Sunday, July 29, 2007

New computer shopping

So I've been thinking about picking up a new PC for a while now. It's annoying that I have five computers, and feel the need for another.

  • MacBook G3 - bad screen (and three years old and really slow)
  • MacBook with Core 2 Duo - this is my main day-to-day laptop for email/web. However since it runs OS X, it is pretty poorly suited to do my MythTV development
  • Dell Dimension 4550 bought in 2003 - This is my main MythTV box. I could probably use this as my main target, but I reformat the disk about once a month to load new KnoppMyth images, so I wouldn't want to use it as a long term development workstation. It's also my only PC that runs MythTV, so I can't use it for development while I'm expecting it to tape the newest episode of whatever crap I watch on network television.
  • Dan's old Pentium 4 1.7GHz. The motherboard on this box is from 2001 and it causes a kernel panic when trying to load KnoppMyth. I updated the BIOS to the latest version available (from 2003) and it still doesn't work.
  • Dad's old Pentium 2 400 MHz. Not a bad little PC. I'll probably keep this around as my Windows box (which I still use occasionally for microcontroller development and other Win32 specific tools)

So if anybody's looking for a generic PC to do web/email, come talk to me so I can alleviate the guilt of buying YET another computer.

If I was going to buy a new computer, I wanted to get a Dell, since it would support their efforts to ship Linux based products. Would also like to buy only hardware that uses one of Intel's newer video chipsets (such as the 965G), since they are the only vendor around shipping good completely open source video drivers. I have no urge to get a system with an Nvidia card if for my application an Intel card would work just fine. In my particular case I am interested in support for MPEG acceleration functions through Xvmc such as motion compensation and iDCT.

So fortunately Wikipedia has a breakdown of the Intel chipsets and what features they support:

http://en.wikipedia.org/wiki/Intel_GMA#Table_of_GMA_graphics_cores_and_chipsets

Overlapping this with the product offerings from Dell, and unfortunately it looks like the Ubuntu offerings are all with nVidia cards. The ones that ship with an nVidia card (which you can't exclude from the price) appear to also have the Intel graphics support but for the G33 chipset, which is older and doesn't have the features I want.

So I get to choose between a Dell Linux PC that has the closed-source nVidia driver or to not support Dell at all by going with some other vendor that ships a 965 chipset based system with Windows.

Enough ranting. I need to deal with the more immediate problem that I have five PCs and the only one that can get any Internet access is my MacBook. On the upside, it looks like Verizon is finally willing to offer DSL without dialtone for $25.00/month, but their website appears to be broken so I can't order it.

Saturday, July 28, 2007

Most vote machines lose test to hackers

The California Secretary of State discovers what computer scientists have been saying all along - that electronic voting machines are riddled with security flaws and susceptible to vote manipulation without any form of detection.

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/28/VOTING.TMP&tsp=1

There's talk of decertification of all the machines, but it probably won't happen because the local election boards spent millions on them.

CUPS bought by Apple

It is pretty old news now relatively, but the CUPS printing project was bought out by Apple a couple of weeks ago.

http://apple.slashdot.org/article.pl?sid=07/07/12/1342258&from=rss

While I am generally in support of commercial support for open-source projects, the outright purchase of the project (since all the copyrights were assigned to a single party and transferred to Apple) is something I typically approach with some skepticism. Sure, it could be a good thing if the company continues to make it publicly available - corporate backing for the open source developers who normally would have to work on something else to pay their bills. It could also be a path to closed-sourcing a project, effectively killing it since all the mainline development gets done on a closed-source distribution and the open source version stagnates.

However, the project just did a new release, and so far it looks very promising:

http://www.cups.org/articles.php?L479

The project has picked up support for Apple's bonjour protocol, LDAP/SSL, Kerberos, and a host of other features. So while it's still a bit premature, it looks like a best case scenario - Apple paying for developers to add features that benefit the entire community.

Saturday, July 21, 2007

How my girlfriend spends Thursday nights...



Trivial Pursuits

http://catandgirl.com/view.php?loc=460

What we do in secret....

http://catandgirl.com/view.php?loc=469

More fun with encrypted resume guy

So I got another email from the guy last week with the encrypted resume. We told him we weren't interested and I expected to never hear from him again.

Hi Devin

I am very good developer. If you can give any hint
about job leads, I will greatly appreciate that.

Thanks in advance
With regards
John

On Tue, 2007-07-10 at 12:27 -0400, Devin Heitmueller wrote:
> Oh yeah, and I followed the link to the brainbench
> certifications he provided and while it properly
> identified him as "John Smith" it said "There are no
> certifications on record" and "There are no tests on
> record". You would think he might verify his links
> before sending them to prospective employers?
>
> ==
> Devin Heitmueller
> Senior Developer

Maybe the hint I should give him is not to send people his resume encrypted without providing the decryption key?

GPLv3 and the Apache license

In Philadelphia today. Spending the afternoon at Bonte with Vikki while she writes a paper and I get some work done.

Was reading an interview with Jeremy Allison (the maintainer for Samba), and saw something interesting.

http://www.linuxworld.com/news/2007/071707-interview-allison.html

Apparently the new GPLv3 is compatible with the Apache license. This is a good thing, since one could assert that generally it was not the intent of the Apache group to be incompatible with the GPL.

As a result though, I got to reading the GPLv3 for the first time. I especially like section 12:

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

This solidifies something that was only inferred in GPLv2. If you can't legally comply with some term of the license, the entire license is void - therefore you fall back on copyright law and have no right whatsoever to redistribute. Companies can't cherry pick sections and say they don't apply to them, then turn around and distribute the GPL software anyway.

Thursday, July 19, 2007

WTF?


unsigned long d;
int i;
d=0;
for(i = 1; i < (int)strlen(s); i++) d += (unsigned long)s[i] * (unsigned long)s[i - 1];


Wednesday, July 18, 2007

Feelin' crappy

Left work at 5pm yesterday because I thought I was going to fall over from exhaustion, and I didn't think it would make a good impression on my coworkers to fall asleep at my desk. Still all screwed up though because I went home and went to sleep, so I was awake at midnight.

I also missed the PerlMongers NY meeting last night because I was too tired to go.

Overslept today and didn't get into work until 10pm. Argh.

The big company party is tonight. Should be fun. The office should be relatively quiet tomorrow as a result.

Tuesday, July 17, 2007

More insomnia

Been up since 4am. Can't sleep. Very annoying. On one hand perhaps I should just go to work now since I'm not getting any sleep anyway; on the other hand I have to contend with the notion that I have only gotten about two hours of sleep so far and I have to be at work in two hours for a full day. Ugh.

On the upside, I watched four episodes of Grey's Anatomy and got caught up on the perl5-porters mailing list.

Monday, July 16, 2007

Stable is good

Oluseyi, Packy and I worked late and pretty much got the project stabilized by 10pm. Came up with what seems like a pretty good plan of attack for the next big push. The rest of the week shall be... interesting.

Lunch with Dan at the diner. Grilled cheese and fries. Tried to figure out how to schedule the upcoming projects.

Tracked down a couple of subtle race conditions that I had been seeing on and off for the last few days. They're the sort of things that you see go across the screen for a split second, and you ask yourself, "what was that?" And then you look closer and it doesn't do it again. And part of you wants to breathe a sigh of relief that maybe it was just your imagination. But deep down you know the truth. There is a bug in there somewhere, and it knows you're watching.

Sunday, July 15, 2007

Baltimore Aquarium

Went to Philly for the weekend. On Saturday Vikki and I went to the National Aquarium in Baltimore. Very fun. Had not been there since the mid eighties. Walked around the inner harbor, got ice cream.



This is our new fish friend, George. See how colorful he is?



Watched two episodes of Carnivale today. Only two episodes left until extreme disappointment and anger.

Thursday, July 12, 2007

Should we hire him?

Some people make it an uphill battle to hire them, even if they may in fact be competent. Note the names have been changed to protect the idiotic.

I got an email from Shannon asking for her help:

Can one of you guys open this dude's resume please? He sent it in some
Linux format and refuses to send me a format I can open.
-----Original Message-----
From: John Smith [mailto:jsmith@uic.edu]
Sent: Tuesday, July 10, 2007 9:41 AM
To: techjobs
Subject: Antony's resume

Hi

I have attached my resume & cover letter for your review.

Thanks
With regards
John

I'm certainly willing to help if the file is in some unknown format that is Linux centric (LaTeX perhaps? troff?). I'm admittedly a bit surprised when she said "refuses to send a format she can open".

So I ask for the file and the thread of conversation she had with him. It goes something like this (reformatted for clarity):


Hi

I have attached my resume & cover letter for your review.

Thanks
With regards
John

So far so good.

John,

The link in the attached document does not appear to lead to a resume. Please send resume as an attachment.

thanks

Hmmm... I've done that before.

Hi Shannon

Thanks for responding to my application. My resume is attached to the PDF cover letter. In the acrobat reader, you can see an attachment tab.

If you click on the attachment tab, you can see the enc- resume.

With regards
John

He embedded his resume inside the PDF as an attachment? Why would he do that? Why not just make a separate PDF? I didn't even know you could embed attachments in PDFs.

John,
I do see the resume in the attachment tab, but I am unable to open it.

thanks

Some unrecognized file format? Perhaps he embedded a Word 2007 document and Shannon doesn't have the plugin?

Hi Shannon

Thanks for the reply.

That is a new format AES used in Linux. If you have Linux machine or a friend who uses Linux, you will be able to open it.

Thanks in advance
with regards
John

Uh, ok. He can certainly generate PDFs since he managed to embed his resume in one. Why not just send it as PDF? Well naturally Shannon wondered this too:

John,

I am the first person in the line who reviews resumes, and in order to do so I really need to have your resume in a format that I can open. So, if you would please send it in Word or PDF or even copy and paste into the email that would be helpful. Otherwise it's likely that it will not get reviewed.

Thanks

to which he replied (and this is where it gets good)

Hi Shannon

Thanks for the reply.

I am very very good Linux developer as it is shown in my certifications. I am just trying to see whether you are ready to allot 5 minutes of a Linux person in your company to read my resume.

TIA

He's a "very very good Linux developer?" Note the double use of the word "very". It's a shame we're only looking for very very very good Linux developers.

So this is where I come in. By this point Shannon is ready to just throw the thing in the garbage. She sends me the file, and so I run the UNIX tool "file" against it to check the format:

$ file resume.aes
resume.aes: data
$

Well that isn't very helpful. So I open it in emacs, and it's a binary file. So I hexdump it, and I see the leading bytes are "Salted__". Uh oh. As I should have guessed from the file extension, it's encrypted. Fortunately I know a little something about encryption.

So we know three things at this point:

  • He embedded the file in a PDF attachment - almost nobody would notice the resume was even there
  • He gave no indication the file was encrypted
  • He gave no indication as to what encryption tool he used on the file (GPG? Gcrypt? OpenSSL? Loopback-aes? some other obscure file encryptor I've never heard of?)
  • He gave no indication of what cipher strength or chaining was used other than suggesting it was AES (the Advanced Encryption Standard)
  • There is no mention of the encryption key necessary to decrypt the file

Always liking a puzzle, I did a quick Google and found out that files with the leading bytes "Salted__" are in a format used by OpenSSL enc (not surprising). So with no knowledge of the cipher format (and the file format itself does not specify), I run it against all the available ciphers.

#!/bin/sh

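# The "Salted__" header does not name the cipher, so try each AES variant with an empty passphrase
for x in -aes-128-cbc -aes-128-cfb -aes-128-ecb -aes-128-ofb -aes-192-cbc -aes-192-cfb -aes-192-ecb -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-ecb -aes-256-ofb -aes128 -aes192 -aes256; do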
    echo "trying $x"
    openssl enc $x -d -salt -in resume.aes -out foo -k ""
    file foo
done

No joy. At this point I feel the guy has made me jump through way too many hoops. Let us not forget that this is just to view his resume. I have no idea whatsoever whether he is competent.
Of course I don't know the password, but I figure maybe he just used a blank password to make someone go through the work of decoding the file.
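
To make the point about the "Salted__" format concrete, here is an added example (not code from the original post) that parses the container in Python and shows what it records and what the sender has to tell you separately. The sample file and passphrase are constructed, and the MD5 default is an assumption matching openssl enc releases before 1.1.0.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte marker written by `openssl enc` when a salt is used
AES_BLOCK = 16        # AES block size in bytes, also the IV length


def parse_salted(blob):
    """Split an `openssl enc` salted file into its salt and ciphertext.

    The container holds only the marker, an 8-byte salt and the ciphertext.
    Cipher, key size, mode and digest are not recorded anywhere in it.
    """
    if len(blob) < len(MAGIC) + 8 or not blob.startswith(MAGIC):
        raise ValueError("no 'Salted__' header")
    salt, body = blob[8:16], blob[16:]
    aligned = len(body) > 0 and len(body) % AES_BLOCK == 0
    # Padded CBC/ECB output is always a whole number of blocks. CFB/OFB output
    # has the plaintext's length, so an unaligned body rules out CBC and ECB.
    modes = ["cbc", "ecb", "cfb", "ofb"] if aligned else ["cfb", "ofb"]
    return {"salt": salt, "ciphertext": body, "candidate_modes": modes}


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest="md5"):
    """Key/IV derivation used by `openssl enc` without -pbkdf2 (one iteration)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def describe(blob, passphrase):
    """Return the candidate modes plus the key/IV each AES key size would use."""
    info = parse_salted(blob)
    rows = []
    for bits in (128, 192, 256):
        key, iv = evp_bytes_to_key(passphrase, info["salt"], bits // 8, AES_BLOCK)
        rows.append((bits, key.hex(), iv.hex()))
    return info["candidate_modes"], rows


# Constructed sample: marker + 8-byte salt + 37 bytes standing in for ciphertext.
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(range(37))

if __name__ == "__main__":
    modes, rows = describe(SAMPLE, b"example-passphrase")  # constructed passphrase
    print("modes still possible from the length alone:", modes)
    for bits, key, iv in rows:
        print(f"aes-{bits}: key={key} iv={iv}")
```

The same passphrase and salt give a different key and IV for every key size, which is why the recipient needs the exact cipher name as well as the passphrase.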

So I send this reply to Shannon, which I accidentally happen to put the candidate on the CC:

From: Devin Heitmueller
Sent: Tuesday, July 10, 2007 12:23 PM
To: Shannon Barnett
Cc: john@uic.edu
Subject: RE: John's resume

Hello Shannon,

I took a look at the file you forwarded. The candidate does not give any indication as to what tool he used to do the encryption (openssl, gcrypt, loopback-aes, etc.), but the "Salted__" header suggests he used a derivative of "openssl enc". He gave indication as to what cipher suite he used (the cipher is AES but there is no indication as to the key strength or block type [cbc,ecb, etc]), so I ran it through all the AES ciphers available (see script below). As far as I can see from your email thread he didn't provide a passphrase to decrypt the file, so I just tried a blank password. I don't have time to run it through John the Ripper.

I've got better ways to waste my time than attempting to brute-force a file just to look at a resume that very well may suck. If he's too stupid to know that the whole point behind HR is to filter resumes so I don't have to then just tell him to fuck off.

Thanks,

==
Devin Heitmueller
Senior Developer

I can't imagine why Matt doesn't take me to meet customers.

This prompts a reply from the candidate. I think he can sense I'm a bit irritated.

Hi Devin

Please do not be so angry about this. There are so many consulting companies putting up website just to collect your resume and your whereabouts. My point is that most of the HR is not able to find the right candidate. I think that it is a good way to find out the people you have to work with in case you are selected.

I have attached my resume if you are still interested.

encryption is 256-cbc-aes.

With regards
John

Uh, ok. You think it might have been easier to just type the name of the company into Google after the fifth or sixth correspondence with HR? We have won awards for our products after all and are quite prominent in the Google rankings when you search on our company name.

Also note, he states what encryption format was used, but as of this point he still hasn't given me the decryption key. He follows his previous email a couple of minutes later with the following.

Hi Devin

This is the whole point of getting attention from HR because HR receives lot of resumes. Anyway the encryption is aes-256-cbc and the password is "hyundaiVeracruz". Anyway I have attached the resume.

With regards
John

Yeah, so it was all a test. Naturally when HR receives a lot of resumes, the prudent course would be to make your own as hard to read as possible. And I guess we passed. Except now we're so pissed off that we don't want anything to do with the guy.

The irony is that when I finally decrypted his resume, he doesn't seem half bad. I probably would have brought him in for an interview. Except now we know he's an asshole.

One final email:

Hi Shannon

I am really sorry about this if you feel that I misbehaved. I was trying to avoid a situation that happened in my employment where I had to work with people who can even differentiate the less than & greater than symbol. It looks like you have a good team and you are real not a fake website. If you are considering me as a candidate, please let me know.

Thanks in advance
With regards
John

Awww how cute. He's apologizing. And he acknowledges that we're not a fake website. That's so nice.

Well there kids, I hope you have enjoyed my little digression into the fun of hiring, and I apologize for the very long post. I just couldn't do it justice without giving you the opportunity to see the whole thread.

Time for a vote! How should we reply? Should we still consider him as a candidate? Text 1-800-555-1212 and:

  • Enter GOFORIT if we should bring him in for an interview and possibly hire him
  • Enter NOTHANKS if Shannon should politely email informing him we are no longer interested
  • Enter ENTERTAIN if we should bring him in for an interview with no intention of hiring him just so we can mock him.
  • Enter FUCKOFF if I should email him and tell him we are no longer interested, perhaps less politely
  • Enter JOBOFFER if I should email him a job offer, but encrypt it with his own password, but reversed

Or you can just cast your vote in the comments section of this post.

Tuesday, July 10, 2007

OpenMoko

The latest iPhone frenzy turned me on to the OpenMoko project:

http://www.openmoko.org/

This is basically a completely open source Linux based phone solution. It's still in the early stages, but looks pretty interesting, especially given how Apple has built the iPhone to not allow third party applications. They have a development preview device available for $300, and a full dev kit for $450 (includes JTAG dev board).

As a fortunate coincidence, the OpenMoko software platform also runs on the HP hx4700, which is the handheld I own and started gathering the necessary parts last week to load Linux onto (see http://www.handhelds.org/projects/hx4700.html for more info). That said, I should be able to do some dev on that device, which would be portable to the OpenMoko phone. They also have a QEMU based emulator.

Looks like it has a lot of potential, although probably limited to the geek crowd. As some random forum comment noted, Apple sold more iPhones in the first weekend (half a million) than will EVER be sold of this device.

Monday, July 9, 2007

Obsessive compulsive at work

So this evening at around 6:30 I was trying to get something to work, and needed to remove a couple of conflicting function definitions. The next thing I found myself writing a series of sed routines to replace every ACE CString in the codebase with STL strings [simultaneously converting fast_rep() method calls to c_str() and removing redundant c_str() calls where the result was just being converted to an STL string anyway]. Well, it's 11:14pm and I committed 6439 lines of changes across 19 commits. Not quite what I had in mind. Ouch. What the hell was I thinking??

Need food. No money. Have to stop at ATM so I can buy bread on the way home.

Sunday, July 8, 2007

Home from the Shore

On Saturday, went to memorial services for Victoria's uncle. Afterwards had dinner with her extended family. Then Vikki, Cortney, Michelle and I went to the Inkwell for some dessert. Went home, saw Lauren and Greg's new apartment in Neptune.

Today went to the beach in Sea Girt with Vikki, Michelle, Lauren, Greg, Julie, Brian, and two of Lauren's other friends. First time I've been in the ocean in quite a while. It was 94 degrees and I think I got some sunburn despite the SPF 50 I put on twice while I was there.

Back in New York City. Doing some cleaning. Getting ready for work tomorrow.

Wednesday, July 4, 2007

Why Userspace Sucks—Or 101 Really Dumb Things Your App Shouldn’t Do

Ran across a great article by Dave Jones about his profiling of Linux userspace applications. It should be mandatory reading for anyone who does Linux development:

https://ols2006.108.redhat.com/reprints/jones-reprint.pdf

Left the office at 3pm yesterday and saw Transformers with Dan and Jae. Not bad, but not as good as the first one.

Went to Veselka with Vikki last night for dinner. Yummy.

Spending 4th of July here in New York. May go see the fireworks.

Monday, July 2, 2007

Monday

Still can't sleep, so ended up finally watching Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb. Good flick.

Work closes at 3pm tomorrow for Independence Day. A nice change.

Looked at flights/hotel for Vegas. Looks pretty reasonable. Will probably book my trip tomorrow.

Sunday, July 1, 2007

Weekend roundup

I was specifically instructed to not do any work this weekend. So what better to do than build an old-fashioned fort in my living room?



Went to the movies on Saturday and saw Sicko. Pretty depressing. It was especially fun to see the looks on the faces of the Canadians, French, and British patients when he asked them how much they paid for their hospital visits (ranging from confused looks to laughter).

Also, per recommendations over Friday lunch a few weeks ago, I rented Pan's Labyrinth and watched it Friday night. It wasn't bad.

Spent the afternoon today lounging on the grass in Washington Square Park. Played some scrabble with Vikki, listened to the live music in the background.

Took a stroll through Staples by Astor Place and found a bunch of closeout items. They had a 52x CD-ROM drive for $5.99, a Sony CD-RW for $14.99, a Maxtor 80 GB portable USB hard drive for $69.00. Picked up a 512MB SD flash card for $14.99. Also walked through CompUSA and found Trendnet PCI and USB 802.11g cards for $24.99 not including a $20.00 rebate. Five bucks for a wireless card is pretty damn good (I don't need the latest newfangled 802.11n support).

Going to see if I can get Linux running on my HP Ipaq HX-4700 handheld. It's a couple of years old but it looks like it's actively supported and I like the idea of a Linux handheld that has 802.11 and Bluetooth support. All sorts of possibilities for wireless sniffing projects.

Also need to book my trip to Las Vegas in August for DEFCON 15.

Friday

Something really good happened at work on Friday, I guess. It's what you might consider a best case scenario for a startup. For me it means a lot more work and pressure to deliver.

Victoria came to New York for the weekend. We broke out all the new cookware I got for my birthday (Thanks Family!), and made some vegetarian tofu stir fry using the wok and rice cooker. Yum. Discovered the hard way though that brown rice takes WAY LONGER to prepare than white rice.