Shallow Thoughts : : tech
Akkana's Musings on Open Source Computing, Science, and Nature.
Mon, 17 Dec 2012
Conversation today with a bank person over the phone:
Me:
Can I get you to start sending me statements in the mail again?
Bank rep:
We've gone all online now! It's so easy and convenient!
Me:
I prefer to limit how much banking I do online, for security reasons.
Bank rep:
Oh, but we have two factor security! It's secure!
You can change your account name so it doesn't have to be your social
security number -- AND you can set a security question so only you can
reset your password!
Me:
Right.
(The conversation progresses. She promises to send me a statement,
but meanwhile it develops that there are some questions I need
answered that can't be done easily over mail and require an
online account. We proceed to set that up ...
Bank rep:
... and now you're at the password screen, right?
Me
(reviewing the list of security questions):
Um, you know that every one of your security questions is something
that anyone could look up, right? Last 4 digits of driver's license?
Last 4 digits of phone number? Last 4 digits of credit card?
Bank rep
(astonished):
What? Aren't there any that couldn't be looked up?
Me
(scanning through list again):
Well, the one on "last 4 digits of your best friend's phone number"
at least requires guessing who your best friend is before they
look up the number.
Seriously, every single one of their security questions was "last 4 digits of"
something that's either a matter of public record, or something that's
probably trivially available for $5 on shady websites.
Of course, you're thinking, you don't have to use the real 4-digit
numbers for any of these. No, of course you don't! You can make up
a number and use it as the answer for any of these.
In which case a better, more honest, security question would be:
"Please enter a 4-digit PIN."
Tags: security, web
[
14:59 Dec 17, 2012
More tech/web |
permalink to this entry |
comments
]
Tue, 07 Aug 2012
Quite a few programs these days use XML for their configuration files
-- for example, my favorite window manager,
Openbox.
But one problem with XML is that you can't comment out big sections.
The XML comment sequence is the same as HTML's:
<!-- Here is a comment -->
But XML parsers can be very picky about what they accept inside
a comment section.
For instance, suppose I'm testing suspend commands, and I'm trying
two ways of doing it inside Openbox's menu.xml file:
<item label="Sleep">
<action name="Execute"><execute>sudo pm-suspend --auto-quirks</execute></action>
</item>
<item label="Sleep">
<action name="Execute"><execute>sudo /etc/acpi/sleep.sh</execute></action>
</item>
Let's say I decide the second option is working better for now.
But that sometimes varies among distros; I might need to go back to
using pm-suspend after the next time I upgrade, or on a different
computer. So I'd like to keep it around, commented out, just in case.
Okay, let's comment it out with an XML comment:
<!-- Comment out the pm-suspend version:
<item label="Sleep">
<action name="Execute"><execute>sudo pm-suspend --auto-quirks</execute></action>
</item>
-->
<item label="Sleep">
<action name="Execute"><execute>sudo /etc/acpi/sleep.sh</execute></action>
</item>
Reconfigure Openbox to see the new menu.xml, and I get a
"parser error : Comment not terminated". It turns out that you
can't include double
dashes inside XML comments, ever. (A web search on
xml comments dashes will show some other amusing problems
this causes in various programs.)
So what to do? An Openbox friend had a great suggestion: use a CDATA
section. Basically, CDATA means an unparsed string, one which might
include newlines, quotes, or anything else besides the cdata end tag,
which is ]]>. So add such a string in the middle of
the configuration file, and hope that it's ignored.
So I tried it:
<![CDATA[ Comment out the pm-suspend version:
<item label="Sleep">
<action name="Execute"><execute>sudo pm-suspend --auto-quirks</execute></action>
</item>
]]>
<item label="Sleep">
<action name="Execute"><execute>sudo /etc/acpi/sleep.sh</execute></action>
</item>
Worked fine!
Then I had the bright idea that I wanted to wrap it inside regular
HTML comments, so editors like Emacs would recognize it as a commented
section and color it differently:
<!-- WARNING: THIS DOESN'T WORK:
<![CDATA[
<item label="Sleep">
<action name="Execute"><execute>sudo pm-suspend --auto-quirks</execute></action>
</item>
]]> -->
<item label="Sleep">
<action name="Execute"><execute>sudo /etc/acpi/sleep.sh</execute></action>
</item>
That, sadly, did not work. Apparently XML's hatred of double-dashes
inside a comment extends even when they're inside a CDATA section.
But that's okay -- colorizing the comments inside my editor is less
important than being able to comment things out in the first place.
