test - Dave's Blog


Tweet from David Risney

2016 Sep 16, 12:10
@ericlaw "Any A.I. smart enough to pass a Turing test is smart enough to know to fail it." http://www.goodreads.com/work/quotes/2440580-river-of-gods 

Tweet from Justin Wolfers

2016 Sep 13, 12:05
Here comes the latest income and poverty statistics... Be prepared to adjust your talking points... http://www.census.gov/content/dam/Census/library/publications/2016/demo/p60-256.pdf 

Tweet from David Risney

2016 Aug 30, 1:46
Turning up @Kevecca's plug them on latest comedy bang bang http://www.earwolf.com/episode/atlantis-dire-warning/ 

Tweet from David_Risney

2016 Feb 16, 2:06
OK Go's beef with YouTube led to latest video release on Facebook: http://www.adweek.com/news/technology/why-ok-go-went-facebook-only-debut-its-buzzy-zero-gravity-music-video-169599 …

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic "provide certificates to NFSN". After copying the files and setting their permissions as described in the previous link, you submit an assistance request. For me it was only 15 minutes later that everything was set up.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto header instead of the HTTPS variable because of how NFSN's virtual hosting is set up.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 
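As an added example (not part of the original post or NFSN's documentation), the Python below checks the two behaviors configured above: that plain HTTP gets a 301 to HTTPS, and that the HTTPS response carries a valid HSTS header whose max-age meets the 180-day value the post is working toward. The function names, the example.test host and the sample responses are constructed for illustration.

```python
import re

MIN_RECOMMENDED = 180 * 24 * 3600  # the post's 180-day target, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Per the RFC 6797 grammar: ';'-separated directives, case-insensitive
    names, empty directives allowed, a repeated directive is invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directive, as in the post's "max-age=3600;"
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val.strip().strip('"') if val else None
    if not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        raise ValueError("max-age is required and must be an integer")
    return directives

def check_site(http_resp, https_resp):
    """Return findings for one (status, headers) response per scheme."""
    findings = []
    status, headers = http_resp
    if status != 301 or not headers.get("Location", "").startswith("https://"):
        findings.append("HTTP request is not permanently redirected to HTTPS")
    if "Strict-Transport-Security" in headers:
        findings.append("HSTS sent over HTTP (browsers ignore it there)")
    _, headers = https_resp
    raw = headers.get("Strict-Transport-Security")
    if raw is None:
        findings.append("HTTPS response has no HSTS header")
    else:
        max_age = int(parse_hsts(raw)["max-age"])
        if max_age < MIN_RECOMMENDED:
            findings.append("max-age %d is below %d (180 days)"
                            % (max_age, MIN_RECOMMENDED))
    return findings

# Constructed sample responses (not captured from a real server).
HTTP_RESP = (301, {"Location": "https://example.test/"})
HTTPS_RESP = (200, {"Strict-Transport-Security": "max-age=3600;"})

if __name__ == "__main__":
    print(check_site(HTTP_RESP, HTTPS_RESP))
```

With the one-hour max-age from the post, the only finding is the short max-age; raising it to 15552000 clears the list.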

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Labs' SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

Tags: certificate csp hsts https lets-encrypt nearlyfreespeech.net

Tweet from David_Risney

2015 Oct 7, 10:17
An interesting history of car manufacturers cheating emissions tests: http://arstechnica.com/cars/2015/10/volkswagens-emissions-cheating-scandal-has-a-long-complicated-history/ …

Tweet from David_Risney

2015 Sep 25, 12:21
Additional article info suggests the VW emissions cheating is likely intentional and not a bug http://www.bloomberg.com/news/articles/2015-09-25/volkswagen-said-to-manage-faked-test-results-from-german-offices …

Retweet of adamakraft

2015 Jul 5, 12:52
@samplereality The @ConfederateBot is a new protest bot that retweets pro-Confederate tweets as if they were pro-Nazi.

Retweet of lizzyns

2015 Apr 10, 9:59
Yo' mama contest with Sigmund Freud pic.twitter.com/lzucszBr1A

Retweet of covernode

2015 Apr 6, 6:26
Shut it down infographics nerds, the greatest chart possible has been made pic.twitter.com/LZr6KRwhJP

Retweet of codinghorror

2015 Mar 30, 1:19
Pastebin single-payment lifetime accounts on sale. Check out pastebin's greatest hits: http://pastebin.com/trends/all 

Retweet of latest_is

2015 Mar 23, 8:01
OK Go - Red Star Macalline Commercial - YouTube https://www.youtube.com/watch?v=PjquJ5hi6zE&list=PLFdTtsxKP2oEFFk9xId-AXqAPE2Dp92VY&index=2 …

Retweet of latest_is

2015 Mar 18, 9:38
The cord-cutter's guide: calculate what it would cost to get all of your TV online http://www.theverge.com/a/online-tv-stream-price-guide …

Retweet of FioraAeterna

2015 Mar 7, 3:51
"This assert would've saved me hours of debugging. Why was it off?" *git blame* commit: "disable assert that caused test failures" *sobs*

Retweet of latest_is

2015 Mar 1, 3:08
Why Silicon Valley has a chance to dominate the auto industry - Vox http://www.vox.com/2015/2/23/8092141/silicon-valley-dominate-cars …

Retweet of latest_is

2015 Feb 10, 6:35
Automating Tinder with Eigenfaces http://crockpotveggies.com/2015/02/09/automating-tinder-with-eigenfaces.html …

Retweet of OtherDanOBrien

2014 Nov 20, 6:02
[Testing Cat-Human Translator] Scientist: Cat, what is your name? Cat: I AM KANG THE DESTROYER Owner: It's not working. His name is Socks.

Debugging anecdote - the color transparent black breaks accessibility

2014 May 22, 10:36

Some time back while I was working on getting the JavaScript Windows Store app platform running on Windows Phone (now available on the last Windows Phone release!) I had an interesting bug that in retrospect is amusing.

I had just finished a work item to get accessibility working for JS WinPhone apps when I got a new bug: With some set of JS apps, accessibility appeared to be totally broken. At that time in development the only mechanism we had to test accessibility was a test tool that runs on the PC, connects to the phone, and dumps out the accessibility tree of whatever app is running on the phone. In this bug, the tool would spin for a while and then time out with an error and no accessibility information.

My first thought was this was an issue in my new accessibility code. However, debugging with breakpoints on my code I could see none of my code was run nor the code that should call it. The code that called that code was a more generic messaging system that hit my breakpoints constantly.

Rather than trying to work backward from the failure point, I decided to try and narrow down the repro and work forwards from there. One thing all the apps with the bug had in common was their usage of WinJS, but not all WinJS apps demonstrated the issue. Using a binary search approach on one such app I removed unrelated app code until all that was left was the app's usage of the WinJS AppBar and the bug still occurred. I replaced the WinJS AppBar usage with direct usage of the underlying AppBar WinRT APIs and continued.

Only some calls to the AppBar WinRT object produced the issue:

var appBar = Windows.UI.WebUI.Core.WebUICommandBar.getForCurrentView();
// appBar.opacity = 1;
// appBar.closeDisplayMode = Windows.UI.WebUI.Core.WebUICommandBarClosedDisplayMode.default;
appBar.backgroundColor = Windows.UI.Colors.white; // Bug!

Just setting the background color appeared to cause the issue and I didn't even have to display the AppBar. Through additional trial and error I was blown away to discover that some colors I would set caused the issue and other colors did not. Black wouldn't cause the issue but transparent black would. So would aqua but not white.

I eventually realized that predefined WinRT color values like Windows.UI.Colors.aqua would cause the issue while JS literal based colors didn't cause the issue (Windows.UI.Color is a WinRT struct which projects in JS as a JS literal object with the struct members as JS object properties so it's easy to write something like {r: 0, g: 0, b: 0, a: 0} to make a color) and I had been mixing both in my tests without realizing there would be a difference. I debugged into the backgroundColor property setter that consumed the WinRT color struct to see what was different between Windows.UI.Colors.black and {a: 1, r: 0, g: 0, b: 0} and found the two structs to be bytewise exactly the same.

On a hunch I tried my test app with only a reference to the color and otherwise no interaction with the AppBar and not doing anything with the actual reference to the color: Windows.UI.Colors.black;. This too caused the issue. I knew that the implementation for these WinRT const values lives in a DLL and guessed that something in the code to create these predefined colors was causing the issue. I debugged in and no luck. Now I also have experienced crusty code that would do exciting things in its DllMain, the function that's called when a DLL is loaded into the process, so I tried modifying my C++ code to simply LoadLibrary the DLL containing the WinRT color definition, windows.ui.xaml.dll, and found the bug still occurred! A short-lived moment of relief as the world seemed to make sense again.

Debugging into DllMain nothing interesting happened. There were interesting calls in there to be sure, but all of them behind conditions that were false. I was again stumped. On another hunch I tried renaming the DLL and only LoadLibrary'ing it and the bug went away. I took a different DLL renamed it windows.ui.xaml.dll and tried LoadLibrary'ing that and the bug came back. Just the name of the DLL was causing the issue.

I searched for the DLL name in our source code index and found hits in the accessibility tool. Grinning I opened the source to find that the accessibility tool's phone side service was trying to determine if a process belonged to a XAML app or not because XAML apps had a different accessibility contract. It did this by checking to see if windows.ui.xaml.dll was loaded in the target process.

At this point I got to fix my main issue and open several new bugs for the variety of problems I had just run into. This is a how-to on writing software that is difficult to debug.

Tags: bug debug javascript JS technical windows winrt

The 5 Things To Do About the New Heartbleed Bug

2014 Apr 9, 9:06

It's time to get a password manager.

Tags: security password technical

The Dollar-And-Cents Case Against Hollywood’s Exclusion of...

2014 Apr 8, 7:01


The Dollar-And-Cents Case Against Hollywood’s Exclusion of Women - Applying the Bechdel Test to movies over the past 40 years.
