called a 'cisco console rollover cable' and they are almost always available on ebay. i enabled the network management port and booted into the open firmware <code>ok</code> prompt, and then into solaris. sun don't configure Solaris for you, although they do install it, however the configuration is as simple as setting IP address parameters and location details, so it didn't take long until i had a working, networked server. 
and here is the proof:<br /><br /><pre>adk@hexagon$ <b>prtdiag</b><br />System Configuration: Sun Microsystems sun4v Sun Fire T200<br />System clock frequency: 200 MHz<br />Memory size: 8184 Megabytes<br /><br />========================= CPUs =========================<br /> CPU CPU <br />Location CPU Freq Implementation Mask <br />------------ ----- -------- ------------------- -----<br />MB/CMP0/P0 0 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P1 1 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P2 2 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P3 3 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P4 4 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P5 5 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P6 6 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P7 7 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P8 8 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P9 9 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P10 10 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P11 11 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P12 12 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P13 13 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P14 14 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P15 15 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P16 16 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P17 17 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P18 18 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P19 19 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P20 20 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P21 21 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P22 22 1000 MHz SUNW,UltraSPARC-T1 <br />MB/CMP0/P23 23 1000 MHz SUNW,UltraSPARC-T1 <br /></pre><br /><br />as you can see, i have 24 cpus ready to do whatever i want. i have been waiting for this technology ever since i first read about it in <a href="http://blogs.sun.com/roller/page/jonathan/20040910">2004</a> so i have some pretty good ideas about how to utilise it. although sun seem to be promoting this as an enterprise class web and web application server (which it will perform fine as.) 
<strong>but</strong>, i think that it would make an excellent <em>network security appliance</em>. i intend to run an array of security applications and services to see how well it copes. this would include network IDS and IPS sensors and management servers, which can take advantage of the virtualisation technology available in solaris 10. also, some kind of all-in-one firewall and dmz protection device with deep packet inspection and virtualised ingress and egress firewalls, using all four gigabit ethernet ports. it also has crypto acceleration, which is ideal for several other security tasks.<br /><br />my <em>first</em> job is to secure and harden the stock solaris 10 install that it came with. i have to turn off all the default services, such as <code>telnetd</code> and <code>rlogin</code>; only then will i be able to start thinking about allowing <code>hexagon</code> onto the internet, and doing something useful. more on this as i run the tests and build the environments to test them...<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/sun" rel="tag">sun</a>, <a href="http://www.technorati.com/tag/server" rel="tag">server</a>, <a href="http://www.technorati.com/tag/sparc" rel="tag">sparc</a>, <a href="http://www.technorati.com/tag/review" rel="tag">review</a>, <a href="http://www.technorati.com/tag/install" rel="tag">install</a>, <a href="http://www.technorati.com/tag/security" rel="tag">security</a></div></span><br />(3 comments)<br /><br /><strong>wake me up!</strong> <em>(grkvlt, 2006-03-04)</em><br /><br />i'm notoriously bad at getting up, and since i pawned my last ipod (don't ask...) i don't have any way of waking up to a selection of music in the morning. i decided this wouldn't do at all, and i was getting tired of the awful ring-tone my phone used as its alarm noise.
now, my macintosh has itunes, and a set of nice loud speakers. however, i'm running OS X 10.3.9, so no <a href="http://www.apple.com/macosx/features/automator/">automator</a> for me. i do have a working knowledge of <a href="http://www.apple.com/applescript/">applescript</a> though, and itunes is chock-full of applescript-awareness, so i decided to write a little script to work as an alarm clock.<br /><br /> <span class="full-post">the script is really very simple. to use it, open up the <em>script editor</em>, which lives in the <em>/Applications/AppleScript/</em> folder. enter the following text, exactly as shown:<br /><br /><pre>-- iWake<br />-- <br />-- slowly raise itunes volume to wake up.<br />-- call from batch processing every morning<br />-- <br />-- author: andrew kennedy<br />-- created: 02 march 2006 09:54<br />-- <br />-- copyright (c) 2006 nevada systems<br /><br />property wake : 30 -- time in minutes to wake up in<br />property vol : 100 -- volume setting<br />property step : 1 -- delay in seconds between volume changes<br /><br />on run<br /> -- get current volume, then silence itunes<br /> tell application "iTunes"<br /> set vol to sound volume<br /> set sound volume to 0<br /> end tell<br /> <br /> -- delay per volume step, so the ramp takes 'wake' minutes<br /> set step to (wake * 60) / vol<br /> <br /> -- start itunes<br /> tell application "iTunes"<br /> play<br /> end tell<br /> <br /> -- slowly raise the volume back to the original level<br /> repeat with counter from 0 to vol by 1<br /> delay step<br /> tell application "iTunes"<br /> set sound volume to counter<br /> end tell<br /> end repeat<br />end run<br /></pre><br /><br />you can test this script out by choosing <em>compile</em> and then, making sure iTunes is running but paused, press <em>run</em> at the top of the script editor window. what should happen is that the itunes volume will be reset to zero, and then start playing, while slowly raising the volume back to the original level over the next ten minutes.
