Commissaire at DevConf 2017

Commissaire had a presence this year at DevConf.cz. Check out our video as well as other really cool stuff.


More Editors/IDEs

In my last post I talked about not being able to find a good Python editor/IDE other than vim. Nothing has really changed since then but there was another editor and IDE that was brought to my attention which I failed to point out. Let’s talk about them!

Editors/IDEs

Emacs

While talking with Tim Bielawa I was reminded about Emacs since it’s what Tim uses. Emacs has such amazing integration that people sometimes say it’s an operating system itself! I’ve really only ever given Emacs two real shots at being my main editor. The first time was when I was just starting to get into programming and was reading a lot about what other programmers and system administrators used. At first it seemed a lot easier than vi but I ended up running with vi/vim since, at the very least, vi seemed to always be present on every Linux/BSD box I worked with by default. The second attempt was after I promised a few Emacs users at work that I’d give it another fair shot. I said I would use Emacs when I’d normally use vim for a full week, knowing that it would force me to learn more about the editor. It wasn’t easy to stop trying to use modal editing but I was able to code without feeling too contained by the editor (Note: the contained feeling was me not knowing the editor well, not Emacs itself. It was really obvious that Emacs is a powerful editor). My biggest gripes from the week-long test were around needing to install Emacs on systems for use (which is sort of a silly one, I admit) and I felt some of the commands were way too long. I don’t remember the last one off the top of my head but I do remember that one command had a bunch of dashes and was frustrating every time I needed to use it. I think it’s about time I try it again and see if I can overcome my hurdles trying to use it efficiently. Who knows, maybe third time’s the charm!

Cloud9

Cloud9 is really cool. It’s not your grandfather’s IDE by any stretch. As the name implies the application exists out in the cloud (they use OpenShift). I love the idea that I can start editing code with full IDE features from any machine I’m currently occupying. I have not tried using Cloud9 with a tablet (with keyboard of course!) yet but if that works then this thing would have rockstar status in my mind. I’ve used it for a few projects for both ease of use and to test out some of the features Cloud9 boasts. Being that it is on OpenShift the IDE has its own platform letting you install tools and dependencies. There are also some collaboration features which I have not tried out yet mainly because I’m not sure how that works when you are using GitHub (i.e. can they push code under your name or are they restricted?). I would use Cloud9 a lot more if it wasn’t for the Internet. While Cloud9 is pretty responsive in most cases, at some point in the network connection between “here” and “there” things slow down or stop responding for a second or two. If this was something other than coding I probably wouldn’t care that much … but this is coding. Any hiccup while editing breaks concentration and slows down progress. One other issue I noticed was the lack of preferences across one’s instances. Say you have two projects in Cloud9. Each project has its own IDE instance. If you want to set preferences for both IDE instances you will have to open each on its own and set them. You cannot set any kind of global default preferences for all your instances. Hopefully they will add that functionality as I’m pretty positive I’m not the only person who finds that a bit weird. Over time Cloud9 and similar IDEs will find ways to speed up and add better preference support but until then, in my mind, Cloud9 is straddling the line between full contender and really cool tech preview to keep my eye on.

Why I Chose NewsBlur

Not all that long ago Google Reader closed its doors, pushing millions of users off the platform. Many users were frustrated to lose their long-time place to get their news, not all that different from someone in yesteryear losing their favorite newspaper. The whole thing was far from ideal but did go to teach users that you can’t expect cloud services to last forever (which is a good wake-up call). But in the fall of Google Reader came many possible replacements which added their own spins on how one reads news. Feedly, The Old Reader and NetVibes were a few of the popular replacements. But I settled on NewsBlur and eventually became a paid user.

NewsBlur is mainly written by Samuel Clay (more on why I say mainly later). He seems like a friendly, hard-working fellow. He responds to bug reports and is active in his product’s community. While this may seem like common sense, just take a few minutes to look at random SaaS products on the Internet. You’ll find many of the developers are hidden behind customer service groups who, at worst, are outsourced and are more of a dead end than a way to get things fixed. Long story short, it seems like Samuel really cares about his product.

It is possible to have a Free account on NewsBlur. While you are limited to a specific amount of feeds many people will find the limits are higher than the feed counts they had in Google Reader. At the time of writing the limit is 64 sites.

There are some social features provided by NewsBlur yet these features are not required nor forced into general workflow. For instance, there is a concept of the BlurBlog which looks like it could be fun. But I tend to read the news and share elsewhere. If I ever decide to use the BlurBlog functionality it’s there. Otherwise I can just use NewsBlur as a fantastic reader.

NewsBlur is Open Source under the MIT license (also known as the Expat License). This gives me peace of mind knowing that if Samuel ever decided he was done with NewsBlur I could export my feeds, set up my own instance, and continue using the product on my own infrastructure. Yeah, it’s not trivial but it’s possible, which is a huge advantage given the last reader I used shut down.

No software is without its bugs but Samuel does a good job bug squashing. And if you are a developer who wants to give a hand you can patch the issue yourself and submit the fix (another win for Open Source). At the time of writing there are 43 development contributors to NewsBlur. This is a much better solution than waiting for a customer service representative to reinterpret your bug submission to a developer so that the fix may be done someday in the future.

If you are still looking for a replacement for Google Reader give NewsBlur a chance, even if it’s a second chance, as the application seems to be enhanced weekly. If you like it, consider becoming a paid user. And you can’t say no to Shiloh:

Introducing Flask-Track-Usage

A little while ago one of the guys on a project I work on was asking how many people were using the project’s public web service. My first thought was to go grepping through logs. After all, the requests are right there and pretty consumable with a bit of Unix command line magic. But after a little discussion it became clear that would get old after a while. What about a week from now? How about a month or year? Few people want to go run commands and then manually correlate them. This led to us looking around for some common solutions. The most obvious one was Google Analytics. To be honest I don’t much care for those systems. While that one may not be (or may be) intrusive on users, I just don’t feel all that comfortable forcing people to be subjected to a third party of a third party unless there is no other good choice. Luckily, being that the metrics are service related, the JavaScript/cookie/pixel based transaction wouldn’t have worked very well anyway.

So it was off to look at what others have made with a heavy eye towards Flask based solutions so it matched the same framework we were already using. Flask-Analytics came up in a search. The simple design was something I liked but the extension was more so aimed at using cookies to track users through an application while we want to track overall usage. I figured it was time to roll something ourselves and provide it back out to the community if they could use it as well.

Here it is in all its simplistic glory: Flask-Track-Usage. It doesn’t use cookies or JavaScript and can store the results into any system for which you provide a callable or Storage object. There is also FreeGeoIP integration for those who want to track where users are coming from. The code comes with a MongoDB Storage object for those who want to store the content back into their MongoDB. Want to know a bit more of the technical details? Check out the README or the project page. Patches welcome!

Nexus 4 Mini Review

This Nexus 4 has only been with me a short time but I can already see why the guys and gals who got their hands on the original batch of devices have raved so highly about them. Here’s a short run down of my thoughts so far…

The Look

Nexus 4 (Photo credit: abuakel)

The device is understated for what one expects from flagship devices. By that I mean the Nexus 4 is not meant to draw eyes to it or make you the talk of the cool guy crowd. It’s meant to look a lot like every other Android device out there. Not exactly like others but close enough that at a glance it wouldn’t stand out. The main thing that does stand out when focusing on the device is the back due to its sparkle/glass look. It actually does make the device look special without forcing its ‘coolness factor’.

As a side note it’s nice to have fewer brand names thrown all over the back. I’ve had phones which had multiple brands plastered on them, followed by a bootup reminding me (and everyone around me) of the brands ‘involved’ in the device. The Nexus 4 says Nexus and has a smaller LG logo near the bottom. The front is refreshingly brandless. Bootup also avoids yelling about its Google and LG makers. I love it!

The Form

Like the look, the form isn’t much different than many other current generation Android devices but it does have a slightly larger screen than my previous SGS II. To be honest I really like that as I’ve grown accustomed to the general Android device slate. Where it does part ways with most of its siblings is in how well the build feels. It’s light without feeling cheap. It’s thin without feeling frail. I’m not totally sure why the back is glass (other than giving it a slightly different look when you focus on it) but I have to assume that ends up adding to the positive build feel.

General Usage

Blockbuster: better than the app. (Photo credit: ario_)

Hopefully every Android device manufacturer is taking notice of this device because this thing is exactly how I want to use a phone. First off I didn’t have to spend time hiding a bunch of ‘value added’ applications that I’ll never use. The number of telco-bought devices I’ve had which forced me to keep NASCAR or Blockbuster installed even though I never used either is a sad number.

Next, the device is fast. Really fast. I’ve been on the Tegra everywhere bandwagon and now I’m thinking Snapdragon really may be where it’s at for phone size devices. Then there’s the fact the device is running stock Jelly Bean. This means no Sense, TouchWiz, etc… Just Android the way it was meant to be. No extra value is added which makes it much more valuable.

Most of the applications that one expects are there so I won’t jump into them, but Google Now is something I can see using pretty often. Don’t get me wrong, this is not my first Jelly Bean device. I have a Nexus 7 which I’ve been very happy with, but the Google Now software on a device that only has wifi access does not do Google Now justice.

The camera seems quite good so far. To be fair I have not used it much yet but here is a test photo I took in moderate to low light in a coffee shop. For a more in-depth look at the camera look at TechRadar’s review.

Medium/Lower to low light indoor photo. No flash.

Some Downsides

Nothing is perfect but wow does the Nexus 4 come close! Two of the three downsides are minor and are only noticeable once.

SIM Size

The first thing I did after charging the new device was to pull the SIM card from my old device for use in my new one. I should have noticed when reading about the Nexus 4 that it uses a Micro-SIM. Not a big deal but it did require a run to the closest telco store to get one.

GSM Micro SIM card vs. GSM Mini SIM card (Photo credit: Wikipedia)

Initial Usage

There were a decent number of updates ready to be installed upon first usage: an OS update along with many application updates. It would be nice if Google could use the latest ROM when shipping new batches. Again, not a big deal at all but it still would be nice.

Storage

This is what kept me from buying it originally. The storage is capped at 8 or 16 GB, which doesn’t sound like a good deal for those of us who keep our music library with us at all times. There are options that limit this as an issue. Using Google Music, Amazon Cloud Player, Subsonic, Pogoplug, etc. can keep your music collection within reach as long as you have a data connection, but each has its own downsides as well. My annoyance is generally with the quality of the music player for the services. It’s not that they are bad players but they are feature poor compared to many of the local players.

tl;dr

Reign Of The Android (Photo credit: JD Hancock)

If you are in the market for a new Android phone right now then there is no better option than the Nexus 4. While not perfect, its downsides are few and are heavily overshadowed by how well the device works both in terms of physical feel and software. A real Jelly Bean experience, great build quality, no telco lock-in and really fast. Did I mention you don’t have to put up with apps forced on you by telcos? Assuming that the device is currently available in your region there is not a reason to avoid it. Go get it!

Hello Raspberry Pi

I couldn’t help it. I’ve watched other open source friends rave about playing with the Raspberry Pi but had yet to really jump in on it all. See, I bought a GuruPlug a while back and had kind of a bad experience with it. You know, overheat and shut off. In fairness the manufacturer of the device did provide a hardware fix quite a while later, but I’d already moved on and forgotten why I bought the device in the first place. It took the consistent praise from online friends and one conversation with my friend Andrew to get me to take the plunge.

Yesterday it arrived in a nondescript package. A simple yellow padded envelope. Opening it up I saw two small boxes. Funny thing is the larger of the two boxes is actually the wall plug. But I didn’t have time to do anything other than prepare an SD card with Raspbian on it. Today I’ve thrown it on the network (headless) and have an ssh connection in to update the default system.

Now I’m at a bit of a loss or, I should say, I’m not sure where to start. I picked up a breadboard, wires and LEDs to do a little playing around. I’m just not sure what I want to do for a longer term project. I’d like to start working with some sensors and pick up more knowledge in that space. I have some more components on the way but it will be a while. Maybe I’ll snag an Arduino while I wait.

What I Want From a Home Theater PC/Digital Media Receiver

A few years ago I sat down to figure out how much I was paying in cable versus the amount of time I was using it. I found that I really only watched a handful of shows and could probably save money by buying the seasons. In other words I was a normal casual TV watcher. The next course of action was easy because for me it was a no brainer. I cut cable. I haven’t wanted to go back.

Today I use a PS3 to watch Netflix and Amazon while relaxing at home. On the go it’s Android devices to watch Google Play and Netflix. These are great services and, overall, I’m happy with the content they provide (though Netflix seems to go up and down in terms of stability...).

I just read about the newer BoxeeTV after hearing about it in some podcasts. I like its idea but, for me, it still isn’t what I really want out of an entertainment device. I like the idea that it uses cloud storage because it should make it easier to stream the content to other devices as well (at least in theory). It’s nice on general functionality now, but I can’t see it as a long term solution. I still have two issues with the designs of Boxee and the like that keep me waiting to put down money on a dedicated HTPC/DMR.

When I want to watch something that I will be paying for I want to feel like the customer. I want to feel like I’m getting the best price for the item I’m purchasing. Simple concept. So far I’ve yet to see a device which makes me feel this way. Instead, I feel like I get access to one or more video services where I can pay their price if I choose to buy/rent/subscribe. Most of the time I know what I want to watch and what I really want the device to do is search across all the services I have accounts on for the best price. Am I a Netflix member and it’s there? Great! Take me there! Is it $0.50 cheaper on Google Play than Amazon VOD? Let’s buy it from Google then. In the end I don’t much care who is providing the content so much as that it’s legal, I am getting it at the best price and am able to access it when I want to watch it. As a bonus it would be nice to tell the difference between watching it because it’s in a subscription and owning a watch-it-forever license.

The other item is not something an HTPC/DMR company can really influence directly in my opinion. I believe that when I purchase a video online I’m actually purchasing a license to stream the content. Not all services are available on all devices (as I alluded to before with Amazon not being on my tablet). Why can’t I import my licenses from provider A to provider B? At the very least why can’t I do it if provider A changes its business to something else (or goes out of business)? The quick argument against license import/export would probably be about how a customer could move away to another service but, honestly, that wouldn’t be a major problem. In fact, it could be a benefit. Someone who moves is likely moving over to make the other service the sole provider of their content due to price/convenience/access for their specific situation. This would mean future revenue from the person. The original seller wouldn’t lose the money already made by selling the license and would gain back bandwidth by not needing to stream the content to the user. The consumer wins here as well as they can gain the best access and use the service(s) they wish to use at any time. It’s not remotely like this today and I’ve been burnt in the past by companies deciding to change direction and cut access to purchased content. For this reason I can’t see any of the devices (or services) today as a long term buy nor a replacement for buying a Blu-ray or DVD.

The closest option seems to be XBMC but it also seems to be more channel focused instead of content focused, and the issues around future access still exist from the big players. Things do seem to be moving in the right direction but, for now, buying content in a physical media format is the safest bet for watching later.

Simplicity Over Beauty. Functionality Over Features.

I’m a fan of many of the services that allow the legal purchase of music online. One service that I’ve come to enjoy over the years is emusic which, for quite some time, didn’t provide a way to download music other than through their website and desktop downloader.

As seems common, a developer decided to scratch his own itch and release a mobile downloader application. If it wasn’t for his application I could have easily moved over to Amazon MP3 or Google Music just based on the ease of purchase and growing selections. Fast forward a year and emusic figured out people wanted a mobile downloader. A beta was released.

And it was buggy and had features that, as a user, I really don’t care about while having oddly implemented features that seemed core to the downloader experience. Let me explain: I wanted to search, purchase and download music. I think that those three actions are nearly universal for a music purchase and download app. Here is the list of features for the official emusic application:

  • Listen to any MP3 files stored on your phone through the music player
  • Get song recommendations based on your listening habits
  • Create playlists tailored to your every mood
  • Browse an artist’s dossier (discographies, biographies, photos, features, and related artists) while you listen to music
  • Access eMusic’s unique charts
  • Search eMusic’s catalog and listen to track samples
  • Download music
  • Listen to eMusic Radio (available to U.S. members only)
  • Save for Later
  • Access account details

(Source)

This is how I ended up feeling about the emusic application: it searched, purchased (or crashed), downloaded in a weird filename format (or crashed), wanted to search my existing library to give recommendations (sort of weird) and listened to samples (or crashed). When the application crashed there was a possibility that emusic would think I downloaded the song when I didn’t receive it, meaning I would need to contact support and ask for a redownload.

The ‘weird format’ may sound, well, weird but it’s true. I’m someone who likes to listen to music in many settings. The two most common ways I listen to music are from a laptop or via my phone. Obviously this means I’m at least using two different music players (right now it’s Nightingale and Player Pro) and the need to organize music is important. When I download via the emusic website or via the indie developer’s app I get a nice directory structure with artist and songs named in a way that makes sense to me. When I download from the emusic mobile application, well, see for yourself:

In fairness many of the crashing bugs have been fixed and it’s a better client than it was, but I still buy and download using the third-party app developer’s application. It’s simpler, stable and lets me do the three tasks I need out of a downloader.

So why didn’t emusic decide to license/buy the downloader that the developer released? I’m not totally sure but I have an inkling that they wanted to show they could outdo the simple app. Pretty interface, more features, samples, etc. As a user I care less about how it looks and much more about how functional the application is.

Today I still use the indie developer’s emusic downloader instead of the official app and I recommend its use over emusic’s official app. I want an application that lets me get the music I want and delivers a consistent user experience (read: simple flow and doesn’t crash). If it’s not pretty or doesn’t have every single cool feature under the sun, well, I’m ok with that.

Basic Web Security For The Average User

The Web has been around long enough that Web applications are a part of most everyone’s daily life. Even when a user is on a mobile device they could be interacting with Web services. Sadly there are still many applications and services out there which are lacking what should be the minimum security. Luckily there are some workarounds users can apply to try and protect themselves when applications have less than stellar security practices.

Secure Sockets Layer (SSL)

What is it?

SSL keeps the Web traffic between you and the originating server encrypted, meaning it’s harder for someone else to see the data while it is in transit. If SSL is not in use the Web traffic is viewable by anyone on the wire.

Can I increase my safety?

The best defense is diligence. Whenever you are going to be entering data, logging in, or doing anything after you have logged in, it’s best to make sure you see ‘https:’ at the start of the URL.

For Firefox and Chrome users the EFF provides an extension called HTTPS Everywhere which attempts to keep your browsing over SSL where possible.

Cookie Flags

What is it?

Cookies are used to help identify the client and store small bits of information on the client side (your browser). Over the years a few flags have been added to cookies that help keep them from getting to the wrong people as easily. These flags are Secure and HttpOnly. Secure tells the browser that it should only send the cookie to the server if the connection is using SSL. If it isn’t using SSL the cookie does not get sent with the request. HttpOnly keeps the cookie out of the hands of JavaScript, only giving it back to the originating server directly over HTTP/HTTPS requests.
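As an added example (not from the original post), here is a small audit script that parses Set-Cookie headers and reports cookies missing the Secure or HttpOnly flag, plus a helper showing how the standard library emits a header with both flags set. The header values are constructed for the demonstration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, the kind one might collect from an
# application's responses while auditing it (not real traffic).
SAMPLE_HEADERS = [
    "session=9f3c2a1b; Path=/; Secure; HttpOnly",
    "remember_me=yes; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "tracker=abc123; Path=/; Secure",
]

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (name, {attribute: value}) for one Set-Cookie header value.

    Boolean attributes such as Secure and HttpOnly map to True. Attribute
    names are lower-cased because browsers treat them case-insensitively.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def missing_flags(headers):
    """List (cookie_name, [missing flags]) for cookies lacking Secure/HttpOnly."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if attrs.get(flag) is not True]
        if missing:
            findings.append((name, missing))
    return findings


def build_session_cookie(name, value):
    """Emit a Set-Cookie header value with both flags set, using the stdlib."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True    # only sent over SSL/TLS
    cookie[name]["httponly"] = True  # not readable from JavaScript
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


if __name__ == "__main__":
    for cookie_name, missing in missing_flags(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is missing: {', '.join(missing)}")
    print("hardened example:", build_session_cookie("session", "9f3c2a1b"))
```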

Can I increase my safety?

Right now I’m not aware of any extensions which force cookies to be HttpOnly on the browser side. If you are aware of a good mitigation please comment.

Cross Site Scripting (XSS)

What is it?

OWASP defines XSS like so:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

(Source)

Can I increase my safety?

By installing NoScript or something similar and utilizing Google Safe Browsing you can lessen the chance of successful XSS attacks, but it is far from a silver bullet. There is work being done to attempt to make XSS attacks much harder but it’s not currently in use.
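The OWASP definition above comes down to user input reaching the page without encoding. As an added example (not from the original post), here is the flawed rendering beside the encoded version, using a constructed comment string; the template and function names are assumptions for the demonstration.

```python
import html

# Constructed user input of the kind a comment form might receive.
UNTRUSTED_COMMENT = 'Nice post! <script>alert("xss")</script>'

# A minimal HTML text context into which the comment body is placed.
TEMPLATE = '<li class="comment">{body}</li>'


def render_comment_unsafe(body):
    """Flawed: the user's input is placed into the HTML output as-is."""
    return TEMPLATE.format(body=body)


def render_comment_safe(body):
    """Encode the input for an HTML text context before interpolating it.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the characters as text instead of parsing them as markup.
    """
    return TEMPLATE.format(body=html.escape(body, quote=True))


def contains_tag(rendered, tag):
    """Crude check used here only to contrast the two renderings."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(UNTRUSTED_COMMENT))
    print("safe:  ", render_comment_safe(UNTRUSTED_COMMENT))
```

Encoding is context-specific: the escaping shown here is right for HTML text, while values placed into attributes, URLs or script blocks need the encoding for that context.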

Cross Site Request Forgery

What is it?

Cross-site request forgeries happen when a page on one site causes the browser to make a request to a different site in order to do something on behalf of the user. There are many cases where this behaviour is used by developers as functionality, but that doesn’t make it any less dangerous.

Can I increase my safety?

Wikipedia has a good page on the subject:

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones.

(Source)

Password Hashing

What is it?

When an application stores passwords it should do so in a way that it doesn’t actually know the password you’ve entered. It may sound odd but it’s pretty trivial for application developers to do this. Yet sometimes they forget to implement this hashing (or the application is ancient and was never updated to do this).

Can I increase my safety?

The best thing a user can do to protect against disclosure is to use a different password for each site. Understandably this can sound scary: people feel like they have to remember too many passwords already. Thankfully there are applications which can generate, store and remember these passwords and let you remember just one. Here are a few popular choices:

External References

What is it?

It’s very common for Web applications to include JavaScript, images or CSS from other locations. The reason for this is either to increase performance by using the browser’s cache, use of a content delivery network, including ads/analytics or, in some cases, laziness. The problem for the user comes when the remote content becomes unsafe or the content acts in ways the user is not OK with.

It can also cause problems for the application including the content. For more information see my previous post over trusting others to host your content.

Can I increase my safety?

Being that, in most cases, the external references are required for the application to work, it is quite hard to fully add protection in the browser, but there are still some things that can help.

One more thing…

While not specifically related to the bare minimum of remote web application security, it’s important to keep your browser and extensions/plugins updated with the latest patches and supported versions. This can help protect against sites which are hosting browser based exploits for one reason or another (of course, don’t purposely go visit such a site!). For plugins, Mozilla provides a great plugin check page which seems to work for Chrome to some degree as well. Go check your versions!