Tags: web, xml
[
19:20 Aug 07, 2012
More tech/web |
permalink to this entry |
comments
]
Tue, 24 Apr 2012
When I upgraded to Firefox 11 a month or so ago, I got a surprise:
I couldn't invoke firefox from other applications any more.
Clicking on a link in an app such as xchat just gave me the Firefox
Profile Manager dialog, instead of opening the link in the browser
I was already running.
I couldn't find anything written about it, so I've been putting up
with it, copying each link then switching to the desktop where Firefox
is running and middleclick-pasting it into the browser. But this morning,
I did a new round of searching, and finally found the answer, in
bug 716110.
and its duplicate,
716361.
Quoting from bug 716110::
[The developers] changed the -no-remote flag's behavior in a
surprising, backward incompatible way. Before, it just meant "start a
new instance." Now, it also means "don't listen for remote commands."
Apparently the change went in for Firefox 9, because of
bug 650078.
Indeed, that was the problem. I have multiple Firefox profiles, so
I use -no-remote -P profilename when I start Firefox, so
each profile doesn't conflict with one that might already be running.
But with Firefox 9 or later, you can't do that. Instead, run your
first, primary profile without -no-remote; then if you start up other
profiles later, run them with -no-remote so they don't conflict with
the first one. That works okay for my typical usage, fortunately: I
have a main Firefox window I run all day, and only start up other
profiles for short periods.
But since not everyone uses this model, fortunately, some upcoming
Firefox version will fix the problem by adding a new runtime flag,
-new-instance, to do what -no-remote used to do:
start up a window for a new profile, rather than talking to the
running Firefox. Here's the new --help text:
| -no-remote | Do not accept or send remote commands; implies -new-instance.\n
|
| -new-instance | Open new instance, not a new window in running instance.\n
|
The web
Command
Line Options page doesn't seem to have been updated yet, but
perhaps it will when the Firefox with the fix is released.
Of course, it would have been much simpler if Firefox just honored
the -P flag and used whatever profile it was given, as suggested by a
commenter
in bug 650078. But bsmedberg replies that the complexity of the code
makes that difficult.
The new arguments look more sensible than the old -no-remote, though
it's frustrating that it was so hard to find information about changes
like this. All three bugs are filled with comments from people who,
like me, lost a lot of time trying to figure out what broke and how to
launch URLs remotely after the change. Thanks to Ryan for clarifying
the issue and filing the bug to fix the problem, and to Jed, who added
the new flag with his first Mozilla patch. Hooray for open source!
Tags: firefox, mozilla
[
10:26 Apr 24, 2012
More tech/web |
permalink to this entry |
comments
]
Mon, 09 Apr 2012
I've been fiddling with several new Android devices, which means
I have to teach myself how to use adb all over again.
adb is the
Android
Debug Bridge, and it's great for debugging. It lets you type commands
on your desktop keyboard rather than tapping them into the soft
keyboard in Android's terminal emulator, it gives you a fast
way to install apps, and most important, it lets you get Java stack traces
from crashing programs.
Alas, the documentation is incomplete and sometimes just plain wrong.
Since I don't need adb very often, I always forget how to use it
between sessions, and it takes some googling to figure out the tricks.
Here are the commands I've found most helpful.
Start the server
First you have to start the adb, and that must be done as root.
But adb isn't a system program and probably lives in some path like
/home/username/path/to/android-sdk-linux_x86/tools.
Even if you put it in your own path, it may not be in root's.
You can probably run it with the explicit path:
$ sudo /path/to/android-sdk-linux_x86/tools/sudo adb start-server
or you can add it to root's path:
# export PATH=$PATH:/path/to/android/android-sdk-linux_x86/tools
# adb start-server
If you're also running eclipse, that probably won't work the first time,
because eclipse may also have started an adb server (that gets in the
way when you try to run adb manually). if you don't see
"* daemon started successfully *", try killing the server and
restarting it:
# adb kill-server
# adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Keep trying until you see that "* daemon started successfully *" message.
Connecting
$ adb usb
Occasionally, this will give "error: closed". Don't panic -- sometimes
this actually means "I noticed something connected on USB and automatically
connected to it, so no need to connect again." It's mysterious, and no
one seems to have an explanation for what's really happening. Anyway,
try running some adb commands and you may find you're actually connected.
Shell and install
The most fun is running an interactive shell on your Android device.
$ adb shell
It's just busybox, not a full shell, so you don't have nice things like
tab completion. But it's still awfully useful.
