From the QWANtify Blogs
Welcome to my second rambling about using Ruby on Rails!
I have MySQL configured correctly now. It was very easy to do with the MySQL GUI Admin tool. Unfortunately the tool itself isn’t very stable. It would lock up a lot when viewing users. I’m afraid I may have to uninstall the Ubuntu package version and install it myself, like I’ve had to do with Apache, Subversion, and RubyGems.
What’s that you say? Yes, I did just say I had to manually install Apache and Subversion. It turns out Ubuntu only has Apache 2.0 available and not Apache 2.1 or 2.2. I’ve seen many posts from people complaining about it, but no sign from the Debian or Ubuntu people that they will do anything about it. So I had to go install it myself. Oh, this also broke SVN, because I used Apache to access Subversion, so then I had to download my own Subversion and build it myself. Turns out that was for the best too, because again the Ubuntu version was 1.3 and the latest SVN is 1.4. So Ubuntu / Debian is on my naughty list right now. Still, it is much easier to work with than any of the other distros, so I would use it over any other Linux. Of course, right now I am starting to think about buying a Mac Mini just to run as a server. ;-) If only Apple didn’t cost so much. I just can’t justify spending that much on hardware when I can build a better box for less.
Luckily I found one blog that has two articles on this. THIS talks about installing Apache 2.2. THIS talks about taking that Apache 2.2 and installing Subversion. I did have to do a few things differently though. I use SSL, so when I configured Apache I also had to pass --enable-ssl. Also, when I built Subversion I had to make sure I had the development files for Neon, which I did use the Ubuntu software management tool to get. If you don’t do that, then Subversion cannot access a repository over http or https. David Winter, thank you for the two awesome articles; you are my new hero.
So why did I need Apache 2.2? Good question. After I got MySQL configured I tried to set up Mongrel clusters. That was simple and easy thanks to RubyGems and the quality of Mongrel and Mongrel Cluster. Then I tried to load balance my Mongrel cluster behind Apache. The suggested way to do that is to use mod_proxy_balancer, but that requires Apache 2.1 or Apache 2.2 and NOT Apache 2.0. Thus I spent another weekend finding this out and then manually building Apache 2.2 and Subversion.
Now, though, I can tell you all I have an awesome server stack: Apache using mod_proxy_balancer talking to Mongrel clusters. Why is this so cool? Well, now I will automate my build using Capistrano.
I’ll save that for next time. ;-)
Filed in: Team Member Blog
I recall a few weeks ago, one of my wife’s brothers was visiting and installing a piece of software on her computer. I casually mentioned as he was downloading that he should grab the MD5 checksum so that he could compare it against the downloaded file. He said that he didn’t even know what that was.
Verifying a checksum is a simple but important step in confirming that a file you have downloaded is intact and is the file you expect it to be.
Here’s how it works:
- The publisher runs an MD5 utility over the file to generate its hash.
- The file and the text of the hash are put onto a server for download.
- The downloader downloads the file to his or her computer.
- The downloader runs an MD5 utility over the downloaded file to generate its hash.
- The downloader compares the result to the posted MD5 hash. If they match, the download is intact and is the file the publisher posted. If the hashes differ, the downloader should not open or install the file.
Of course, this means there has to be a certain level of trust between the downloader and the website from which the file is downloaded. An attacker who can replace the file on the server can usually replace the posted checksum too, so a matching checksum served from the same place proves the download wasn’t corrupted or swapped in transit, not that the file is the publisher’s. Files and checksums can be replaced together to look legitimate while carrying viruses or other malware. The stronger check is a detached digital signature over the file (an OpenPGP signature, for example) made with a key the attacker does not hold.
On a Linux system the md5sum utility is usually installed by default, alongside sha1sum and sha256sum from the same coreutils package. For Windows systems there are various third party utilities that can be downloaded to calculate hashes. One is called digestIT and can be found at http://www.kennethballard.com/modules/xproject/index.php?op=viewSummary&pid=2. The md5sum command line utility has a Windows version which can be found at one of a number of links listed on OpenOffice.org’s website http://www.openoffice.org/dev_docs/using_md5sums.html.
The output of MD5 is a 128-bit value, printed as a 32-character hexadecimal string, which can be a little tough to compare by eye, but the Windows programs usually do the comparison for you. Some websites have started posting SHA1 hashes (160 bits, 40 hexadecimal characters) instead, since collisions are harder to find for SHA1 than for MD5: practical MD5 collisions have already been demonstrated, and SHA1 has been weakened as well, so where a site offers SHA-256 (64 hexadecimal characters) use that. Many of the Windows programs will also hash with these and other algorithms. On Linux, the openssl command (openssl dgst -sha256 file) can calculate many different hashes.
The actual algorithms aren’t too complex, but the discussion takes up a fair amount of space. I may post about those at a later time.
I’d encourage everyone to check the checksums when they are available. Even if you’re downloading from a trustworthy website, you never know if the files have been surreptitiously replaced. It’s a good security habit to get into.
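As an added example, not code from the original post: a Ruby script that does the downloader’s side of the procedure above. It reads the checksum listing a site posts next to its files (the "<hex>  <name>" format that md5sum, sha1sum and sha256sum write), picks the algorithm from the digest length, hashes each downloaded file, and reports a match, a mismatch, or a missing file. The function names, the tool.tar.gz file and its listing are constructed for the demonstration.

```ruby
require "digest"
require "tmpdir"

# The length of a posted hex digest identifies the algorithm that produced it:
# 128-bit MD5 prints as 32 characters, 160-bit SHA1 as 40, 256-bit SHA-256 as 64.
DIGEST_BY_HEX_LENGTH = {
  32 => Digest::MD5,
  40 => Digest::SHA1,
  64 => Digest::SHA256,
}.freeze

# Parse one line in the format md5sum/sha1sum/sha256sum write and read back:
# "<hex digest>  <filename>" (a leading "*" on the name marks binary mode).
# Returns [hex, filename], or nil when the line is not a checksum line.
def parse_checksum_line(line)
  m = line.strip.match(/\A([0-9a-fA-F]+)\s+\*?(\S.*)\z/)
  return nil unless m && DIGEST_BY_HEX_LENGTH.key?(m[1].length)
  [m[1].downcase, m[2]]
end

# Hash the downloaded file with the algorithm the posted digest implies and
# compare. Digest#file streams the file, so large ISOs are fine.
# Returns :ok, :mismatch, or :unknown_algorithm.
def verify_download(path, posted_hex)
  posted_hex = posted_hex.strip.downcase
  algo = DIGEST_BY_HEX_LENGTH[posted_hex.length]
  return :unknown_algorithm unless algo
  algo.file(path).hexdigest == posted_hex ? :ok : :mismatch
end

# Verify every file named in a checksum listing (the .md5 / .sha256 file a site
# posts next to its downloads). Returns { filename => result }.
def verify_listing(dir, listing_text)
  listing_text.each_line.with_object({}) do |line, results|
    hex, name = parse_checksum_line(line)
    next unless hex
    path = File.join(dir, name)
    results[name] = File.exist?(path) ? verify_download(path, hex) : :missing
  end
end

# Constructed demonstration: a "download" whose genuine content is "hello world",
# a listing copied from the publisher's page (MD5 for the tarball, SHA-256 for a
# README that was never downloaded), and then the tarball is tampered with.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "tool.tar.gz"), "hello world")
    listing = "5eb63bbbe01eeed093cb22bb8f5acdc3  tool.tar.gz\n" \
              "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  README\n"
    before = verify_listing(dir, listing)
    File.binwrite(File.join(dir, "tool.tar.gz"), "hello world, now with something extra")
    after = verify_listing(dir, listing)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "before tampering: #{before.inspect}"
  puts "after tampering:  #{after.inspect}"
end
```

On Linux the same check is one command, md5sum -c listing.md5 (or sha256sum -c), run in the download directory; the script above is the same logic written out so the algorithm choice and the failure cases are visible.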
Filed in: Team Member Blog
I am Kevin Runde and this is my first post. I joined QWANtify last year and am loving it here. I was blogging for a little bit on LiveJournal about my experiences using Ruby on Rails. This blog is going to continue those adventures.
So here is what I have been up to with Rails and Ruby lately. I have started working on some apps with friends and ran into common issues. I needed a Subversion repository, a test server, continuous integration, etc. I was looking at getting a virtual server at some places like Rails Machine, but I had some computers sitting around at home and couldn’t justify spending the money for a virtual server. So I have set up a machine at home!
I took an old 1 GHz AMD with 512 MB and put Linux on it. I first tried Fedora Core 6. That didn’t go well. First I had to download 5 disk images and burn them, after I already did the DVD image and realized the old computer didn’t have a DVD drive. Then it wouldn’t install. The best I can tell is that my NVidia card caused issues. So one weekend shot. Next I tried Gentoo. That installed, but wouldn’t update correctly. Another weekend shot. Then I installed Ubuntu. It worked and had lots of documentation about how to make my NVidia card work too.
So now I have Ubuntu and started getting all of the services on it I needed. I first got Subversion installed and had that working via SSH. I didn’t like the SVN+SSH solution with Windows. It sucked, so I installed Apache and signed my own certificate, so now I have Subversion working over https and NOT http. AWESOME!!!
This past weekend I decided it was time to install Rails. There I hit a weird issue. RubyGems is not an installable package!! Why? Because the Debian developers have issues with a Ruby package manager when they have their own package manager. I am getting really sick of Linux developers deciding not to support something because they don’t like it. This is one of the biggest issues with Linux. Alright, I’ll get off my SOAP BOX for now. So I got Ruby installed, built Gems and installed it manually. Then I used RubyGems to install the rest of Rails as it should be done. Last night I installed MySQL and started setting it up. I love how by default the security is very tight. PLUS you get good error codes you can look up to figure out how to adjust the security.
After I have MySQL configured correctly, I will get some of my apps running. Then I plan to start using Mongrel clusters and deploying with Capistrano.
I’ll let you know how that goes!
Filed in: Team Member Blog
Email is a wonderful communication tool. It’s also a wonderful way to spam people, phish for their personal information, and to be a general nuisance. What if instead of having spam filters to filter out all the unwanted email, all you have to do is filter out any email messages for which the sender can’t prove his or her identity?
I can send email to anyone anywhere in the world and claim to be someone I’m not. Nothing in SMTP authenticates the From header or the envelope sender, so falsifying them takes nothing more than a hand-typed session with a mail server. This should be a huge red flag to everyone who uses email, but for some reason it’s usually overlooked.
There is a decent solution to this problem. PGP (Pretty Good Privacy) has an open standard called OpenPGP; the free GNU implementation is GnuPG, or GPG. If you’re interested in all the gory details, the RFC is available [RFC 2440] (since superseded by RFC 4880). Many people have heard of PGP, many have not, and of those who have, many may not know exactly what PGP does for you or how it works.
So, what does PGP actually do? PGP allows a user to digitally sign and/or encrypt and decrypt data. Sounds pretty simple. The standard allows a user to generate a public/private key-pair with which pieces of data can be digitally signed or encrypted. It allows for a bunch of different key generation, hashing, and encryption algorithms.
To start with, a user needs to generate a key-pair. The key (no pun intended) to generating a secure private key is to make sure that enough entropy is available during key generation and that a strong passphrase is used. Key generation uses the random byte generator of the underlying operating system. The OS collects entropy from unpredictable event timings such as disk, keyboard, mouse and network interrupts (the source of the Linux kernel’s random driver is easy to find). This is why GnuPG asks you to type and move the mouse while it generates a key, and why a freshly booted or headless machine can be slow to produce one. A strong passphrase is necessary so that if your private key file is copied, say from a stolen laptop or a compromised backup, it is still exceedingly difficult for the thief to unlock it and impersonate you.
After the key-pair is generated, the public key can be uploaded to an OpenPGP keyserver. One commonly used keyserver is http://keyserver.veridis.com:11371/. It doesn’t matter much which keyserver you choose, because the public keyservers synchronize their keys with one another. Once uploaded, the public key is available to anyone who wishes to import it to verify a signature or encrypt a message to you. Keyservers do not check who uploads a key, though: a key’s presence on a server says nothing about whose it really is; that is established by the signatures on it, discussed below.
Now that everything is set up, things can be encrypted and signed! Email is probably what PGP is used for most. By signing a message with your private key, a recipient who has imported your public key can verify that the message was signed by the holder of that private key and has not been altered since. Encrypting goes one step further. GnuPG signs the message with your private key and then encrypts the signed message with the recipient’s public key (gpg --sign --encrypt), so the recipient is assured that the email came from you, and nobody without the recipient’s private key can read it, since only that key can unwrap the message.
This is all well and good, but how do you prove that a public key really belongs to the person named on it? The OpenPGP standard includes a trust model, which the GNU Privacy Guard handbook calls the “web of trust”. Anybody may sign any public key, and a signature on a key is a statement that the signer has checked that the key belongs to its named owner. That is why you should sign a key only after verifying its fingerprint with someone you know personally. When you import a public key you can view the signatures on it; if it carries a signature from someone whose key you have already verified, that is evidence about the key even though you haven’t checked it yourself, and over time these signatures build up a web reaching keys you trust directly or indirectly. Separately, you set a private owner-trust level on each key, recording how far you trust its owner to vouch for other keys. GnuPG combines the signatures and the trust levels to decide whether a key is valid, and shows you that verdict when you view a message signed with it.
The largest obstacle to adoption of even just digitally signing email is that a lot of email programs do not come with PGP/GPG support built in. I currently use Mozilla Thunderbird as my email program with the Enigmail OpenPGP plugin. Underneath the covers Enigmail uses GPG. I’ve been trying to get into the habit of signing my email most of the time. Even though most people don’t use OpenPGP-aware email programs, I’m hoping that this raises awareness of the necessity to verify that the email we receive every day is really being sent by the person claiming to have sent it. I’d also advocate for encrypting messages, but that requires the recipient to also have an OpenPGP key-pair.
One thing that’s left in the background of all this is that a PGP key can also be used to encrypt and decrypt local data. If you have files on your hard drive that you want secured, encrypt them using your own public key. They cannot be decrypted without both your corresponding private key and the passphrase that unlocks it.
In a nutshell, digitally signing email is a good thing. It helps to validate the sender of the email. The OpenPGP standard has a nice trust framework built in to help people decide how much they trust the identity of the sender. Encrypting email and signing it provides even more protection of the contents of the message.
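The exchange described above, as an added example that is not part of the original post and does not produce OpenPGP packets: it uses Ruby’s standard OpenSSL binding to show the same mechanics. A private key is stored passphrase-protected; the sender signs and then encrypts with a fresh AES session key wrapped to the recipient’s public key (the order gpg uses); the recipient decrypts and verifies; and a forgery signed with a different key is rejected. All function names and the Alice, Bob and Mallory keys are constructed here.

```ruby
require "openssl"

SIG_DIGEST = "SHA256"

# Generate an RSA key pair. The private half is returned passphrase-protected
# (PEM encrypted with AES-256-CBC), the way gpg keeps its secret keyring.
def generate_keypair(passphrase)
  key = OpenSSL::PKey::RSA.generate(2048)
  { public_pem: key.public_key.to_pem,
    private_pem: key.export(OpenSSL::Cipher.new("aes-256-cbc"), passphrase) }
end

# Unlock a private key. A copied key file with the wrong passphrase is useless:
# OpenSSL raises, and we report nil instead of a key.
def load_private_key(private_pem, passphrase)
  OpenSSL::PKey::RSA.new(private_pem, passphrase)
rescue OpenSSL::PKey::PKeyError
  nil
end

# Sender side, sign-then-encrypt:
# 1. sign the plaintext with the sender's private key,
# 2. encrypt signature+plaintext under a fresh AES-256-GCM session key,
# 3. wrap the session key with the recipient's public key (RSA-OAEP).
# Only the holder of the recipient's private key can recover the session key.
def sign_then_encrypt(plaintext, sender_priv, recipient_pub_pem)
  signature = sender_priv.sign(OpenSSL::Digest.new(SIG_DIGEST), plaintext)
  payload = [signature.bytesize].pack("N") + signature + plaintext.b

  aes = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  session_key = aes.random_key
  iv = aes.random_iv
  ciphertext = aes.update(payload) + aes.final

  recipient_pub = OpenSSL::PKey::RSA.new(recipient_pub_pem)
  { wrapped_key: recipient_pub.public_encrypt(session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING),
    iv: iv, tag: aes.auth_tag, ciphertext: ciphertext }
end

# Recipient side: unwrap the session key with own private key, decrypt (GCM
# rejects any tampering with the ciphertext), then verify the inner signature
# against the claimed sender's public key. Returns the plaintext, or nil when
# the signature does not verify, i.e. the message was not signed by that key.
def decrypt_then_verify(msg, recipient_priv, sender_pub_pem)
  session_key = recipient_priv.private_decrypt(msg[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  aes = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  aes.key = session_key
  aes.iv = msg[:iv]
  aes.auth_tag = msg[:tag]
  payload = aes.update(msg[:ciphertext]) + aes.final

  sig_len = payload.unpack1("N")
  signature = payload.byteslice(4, sig_len)
  plaintext = payload.byteslice(4 + sig_len, payload.bytesize - 4 - sig_len)
  sender_pub = OpenSSL::PKey::RSA.new(sender_pub_pem)
  return nil unless sender_pub.verify(OpenSSL::Digest.new(SIG_DIGEST), signature, plaintext)
  plaintext.force_encoding(Encoding::UTF_8)
end

# Constructed demonstration: Alice writes to Bob; Mallory, with her own key,
# tries to pass a message off as Alice's; someone tries Alice's key file with a
# guessed passphrase.
def demo
  alice = generate_keypair("correct horse battery staple")
  bob = generate_keypair("bob's passphrase")
  mallory = generate_keypair("mallory")
  alice_priv = load_private_key(alice[:private_pem], "correct horse battery staple")
  bob_priv = load_private_key(bob[:private_pem], "bob's passphrase")
  mallory_priv = load_private_key(mallory[:private_pem], "mallory")

  genuine = sign_then_encrypt("Lunch at noon?", alice_priv, bob[:public_pem])
  forged = sign_then_encrypt("Wire the money to Mallory", mallory_priv, bob[:public_pem])
  {
    wrong_passphrase_unlocks: !load_private_key(alice[:private_pem], "guess").nil?,
    genuine_verified: decrypt_then_verify(genuine, bob_priv, alice[:public_pem]),
    forged_verified: decrypt_then_verify(forged, bob_priv, alice[:public_pem]),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

What this does not solve is the question the next paragraph raises: Bob must already hold a public key he knows is Alice’s. Mallory’s forgery fails here only because Bob verified against Alice’s key, not against whichever key arrived with the message.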
Below are some extra resources about OpenPGP.
Filed in: Team Member Blog
I made it to the Barcamp on Saturday and it was great. I really wish that I would have been able to stay longer, but I was only able to attend on Saturday afternoon.
From the beginning, the Barcamp embraced the Wiki concept. All planning information was kept updated on the Barcamp Madison Wiki page and it continued to be used throughout the event. When checking in, one of the people manning the registration desk was entering attendees names into the Wiki along with sessions to let everyone know that the person had arrived. As everyone chose when and where they wanted to hold their sessions, someone was putting an electronic version on the Wikis. During the event, people updated the Wiki with new information.
The Barcamp was well attended. Though the goal was to get 400 people to the Barcamp, at last count 128 people were added to the “Present” portion of the Wiki. I have to say, it really seemed like more than that were there.
I did manage to lead two sessions right away in the afternoon. The first session I gave a presentation about Gentoo Linux. There weren’t too many people there, maybe 15 – 20, but they all seemed to be pretty interested. Hopefully they enjoyed the presentation. The presentation is available on my website for download [tech.fradkin.com]. The second session I threw out there because there were no Ruby on Rails sessions listed. I ended up just facilitating a nice discussion about Ruby and Rails. There was enough interest that a bunch of us holed up in the Hack Room for an extra 2.5 hours and discussed Rails 101. I let others take over to demonstrate Rails for those who had never seen it.
There were a bunch of people with cameras taking all kinds of pictures and video. If you head over to flickr and check out all the images tagged with barcampmadison, you’ll see some of the action. I even found some pictures of myself.
Just before I left the Barcamp, one of the organizers, Ken Rheingans, asked me if I’d consider being one of the Ruby on Rails Community organizers for Barcamp USA. I accepted. Now, I’m considering helping out with the Linux Community also.
So, put August 23 – 26, 2007 on your calendars now. Barcamp USA is at the Jefferson County Fairgrounds, just a hop, skip, and jump away from Madison. They’re expecting around 5000 people to attend from all over the US and even from overseas. As fun as Barcamp Madison was, I expect that Barcamp USA will be even more fun.
Filed in: Team Member Blog
# Two Ruby methods; a method name ending in "?" conventionally returns a boolean.
def is_it_snowing?
  true
end

def how_much_snow?
  if is_it_snowing?
    puts "a ton"
  end
end

how_much_snow?
Filed in: Team Member Blog, ruby
What does it mean to be random?
To most observers, as long as numbers, characters, or events show no discernible pattern while being observed, they would be considered random. Coin flips are random. Dice rolls are random.
There are official definitions of the word random.
From www.dictionary.com:
- Having no specific pattern, purpose, or objective
- Of or relating to a type of circumstance or event that is described by a probability distribution.
- Of or relating to an event in which all outcomes are equally likely, as in the testing of a blood sample for the presence of a substance.
Why is this even important? Randomness is the key to good security. Random numbers are used to generate encryption keys, the salts and nonces that accompany hashes, the keystreams of stream ciphers, and session identifiers and other secrets elsewhere in cryptography. For messages, data, and identities to remain secure, those random numbers and bytes need to be as unpredictable as possible: if an attacker can guess the generator’s state, every key derived from it falls with it.
This area of cryptography and mathematics is widely studied. People are becoming more and more interested in privacy and want their data to be secure.
There are many different ways to generate random data. Some are very predictable, some are unpredictable, some are fairly secure, and others are considered cryptographically secure. Which kind you need depends on what you are protecting: a shuffle in a game can use a fast seeded generator, but anything that must stay secret needs a cryptographically secure one.
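As an added example, not part of the original post, of the gap between a predictable generator and a cryptographically secure one: the Ruby below mints a token two ways, with the clock-seeded Mersenne Twister behind Random and with SecureRandom, and shows how cheaply the first kind is recovered by an attacker who knows roughly when it was made. The names weak_token, strong_token and recover_seed are chosen here.

```ruby
require "securerandom"

TOKEN_BYTES = 16

# Predictable: Ruby's Random is a Mersenne Twister, fully determined by its
# seed. Seeding from the clock (a common mistake) leaves an attacker only a
# few hundred plausible seeds to try.
def weak_token(seed)
  Random.new(seed).bytes(TOKEN_BYTES).unpack1("H*")
end

# Cryptographically secure: SecureRandom reads the operating system's CSPRNG
# (getrandom/urandom or the platform equivalent). There is no seed to guess,
# and earlier outputs do not reveal later ones.
def strong_token
  SecureRandom.hex(TOKEN_BYTES)
end

# Attacker's view: knowing roughly when a weak token was minted, try every
# candidate seed in a +/- window and return the one that reproduces the token,
# or nil if none does. Cost is the window size, not 2**128.
def recover_seed(token, approx_time, window_seconds)
  ((approx_time - window_seconds)..(approx_time + window_seconds)).find do |seed|
    weak_token(seed) == token
  end
end

if __FILE__ == $PROGRAM_NAME
  minted_at = Time.now.to_i
  token = weak_token(minted_at)
  puts "weak token:      #{token}"
  puts "recovered seed:  #{recover_seed(token, minted_at + 7, 60)} (actual #{minted_at})"
  puts "strong token:    #{strong_token}"
  puts "recovered seed:  #{recover_seed(strong_token, minted_at, 60).inspect}"
end
```

The same search works against any generator whose whole state fits in a guessable seed, whatever the output size, which is why key material, session identifiers and nonces should come from SecureRandom (or the OS generator it wraps) and never from Random or rand.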
Stay tuned to future entries about Randomness and how random data can be generated.
Sources:
Wikipedia: Randomness
Wikipedia: Random number generator
Wikipedia: Cryptographically secure pseudorandom number generator
Bruce Schneier, Applied Cryptography
Filed in: Team Member Blog
MATC’s Spring IT Mentoring program has begun.
Filed in: Company Insight