assuming you see the volume drop and iTunes start, you can (rather than wait ten minutes) just quit the iWake application, but make sure it's <strong>not</strong> the script editor.<br /><br />now, save the whole thing as an application somewhere useful. i chose to put mine in <em>~/bin/iWake.app</em> which is in my path. you will need a way to run your alarm clock, at whatever time in the morning you want woken up. i use the Unix cron daemon, which is part of the BSD package installation on OS X. go to the terminal, and run the command <code>crontab -e</code> and you will be presented with a blank editor window, probably <em>vi</em>. now, add the following text (to the end of the file if there is anything there already) and save it.<br /><br /><pre>##<br /># adk cron entries<br /># modified 2006/03/04 -5h00<br />##<br /># wake up with itunes in the morning at 09h00<br />00 09 * * 1-5 osascript <em>/Path/to/your/saved/iWake</em><br /># and at 10h30 weekends<br />30 10 * * 0,6 osascript <em>/Path/to/your/saved/iWake</em><br /></pre><br /><br />make sure that you replace the path after <em>osascript</em> with wherever you saved the script. if you're not sure how to use vi, paste the text into another editor and modify it there, then copy the whole thing to the clipboard and just press the following keys in order <b>G</b> <b>o</b> <b><i>[command]-V</i></b> <b><i>[escape]</i></b> <b>:wq</b> <b><i>[enter]</i></b> when vi appears, and you should be told <em>crontab: installing new crontab</em> when finished. for help on changing the times and days look at the <a href="http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/crontab.5.html"><em>crontab(5)</em></a> man page.<br /><br />you now get woken up gently by your favourite music. which is good. as an exercise for the reader, i would suggest modifying the script to choose a particular playlist, since this version just resumes whatever was playing when itunes was paused. 
next time, a sleep timer that <em>drops</em> the volume...<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/itunes" rel="tag">iTunes</a>, <a href="http://www.technorati.com/tag/applescript" rel="tag">AppleScript</a>, <a href="http://www.technorati.com/tag/cron" rel="tag">cron</a>, <a href="http://www.technorati.com/tag/alarm" rel="tag">alarm</a>, <a href="http://www.technorati.com/tag/wake" rel="tag">wake</a></div></span><br />(0 comments)<br /><br /><strong>MAKE.MONEY.FAST</strong> <em>(grkvlt, 2006-03-01)</em><br /><br />i'm a (pretty good?) web programmer by now, and i've amassed a bunch of skillz over my time served in the industry. i started working on perl cgi scripts in 1992 when nobody knew what the web was, let alone perl or cgi. i then moved on to java in 1995 when it arrived, and tried my hand at javascript in the first browsers that supported it. i remember creating my first site with frames and javascript rollovers back then, because the client wanted something modern and flashy. i coded a netscape server api library that accessed a database over odbc on a dec alpha running nt 3.51 when such things were cutting edge. you get the idea, i've been doing web applications for a long time now, over ten years anyway.<br /><br />so, as you might have seen from the development environment posts, i'm also fluent in the latest java and java enterprise apis, and the associated libraries. things like struts, jsps, servlets, mysql/jdbc and so on. i'm even able to turn my hand to php when the need arises. what, though, can i do with this hard-won knowledge? i believe the official MBA term would be to <em>monetize my skill set</em> or something like that.
