I’m like, totally CIA here

Sometimes you have one of those moments where you realize just how incredible the world is that we live in today. For example, The Bourne Supremacy was on television the other day, and I caught the scene where Jason Bourne was breaking in to the home of a former agent of the same clandestine program to question and then murder him… or not… or something. It’s a Bourne movie, what else would he be doing?

Anyway, the guy’s condo was awesome. I really like modern minimalist architecture, and this guy’s condo fit the bill. I had to know more. I managed to remember that his name was Jarda and Bourne was in Munich, so I fired up the Googles and went at it:

Google search for “bourne supremacy film locations“.

Click the very first result (ZOMG that was easy).

Hrm, not recognizing anything on page 1

Page 2BINGO!

And some clues…

By now it should come as no surprise that the ‘Munich’ house of Jarda, the other remaining Treadstone operative, is also Berlin, on Kaiserstrasse, in the Wannsee district.

Google “Kaiserstrasse Wannsee” because, why the hell not?

Ok, so that’s a map, and there’s satellite imagery. Cool, but how can I get a better view? I think Bing has aerial photography from little planes or something. Let’s try that.

And there are the condos.

Like, whoa.

Rubygems, HTTPS, and jRuby OpenSSL LoadError

UPDATE: It seems there was enough clamor over the unannounced change that a reversion to HTTP was warranted. The advice below isn’t needed currently, but may become relevant in the future, should HTTPS end up back in the mix without a suitable workaround.

Rubyists have been dropping by #rubygems this morning experiencing issues with jRuby and gem install. The issue is related to Rubygems.org’s switch to forcing HTTPS on connections to their Gem repository. Specifically, there is a recursive issue with jruby-openssl when trying to install Gems from Rubygems.org: you need jruby-openssl to install jruby-openssl.

If you attempt to install a Gem in any version of jRuby prior to 1.7 that doesn’t already have jruby-openssl installed, you will receive a LoadError error that looks something like this:

Exception `LoadError' at /home/username/.rubies/jruby-1.5.1/lib/ruby/site_ruby/shared/jruby/openssl/autoloads/ssl.rb:8 - OpenSSL::SSL requires the jruby-openssl gem

The trouble is, you’ll get this message even if you’re trying to install the jruby-openssl gem. Uh oh.

The root of the problem is owed to two factors

  1. Prior to jRuby 1.7, OpenSSL support was not included in jRuby core because of crypto export constraints
  2. Rubygems.org recently switched to forcing HTTPS as a means of increasing security in the rubygems ecosystem

The jRuby devs have worked through the crypto export issue, so updating to jRuby 1.7 will solve the problem; you no longer need jruby-openssl, period. If you’re stuck on an older version of jRuby and need to get gem install working again, you can use this horrible, hacky work around:

Download the jruby-openssl .gem file (using something like wget/curl) and install it from the local file like so:

wget http://production.cf.rubygems.org/gems/jruby-openssl-0.7.7.gem
gem install --local ./jruby-openssl-0.7.7.gem

Be sure to replace the version number with one compatible with your version of jRuby. Also, understand that there are no guarantees that the URL schema above will remain in place. Rubygems are an API, so the implementation may change. The long term solution is to move to jRuby 1.7.

He’s no Don Draper

Anyone who has seen Don Draper’s iconic Carousel speech knows that nostalgia is a terribly effective agent for emptying consumers’ pockets. Apparently, a reader at Daring Fireball saw a correlation between Don’s work and a recent advertisement for Internet Explorer.

Take a moment to watch both the Carousel speech and the Internet Explorer ad before you move ahead. I’ll wait.

I don’t doubt that the agency responsible for the advertisement had this in mind when they scripted this piece. Unfortunately, the ad falls flat for me.

I grew up in the 90s. I saw a lot of things I remember fondly when I watched the ad; if not with a chuckle at the absurdity of the 90s aesthetic. I did feel connected with the images, but why didn’t I feel connected to the product?

Don Draper tells us we should be nostalgic, but not because we have a strong sentimental attachment to film slides. We feel what we do because of what the Carousel delivers. We insert our slides, dim the lights, and we are taken back to “a place where we know we are loved”.

Sob.

Unfortunately, yeterday’s Internet is gone. Internet Explorer cannot bring it back. Therefore, the product fails to deliver on the promise of the ad. That, I think, is the disconnect, and it’s the reason the ad falls flat for me.

Why be evil.rb?