You can also install apps. On some devices (like the Nook, where I
haven't found a way to allow install from non-market sources), it's
the only way to install an apk file.
$ adb install /path/to/appname.apk
If the app is already installed, you'll get an error.
Theoretically you can also do adb uninstall first,
but when I tried that it just printed "Failure".
But you can use -r for "reinstall":
$ adb install -r /path/to/appname.apk
There is no mention of either uninstall or -r in the online adb documentation,
though adb -h mentions it.
Update: To uninstall, you need the full name of the package. To get
the names of installed packages (another undocumented command), do this:
adb shell pm list packages
Debug crashes with logcat
Finally, for debugging crashes, you can start up a logcat
and see system messages, including stack traces from crashing apps:
$ adb logcat
Logcat is great for fixing reproducible crashes. Sadly, it's not
so good for random/sporadic crashes that happen during the course
of using the device.
You're supposed to be able to do adb logcat -s AppName
if you're only interested in debugging messages from one app,
but that doesn't work for me -- I get no output even when the
app runs and crashes.
Tags: android, programming
[
10:32 Apr 09, 2012
More tech |
permalink to this entry |
comments
]
Wed, 30 Nov 2011
I recently set
up bitlbee on a new machine. Things worked fine, mostly -- but here
are a couple of tweaks that should speed things up when moving a bitlbee
configuration to another machine.
Sharing configuration files
I get so tired of re-authenticating with Twitter every time I move
to a new machine, disk, or distro. And it turns out you don't have to!
Your configuration is in /var/lib/bitlbee/yournick.xml,
and you can copy that file to other machines and it will work just
fine -- with one caveat.
Assuming you have bitlbee set up to run as a user named "bitlbee",
rather than as root (the default is bitlbee), you'll need to make
sure the /var/lib/bitlbee/yournick.xml file is owned
by the bitlbee user. If you just copy it as root,
you'll get an error like "The nick is (probably) not registered".
You can fix it with chown bitlbee /var/lib/bitlbee/yournick.xml
Hiding timestamps
On the new machine, every new tweet had a timestamp added.
Timestamps look like this:
<NatGeo> [20:26:24] Elusive marbled cat filmed: http://t.co/oOo3Xa81
<OliverSacks> [20:28:09] Happy Thanksgiving week! Check out Dr. Sacks's new blog post about Gabby Giffords and what he is reading now: http://t.co/kZCTx53h
These timestamps add clutter and make the lines too long.
But googling for bitlbee timestamps
only gets a lot of people who couldn't figure out how to suppress them
and ended up writing scripts to hide them in various IRC clients.
Turns out bitlbee has a perfectly straightforward way to hide them.
Go to your &bitlbee tab -- you know, the one that always opens first
that you have to close manually every time after it finally opens the
#twitter tab (I wish I could find a way to auto-close it!) and type:
set display_timestamps 'false'
That's it! Timestamps-b-gone.
You can see more bitlbee variables by typing set in the
&bitlbee tab, or get help by typing help there.
Tags: bitlbee, twitter
[
19:13 Nov 30, 2011
More tech |
permalink to this entry |
comments
]
Sun, 09 Oct 2011
A group of us were commiserating about that widely-reviled
feature, Google Instant. That's the thing that refreshes your Google
search page while you're still typing, so you always feel like you
have to type reallyreallyfasttofinishyourquerybeforeitupdates.
Google lets you turn off Instant -- but only if you let them set and
remember your cookies, meaning they can also track you across the web.
Isn't there a more privacy-preserving way to get a simple Google
page that doesn't constantly change as you change your search query?
Disable Instant
It turns out there is. Just add complete=0 to your search
queries.
How do you do that? Well, in Firefox, I search in the normal URL bar.
No need for a separate search field taking up space in the browser window;
any time you type multiple terms (or a space followed by a single term)
in Firefox's URLbar, it appends your terms to whatever you have set as
the keyword.URL preference.
So go to about:config and search for keyword, then double-click on
keyword.URL and make sure it's something like
"http://www.google.com/search?complete=0&q=".
Or if you want to make sure it won't be overridden,
find your
Firefox profile, edit user.js (create it if you don't have one
already), and add a line like:
user_pref("keyword.URL", "http://www.google.com/search?complete=0&q=");
Show only pages matching the search terms
I use a slightly longer query, myself:
user_pref("keyword.URL", "http://www.google.com/search?complete=0&q=allintext%3A+"
Adding allintext: as the first word in any search query tells
Google not to show pages that don't have the search terms as part of
the page. You might think this would be the default ... but The Google
Works in Mysterious Ways and it is Not Ours to Question.
