Back when the university cellphone policies were changed, I took advantage of it to get myself a Blackberry Storm. I was tempted to get an iPhone, but ultimately decided against it because of the hoops you have to jump through to install third-party apps. I got spoiled by my old Palm, which had a huge developer community and tons of great apps you could install without worrying about approval from Big Brother. I've given up on the Palm for other reasons, so the Blackberry platform seemed to be the best remaining choice.

I picked up the Storm because I wanted a nice big screen and I've never been a fan of the tiny physical keyboards and trackballs on the other Blackberry models; the Storm seemed like it would be the easiest conversion from the stylus-based operation of the Palm. The device seemed pretty cool from testing a co-worker's newly arrived one. So I plunked down the money and ordered one...

Adobe Flash security hole

This is sort of scary.

For those not familiar with security terminology, this article states that websites which allow uploading of Flash files are vulnerable to a security hole that lets bad guys run code that has all the security accesses of the webserver combined with those of the unsuspecting person who runs that file.

For instance, an attacker could send a specially coded Flash attachment to their victim in a Gmail message. When the victim loads the attachment, it gets to do anything the Gmail server could do with the victim's account: reset the password, delete messages, send messages (spam!), etc.

The scariest part is that there's not really a fix without significantly changing the way Flash works behind the scenes. In the meantime, you should avoid Flash that isn't directly provided by the website you're going to. For instance, the Flash slideshow on the WOU homepage is OK because we wrote it, but if you go to somebody's personal website like "http://www.wou.edu/~joeblow" then you should be careful unless you personally know that Joe Blow isn't the kind of person to play nasty tricks.

Actually that's not really the best example, because even if Joe Blow has one of these malicious Flash files on his webspace on our server, it wouldn't profit him much because there's nothing much our webserver can do other than show you web pages. The WOUPortal and the Sun Java Email system are on separate servers, so they wouldn't be vulnerable to Joe Blow's attack. Of course, Joe Blow could send you a Flash attachment in an email, and if you open it in the Java email system, it could do nasty things to your email account.

This security hole isn't easy to exploit, but it is theoretically possible. I recommend limiting the Flash files you run on the Web; there are browser extensions to help you do that. If you use Firefox, an extension called NoScript can block Flash files (and malicious JavaScript code as well) on all sites except those you designate as safe. If you use Internet Explorer, you can install Toggle Flash, a toolbar button that lets you turn Flash off and on whenever you want. Instructions for both are available in (ironically enough) a Flash video on the page I linked at the top of this entry. Don't worry; Foreground Security is a reputable company, so the video is safe to watch.

OK, let's try this again.

So I got dinged on my performance review for not blogging enough. Justifiably; as you can tell from my archives, I've hardly made any entries at all for a while.

Anyway, time to start getting more active again.

Change in wou_ldap.vnum_to_uid

Fair warning: this entry will make little or no sense to you unless you work in UCS and do PL/SQL programming.

I've made a change to wou_util.wou_ldap.vnum_to_uid, specifically to the way it deals with V-numbers that are attached to multiple user accounts. Before, if you passed a usertype as the optional second parameter, and it couldn't find a uid matching that type, it would still return a uid if it found one of another type that had the given V-number.

As of today, passing the second parameter will make the function behave more strictly; if a user account of the given type cannot be found, the function will return zero even if there is a user account of another type that has the given V-number.

In other words, passing a usertype to vnum_to_uid() means you want a matching uid only if it also matches the given usertype.

If you only pass a single parameter, the function will behave exactly as before; if multiple accounts are found, it will return the last one found. This is usually the most recently created account, but don't rely on that always being true.

Oh, and one other note: there is a new usertype, "Alumnus". All LDAP accounts of people who have graduated from WOU have this type. It is possible for someone to have both Student and Alumnus, for example if they graduated and then returned for a Masters program.
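A small Python model of the before/after lookup semantics described in this entry, added here as an example; it is not the PL/SQL source of wou_ldap.vnum_to_uid. The account rows, uids and V-numbers are constructed, and returning the last account found in the old fallback case is an assumption.

```python
# Behavioural model only: the real function is PL/SQL in wou_util.wou_ldap.
# Account rows, uids and V-numbers below are constructed sample data.
from typing import NamedTuple


class Account(NamedTuple):
    uid: int
    vnum: str
    usertype: str


# List order stands in for "order found"; usually creation order, not guaranteed.
ACCOUNTS = [
    Account(1001, "V00000001", "Student"),
    Account(1002, "V00000001", "Alumnus"),  # graduated, same V-number
    Account(2001, "V00000002", "Student"),
]


def vnum_to_uid_old(vnum, usertype=None, accounts=ACCOUNTS):
    """Previous behaviour: prefer a type match, else fall back to any account.
    Which account the fallback picked is an assumption (last found)."""
    matches = [a for a in accounts if a.vnum == vnum]
    typed = [a for a in matches if a.usertype == usertype]
    chosen = typed or matches
    return chosen[-1].uid if chosen else 0


def vnum_to_uid_new(vnum, usertype=None, accounts=ACCOUNTS):
    """Current behaviour: a usertype, when given, is a hard filter."""
    matches = [a for a in accounts if a.vnum == vnum]
    if usertype is not None:
        matches = [a for a in matches if a.usertype == usertype]
    return matches[-1].uid if matches else 0


def changed_lookups(queries, accounts=ACCOUNTS):
    """Return (vnum, usertype, old_uid, new_uid) for calls whose result changed."""
    changed = []
    for vnum, usertype in queries:
        old = vnum_to_uid_old(vnum, usertype, accounts)
        new = vnum_to_uid_new(vnum, usertype, accounts)
        if old != new:
            changed.append((vnum, usertype, old, new))
    return changed
```

Callers that passed a usertype and never checked for zero are the ones affected: they used to receive a uid of a different type and now receive 0.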

Air Conditioning FAIL

On Saturday all three air conditioning units in the server room shut down, and the place rapidly turned into an oven. Our servers put out a lot of heat, and have to be kept cool to prevent Bad Things from happening... and so when the air handlers stopped, Bad Things started to happen.

Luckily, only a couple of servers had actual hardware damage, and those didn't have anything critical on them. Several more servers shut down ungracefully or started behaving erratically. Luckily our two biggest servers, cougar and sundown, never actually crashed, but since our main network infrastructure server did, nobody could get to cougar or sundown.

Since I live so close to campus, I got called in, but it was Paul Lambert and Dave Diemer who did most of the heavy lifting. Once the major problems were cleared away, then I could do my thing. Dave was still working on three servers until the next morning, and I was up until really late babysitting the webserver, which seemed to go catatonic every few minutes for no apparent reason. We'll still be cleaning this up for a while.

Continuing the mini theme

My new keyboard got here yesterday and I installed it without much trouble. This mini is far easier to upgrade than any laptop I've ever worked with -- just unscrew two screws, lift the keyboard, pop a couple of little latches and unplug the cable and the old one's out, then reverse the process and the new one's in. The ribbon cable was a little hard to get lined up right, but I got it after a few tries.

The new keyboard is much, much better than the old one. The keys are offset like a standard keyboard, and the punctuation keys are in their normal places rather than shoehorned into odd corners or converted into function-key combinations. My typing speed is way up, even though the keys are slightly narrower. Here are pictures of the old and new keyboards together that someone posted to a forum; the topic includes instructions on how to get and install the keyboard.

I've also been delving more into Linux. Like I said a few posts ago, it's a lot easier than it was in the past -- however, all the geeky stuff is still there under the hood, ready to be poked and prodded and reconfigured. More on that later.

Mini memory

My 2GB memory module arrived today (thanks Joanie!) and I installed it in all of two minutes, one of which was spent finding the right screwdriver. This machine is incredibly easy to upgrade. The keyboard will be nearly as easy to replace as the memory, though there are a couple of persnickety little tabs I'm going to have to be careful with. The keyboard isn't going to arrive until after Memorial Day, though.

Oh, and I got VirtualBox installed without any of the finagling Michael had to do on his mini; Ubuntu 9.04 seems to have almost all the prerequisites installed already. Now I just need to figure out how to get a legal Windows CD and a drive that connects via USB -- Dell makes good machines, but even they couldn't squeeze a CD drive into this tiny box. It would have filled half the insides, even without the bigger power supply they'd have to put in.

Did I mention this thing doesn't even have a hard drive? Well, technically it does; it's just a solid-state one, like a USB stick. That means the machine doesn't have to burn a lot of power spinning a stack of metal platters, which in turn means I get over four hours of battery life even with the dinky little four-cell 32WH battery Dell put into the machine. It also means there's no need for a built-in fan, though I'm a little worried about the machine overheating and killing my battery (you do not want to get lithium-ion batteries hot; leaving one in a car on a summer day can permanently destroy most of its capacity. For more on this see Battery University.) I've taken to popping out the battery and running on AC only when I have a plug available; probably a bit paranoid, but I like this thing and you won't be able to get batteries for it forever.

I sprung for the extra-big 16GB drive, which may sound small compared to normal drives, but isn't even a quarter full even with a full operating system, OpenOffice, and a metric boatload of other programs. Put that in your cache and smoke it, Windows. If I ever start running out of space, there's an SD card slot for more space, plus I can always use some of the metric boatload of USB sticks I've accumulated over the years.

And I guess I'm old, because I remember when it was totally awesome that you could get a hard drive with 20 whole megabytes on it! Like, you could never fill that up for years, man! It was the size of a brick, and weighed about the same as one too. Now a thousand times that much fits on a couple of chips, and seems like not very much room. The eighties were a long time ago, and we live in the future now.