Caius Durling shared some “hax” with the Ruby community that inspired some discussion over at Hacker News. I commented there, but it seemed like a decent topic for a blog post. One of the examples illustrates a means to define a method-local variable in the argument definition list:

  def output name=((default=true); "caius")
    "name: #{name.inspect} -- default: #{default.inspect}"
  end

  output() # => "name: \"caius\" -- default: true"
  output("fred") # => "name: \"fred\" -- default: nil"

Have a closer look at the method definition line. This code works because of the way parenthesis are handled. Much like in math, when parenthesis are encountered, we evaluate from the inside out. Fire up an IRB session and run this code:

((default=true); "caius")
default.inspect

The return value given for the first line is “caius”, which gets assigned to “name” in our argument list, but you can also see that default is set to “true”. Using the semi-colon statement separator only works because we’ve wrapped the whole thing in parenthesis. That’s why the return value is “caius”. We leverage Ruby’s last-line return value feature.

This might all seem trivial to you if you’ve been programming in Ruby for a while, but therein lies the crux of the discussion. If we only ever wrote code for ourselves, this would be a non-argument. If we expect other people to read and use our code, we should write in a way that is easy to interpret.

Like many viewpoints, the “wrongness” of this example is not black & white; it’s shades of gray. On one hand, you have the “anything that will eval is valid Ruby” view, and on the other you have the “If it’s not immediately obvious to a beginner, you shouldn’t do it” view. There may be better ways to express those two sides of the matter, but that’s the general idea.

The problem with this code (from the latter viewpoint) is that it crams too much program logic in to the argument definitions. This example uses parenthesis to force the evaluation of default=true; "caius" in the argument definition list. That’s only two statements, but it violates some common expectations:

  1. We generally expect argument definitions to be clear and readable, so that method definitions are self documenting (to some degree); this approach clutters the argument definitions.

  2. We expect argument definitions to sometimes assign default values.

  3. We expect program logic to appear in the body of a method, or to be DRY’d up in separate methods.

In this way, the example is not “incorrect” but awkward. To borrow an idea from the literate programming camp, I’d say that just because you can write awkward sentences with valid grammar, it doesn’t mean you should.

Side note: In Caius’ defense, he does say never to use these.

You have no idea what Steve Jobs would do

The iOS 6 maps kerfuffle has the Steve Jobs prognosticators out in force, all crying the same old song: “Steve would have never let this happen!”

Really, folks? Really?

Very few people — less than I can count on one hand — ever demonstrated any ability to understand what was going on inside Steve Jobs head. The vast majority of the tech punditry flat out disagreed with him. Most common geeks foamed at the mouth in rage over some of Steve Jobs’ actual decisions. Remember the whole “no native apps” on the original iPhone? How about the time Steve Jobs went all Jules Winnfield on Adobe Flash?

The only person who demonstrated any ability to understand Steve Jobs’ reasoning on anything more than a superficial level was John Gruber, and the community over at Hacker News (a place full of really smart geeks) waits with baited breath to tear his articles apart.

The truth is, none of us have any clue whether Steve Jobs would have released iOS 6 Maps in this state. What we do know was that he was hoppin’ mad over Android, and put the wheels in motion on the Apple/Google separation long before his passing.

This whole thing really has nothing to do with anything. It’s just a plea. A plea to stop invoking the name of a man who’s time was cut short in an effort to add credibility to your argument. Yes, iOS Maps suck, but they suck regardless of what Steve Jobs might, or might not, have done.

Cable television subscription rates falling; but where are they going?

BGR reports that 400,000 cable and satellite television subscribers ditched their service this year. This apparent declining trend is backed up by the graph over at NCTA (NTCA is a cable provider trade group). You can see from that graph that the number of cable television subscribers peaked in 2001. So where are these folks getting their entertainment?

Even more interesting is the graph of cable internet subscribers over a similar time period. It looks like cable internet started taking off at about the time television subscribers peaked. The graph below uses the data from NCTA/SNL Kagan.

Just go ahead and assume everyone knows your password

Fast on the heels of the LinkedIn password leak, eHarmoney also announced a password disclosure. Today, Last.fm is suggesting that users should change their passwords.

Not good.

Right now, a lot of you are thinking, “Who cares if hackers have access to my Last.fm account?” I agree. What’s the worst they can do there? Scrobble some music to your timeline, leading others to believe you have poor taste? Oh the horror!

But what if you happen to use the same password for LinkedIn/eHarmony/Last.fm as you do your email? Even if you’re one of those people who have no secrets, consider that your email is the key to a large part of your life. If you forget your bank password, how do you reset it? That’s right, through your email.

You might recall your friendly neighborhood IT guy mentioning something about secure passwords, and for years you’ve gotten by with the ol’ “yeah, yeah, I’m listening” response, but things are starting to get pretty serious. These types of breeches are becoming far more common. LinkedIn aren’t a bunch of schmucks. They’ve got a good team full of smart people, but security is hard. Security is ridiculously, insanely, absurdly, strikingly (is that even a word?) hard. Even the best are going to fail sometimes.

So what can you do? You can lend these guys a hand. Having your Last.fm account compromised isn’t a very big deal if your Last.fm password is different from all your other passwords. Keeping track of a unique password for every website you use sucks. I know that, you know that, and even the security guys know that, but it sucks less than having someone initiate a bank transfer for your entire life savings to an offshore bank who refuses to cooperate with the FBI. Let’s not find out what that’s like, eh?