oh, and i don't want to have to go to an office for 0900, wear a suit or interact with people on a daily basis.<br /><br /><span class="full-post">the answer turns out to be freelance bit-work. i've been working from home on a web application for a friend's small business, and i thought there must be a lot of people in his situation. he wanted some custom software, but couldn't pay the tens of thousands of pounds for a full-scale j2ee solution, with oracle, weblogic, and all that kind of heavyweight server-based junk. i started looking at the <a href="http://www.rentacoder.com/">rent-a-coder</a> site to see what it was like, and found that there were plenty of likely candidates.<br /><br />the other three sites that i'm registered on as a developer are: <a href="http://www.getacoder.com/">get a coder</a>, <a href="http://www.getafreelancer.com/">get a freelancer</a> and <a href="http://www.scriptlance.com/">script-lance</a>. so far, i have two projects active on rent-a-coder, and several projects that have reached the shortlist stage on get a coder. i'm not sure about the other two sites, but i'm bidding on them at the moment and will see what comes up. one problem i've noticed is that a lot of indian, chinese and eastern european developers and <em>teams</em> of developers use these sites. they seem to be able to put in extremely low prices, which is the benefit of offshore outsourcing, i guess, but makes it hard for me to be competitive <em>and</em> profitable.<br /><br />anyway, i'm working on two projects right now, and the buyers seem really friendly and have been pretty clear about what they wanted, and accepted my advice about what was and wasn't possible. the sites encourage communication using their message boards/forums so that disputes and arbitration when a disagreement occurs about scope can be resolved by referring to what each party actually said. 
when a project starts, your IM alias is given out, and this makes simple back and forth chat easier, but i have been summarising any decisions on the site so there is a permanent record. one thing to watch out for is people trying to get their college assignments and homework done on the cheap. i worked for my degree (well, a little) and i have big problems with someone trying to submit work that they just paid someone else to do.<br /><br />another type of project to avoid is the 'clone' request. this usually involves a (probably teenager) asking for a clone of amazon/ebay/myspace/<em>insert-commercial-site-here</em> and offering the princely sum of, say, fifty dollars. i wonder if they can even comprehend the amount of money that a company like amazon spends on their e-commerce web service? <em>avoid!</em> with regard to payment for <em>real</em> projects, the site will escrow the full bid amount from the buyer at the start. this means i am sure i'll get paid at the end (assuming i deliver an acceptable product...)<br /><br />something i'd like to have clarified is the position on open source libraries. i <em>believe</em> that the GNU <a href="http://www.fsf.org/licensing/licenses/lgpl.html">LGPL</a> (lesser GNU public license) allows me to sell software that links to libraries with that license. also, since i provide source code for my app and unmodified binaries (which have freely downloadable source anyway) for libraries i use, i interpret the apache <a href="http://www.apache.org/licenses/LICENSE-2.0.html">ASL</a> (apache source license 2.0) as allowing me to distribute, say, jakarta commons httpclient with my application. 
i'd <strong><em>REALLY</em></strong> like to get this properly clarified.<br /><br />the ebay <a href="http://developer.ebay.com/DevProgram/developer/sdk.asp">sdk</a> and api download seems to get away with distributing apache <a href="http://ws.apache.org/axis/">axis</a> (the web services api, more on this and the ebay development platform some other time) and a whole load of jakarta commons libraries, so they must think it's legal, and in this case, i'm going to redistribute the ebay sdk anyway, so the licensing issues are theirs. it's a grey area though, and i need to be careful. i don't want richard stallman coming round to my house with a bunch of the FSF hired goons! <br /><br />i'm really pleased with my discovery of rent-a-coder work, and i'm pretty sure it's a good way for me to make money doing something i enjoy. so far, admittedly, i haven't won any bids on the other sites so i'll just have to keep bidding, but at least i'm going to be productive. i'll update with some more information about my interactions with get a coder, get a freelancer and script-lance when they happen, and also report on the outcome of my current projects when i'm finished.<br /><br /><div class="technorati-tags"><a href="http://www.technorati.com/tag/freelance" rel="tag">freelance</a>, <a href="http://www.technorati.com/tag/devenv" rel="tag">devenv</a>, <a href="http://www.technorati.com/tag/programming" rel="tag">programming</a>, <a href="http://www.technorati.com/tag/rentacoder" rel="tag">rentacoder</a>, <a href="http://www.technorati.com/tag/software" rel="tag">software</a></div></span><br />(4 comments)