Disable Instant Previews
Finally, just recently Google has changed their search page again to
add a bunch of crap down the right side of the page which, if you
accidentally mouse on it, loads a miniature preview of the page over on
your sidebar. You have to be very careful with your mouse not to have
stuff you might not be interested in popping up all the time.
A moment's work with Firebug gave me the CSS classes I needed to hide.
Edit chrome/userContent.css in your Firefox profile (create it
if you don't already have one) and add this rule:
/* Turn off the "instant preview" annoying buttons in google search results */
.vspib, .vspii { display: none !important; }
Really, it's a darn shame that Google has gone from its origins as a
clean, simple website to something like Facebook with things popping
up all over that users have to bend over backward to disable.
But that seems to be the way of the web.
Good thing browsers are configurable!
Tags: firefox, mozilla, web, google, annoyances, user interface
[
21:31 Oct 09, 2011
More tech/web |
permalink to this entry |
comments
]
Fri, 30 Sep 2011
So everybody's complaining about that new Facebook ticker. You know,
the thing that sits on the right sidebar and constantly and distractingly
updates with stupid stuff you don't care about and wouldn't be able to
click on quickly enough even if you tried.
My mom forwarded me a link to a neat page she'd seen with instructions on
removing the ticker using Adblock Plus.
A good idea -- I hadn't thought about using Adblock, though it does
seem obvious in retrospect.
But I don't currently have Adblock installed in the profile I use for
Facebook -- I keep Facebook separate from my everyday browsing,
since I don't want Facebook tracking all the other sites I visit.
Could I do the same thing with userContent.css?
It turned out to be quite easy. Copying the exact pattern didn't work,
but a minute or two with Firebug told me the CSS class of the ticker.
I edited chrome/userContent.css in my profile. If you don't
have one already, just look for userContent-example.css and create
a new file in the same directory without the -example part, named
just userContent.css. I added this line:
.tickerOnTop { display: none !important; }
Restart firefox, and presto! No more ticker.
Tags: web.firefox, mozilla, annoyances, user interface
[
20:58 Sep 30, 2011
More tech/web |
permalink to this entry |
comments
]
Sat, 24 Sep 2011
I suspect all technical people -- at least those with a web presence
-- get headhunter spam. You know, email saying you're perfect for a
job opportunity at "a large Fortune 500 company" requiring ten years'
experience with technologies you've never used.
Mostly I just delete it. But this one sent me a followup --
I hadn't responded the first time, so surely I hadn't seen it and
here it was again, please respond since I was perfect for it.
Maybe I was just in a pissy mood that night. But
look, I'm a programmer, not a DBA -- I had to look it up to verify
that I knew what DBA stood for. I've never used Oracle.
A "Production DBA with extensive Oracle experience" job is right out,
and there's certainly nothing in my resume that would suggest that's
my line of work.
So I sent a brief reply, asking,
Why do you keep sending this?
Why exactly do you think I'm a DBA or an Oracle expert?
Have you looked at my resume? Do you think spamming people
with jobs completely unrelated to their field will get many
responses or help your credibility?
I didn't expect a reply. But I got one:
I must say my credibility is most important and it's unfortunate
that recruiters are thought of as less than in these regards. And, I know it
is well deserved by many of them.
In fact, Linux and SQL experience is more important than Oracle in this
situation and I got your email address through the Peninsula Linux Users
Group site which is old info and doesn't give any information about its
members' skill or experience. I only used a few addresses to experiment with
to see if their info has any value. Sorry you were one of the test cases but
I don't think this is spamming and apologize for any inconvenience it caused
you.
[name removed], PhD
A courteous reply. But it stunned me.
Harvesting names from old pages on a LUG website, then sending a
rather specific job description out to all the names harvested,
regardless of their skillset -- how could that possibly not be
considered spam? isn't that practically the definition of spam?
And how could a recruiter expect to seem credible after sending this
sort of non-targeted mass solicitation?
To technical recruiters/headhunters: if you're looking for
good technical candidates, it does not help your case to spam people
with jobs that show you haven't read or understood their resume.
All it does is get you a reputation as a spammer. Then if you do, some
day, have a job that's relevant, you'll already have lost all credibility.
Tags: spam, headhunters, tech
[
20:30 Sep 24, 2011
More tech |
permalink to this entry |
comments
]