In the mean time, get yourself some tools to help you out. I like 1Password. It works on PCs, Macs, iPhones, iPod Touches, iPads, and Android phones…. . I’ve been using it for a couple of years now, and I’m not sweating any of these disclosures.

EDIT: Another friend of mine recommends LastPass. I’ve been happy with 1Password, so I don’t have any reason to stray, but if you’re not feeling 1Password for any reason LastPass is probably worth a shot.

The product guy’s shame

Sometimes I read sites like HackerNews and I feel like I die a little bit. A developer writes an uppity missive about why he won’t be my technical guy. A product guy returns fire in kind. Neither of them have a clue.

I’m in the “product guy” community, so that’s who I’ll speak to. A few choice quotes from the product guy rant:

YOU are easily replaceable. You’re just the coder who builds the thing. Once MVP is launched and the company raises funding, you could easily be replaced because I guarantee you there are thousands of engineers just as good as you.

If your “coders” are replaceable cogs, I dispute that your product is worth a shit. A lot of what defines a good developer is their ability to grok a business idea and bring meaningful contribution to the product as it is developed. With every keystroke, a developer has the option to make the product better or worse.

The product guy, on the other hand, is the DNA of the company. He forms the vision, culture, management. You can’t replace that.

You’re right. Good product guys have a vision of the product that steers the ship. You can’t build a great product on iteration alone. You need an overall vision. This, however, does not automatically make every other person in the organization meaningless drones.

The best products result when the visionary understands how to communicate their ideas to the development team, who internalizes these ideas and uses them to guide their efforts at every moment. The happiest moments in my day come when a developer pushes a commit/feature that fits exactly with my vision, but isn’t an explicit result of some directive I gave. These super-developers can infer good ideas from my product direction. I don’t treat them like drones and, what do you know, they don’t act like it.

I imagine that in this product guy’s view, developers are just there to do his bidding, but this marginalizes the developer, forcing them to perform the equivalent of ditch digging. Programming isn’t easy. Those that can do it are generally smart people. Do you think the best developers want to work for someone who wishes to marginalize them in this way?

Because I share my vision with developers, and empower them to guide the product, I cannot simply discard them. If I do, I throw away a significant investment as well as an asset. They need me, I need them, and the product is better as a result.

Walk a mile in Egor’s shoes

This was a rough weekend for Egor Homakov. Right now, some of you are questioning my framing of this weekend’s events as rough for Egor and not Github. After all, he went and violated Github’s ToS. There’s a tone of arrogance that rings through in his posts, but I suspect a portion of this can be attributed to his broken English. Recognition may be what motivated him to take the path he did (public disclosure), but I don’t mean to judge him. I can identify with Egor to some degree, because I’ve worn his shoes for about a year now.

Some time late last year, while working on a systems automation project, I discovered a DoS vulnerability in a fairly common piece of voice network hardware. This particular hardware is commonly used in telecommunications to provide voice interconnets between VoIP networks and legacy systems. There are thousands (maybe tens of thousands) sitting on public IP addresses. This particular vulnerability causes the gear in question to crash spectactularly, invoking a core dump and cold boot. The really nasty part is that the “exploit” doesn’t require any special skill. I’d say there’s a fairly high likelihood that someone else could stumble upon this, just like I did, provided they were using the same toolchain. Maybe they have.

I disclosed the vulnerability to the vendor in March of last year (2011). Last time I tested, the issue remains. I disclosed through a third-party that has a VAR relationship with the manufacturer, so I don’t have any direct insight in to their handling of the issue. There’s a small part of me that desires to make an example out of one, or the both, of them.

It makes me pretty angry. I have some idea of how many of these devices are out in the wild. They’re in use by some very large companies. Exploiting the vulnerability causes the device to become unavailable for 3-5 minutes at a time. An attacker would only need a handful of hosts to keep a device offline for a long while, even if the device operator actively blocked attacking hosts. Mitigating the attack would take some pretty significant retooling of the network configuration because of the service that is exploited. This is telecommunications hardware. Imagine taking down a large company’s entire call center for a couple of hours. How big of a check do you think they’d write to make you go away?

So here I sit, knowing that this problem exists, but worrying public disclosure could make me an outsider really quickly. Maybe Egor is just young and naive. Maybe he has guts. I don’t know him, so I can’t say, but I can tell you that knowing about a major security exploit is an uncomfortable position to be in. This is doubly so when you are ignored after disclosing it.

Before you judge him for the way he handled the situation, take a step back and make sure you understand which side of the table you’re sitting on.

Oh really, IE? I didn’t know you were a fan.

Debugging app interface in IE7, courtesy of Nolan Meyers.