Archive for July, 2008
One Minute Mac Tip: Securely erase files from the command line
Security provisions are one of those “things” that Mac users have been snooty about—for good reason—for decades. However, I’d dare say that, even though the UNIX architecture underpinning Mac OS X is much more secure than most other popular operating systems (cough, Windows, cough), many of the security benefits that Mac users have enjoyed are really security-by-obscurity, which is not very secure at all. With the growing popularity of Mac OS X, a lot of responsibility suddenly shifts from the vendor (Apple, Inc.) to the individual users (this means you) to keep your data secure.
Apple has been on point, however, providing good security utilities built right into the operating system and easily available to end users. The most commonly used is probably “Secure Empty Trash”, which overwrites the files you put into the trash before deleting them. What too few Mac users know is that this Finder function has a command-line counterpart: srm, the secure remove utility.
srm can be thought of as simply a version of rm that overwrites file data before unlinking it from the file system. It has a few options that rm lacks, all of them geared towards tweaking just how it overwrites files. With no option at all, srm does the 35-pass Gutmann scheme, and -s does a single pass of random data. My favorite is the middle ground, -m (“medium”), which the manual page describes as:
overwrite the file with 7 US DoD compliant passes (0xF6, 0x00, 0xFF, random, 0x00, 0xFF, random)
I had the perfect occasion to use srm today: I was transporting my SSH private key from one laptop to another via a temporary drive. I wanted to securely remove all traces of the private key file from the temporary drive after installing it in the new computer. (See this SSH public key tutorial if you don’t know why this might be important.)
After copying the private key file over, removing it securely looks like this:
srm -m private_key_file
It’s that easy, with one caveat: overwriting only helps if the filesystem really writes the new data over the old blocks. Journaled filesystems, snapshots, and the wear-levelling firmware inside USB flash sticks and SSDs can all leave untouched copies of the original data that srm never sees, so if a drive only ever carried the key, wiping the whole drive before reusing it is the safer bet.
To see for yourself that your file is truly overwritten with garbage, you can use the -n option, which overwrites the file but does not rename or unlink it. This is one way to retain a file while completely corrupting it. Observe:
Meitar:~ meitar$ cat testfile
Hello world.
Meitar:~ meitar$ srm -mn testfile
Meitar:~ meitar$ cat testfile
?
?)c?I
P?Meitar:~ meitar$
That garbage you see after the second invocation of cat shows that the file really was trashed, that is, overwritten with garbage data. Now, a simple rm testfile can do the rest of the work.
As always, man srm will give you all the other juicy details.
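To make the seven passes behind -m concrete, here is a from-scratch POSIX sh reimplementation of that pattern, added as an example rather than taken from the original post or from srm itself. The function names (dod_wipe, secure_rm and friends) are hypothetical, the sample file is constructed in the script, and the pass list is the one the srm manual page quotes above. It reproduces the post’s “srm -mn testfile” experiment: overwrite in place, confirm the plaintext is gone, then unlink.

```shell
#!/bin/sh
# Added example, not srm's own code: the seven-pass "medium" pattern
# (0xF6, 0x00, 0xFF, random, 0x00, 0xFF, random) done by hand with
# tr, head and dd. Function names are hypothetical.
set -eu

# Size of a file in bytes (wc pads with spaces on macOS; strip them).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# pattern_stream PASS SIZE: emit SIZE bytes of PASS on stdout. PASS is
# "random" or a three-digit octal byte (366 = 0xF6, 000 = 0x00, 377 = 0xFF).
# LC_ALL=C keeps BSD tr from re-encoding the byte as UTF-8.
pattern_stream() {
    if [ "$1" = random ]; then
        head -c "$2" /dev/urandom
    else
        LC_ALL=C tr '\000' "\\$1" < /dev/zero | head -c "$2"
    fi
}

# dod_wipe FILE: the "srm -mn" equivalent. conv=notrunc keeps the inode
# and its blocks; truncating first would hand the old blocks back to the
# filesystem untouched, which defeats the whole exercise. Caveat from the
# post still applies: journaling, snapshots and flash wear-levelling can
# leave copies this loop never reaches.
dod_wipe() {
    size=$(file_size "$1")
    for pass in 366 000 377 random 000 377 random; do
        pattern_stream "$pass" "$size" | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
        sync   # push each pass to the device before starting the next
    done
}

# secure_rm FILE: the "srm -m" equivalent. Wipe, then unlink.
secure_rm() {
    dod_wipe "$1"
    rm -f "$1"
}

# contains_plaintext FILE STRING: exit 0 if STRING is still readable in FILE.
contains_plaintext() {
    LC_ALL=C grep -q -- "$2" "$1"
}

# demo: constructed sample file standing in for the post's testfile.
demo() {
    f=$(mktemp)
    printf 'Hello world.\n' > "$f"
    dod_wipe "$f"
    if contains_plaintext "$f" 'Hello world'; then
        echo "still readable: $f"
    else
        echo "overwritten: $(file_size "$f") bytes of garbage left in $f"
    fi
    secure_rm "$f"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh wipe.sh --demo`; the functions are kept separate from the demo so you can source the file and call secure_rm on a real path. The file size is read once and every pass writes exactly that many bytes, so the file keeps its length and its inode across all seven passes, which is what lets the final rm simply unlink it.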
My tweets on 2008-07-30
- I alternate btw being amused and annoyed at the fact that it’s very difficult for people to grok the concept of asynchronous communication. #
- Why is it that it starts raining tasks when I’m approaching a deadline? Like, seriously, EVERY TIME. On the up side, that’s a good excuse…. #
- @laughingrhoda That already exists in the form of a NewSignificantOther. Kind of like http://www.makemylogobiggercream.com/ but even SEXIER. #
- Officially open sourced tonight are chkrelease and git-archive-all, 2 of my web site deployment utilities. Details: http://github.com/meitar #
- Um, poll time: A bit >1/2 of my followers are sex people, the rest tech people. Does this mean at any time 1/2 are confused by my tweets? #
- @lanej0 ROTFLMAO! That’s hilarious! Also, woah, I’m suddenly using Internet slang from the 90’s again. #
- I just had a sex dream involving at least 1 of 2 friends, but I’m too awake to remember exactly which friend. That’s ok, I have hot friends. #
My tweets on 2008-07-29
- Over the past few months I’ve discovered I was right all along. I’m not lazy, I just need to start my days at my own pace to be productive. #
- @sheershir OTOH, I’ve been far less productive than I had hoped today because I got sidetracked trying to make a recursive archiving script. #
- Github = cool! Hosting git-archive-all.sh there, it wraps git-archive makes archive of repo and all its submodules http://tinyurl.com/6hh4ht #
My tweets on 2008-07-28
- So envious of all the kink goings on in my timeline. :( On the up side, I implemented a neat coffee-cup feature for v0.1.2 of chkrelease.sh #
My tweets on 2008-07-27
- Holy craps! Mr. Incredibubble just put my head inside a bubble! #
- Sydney’s Hyde Park on the weekend is awesome. I just walked by a half-human size Chess match. #
- @CurvaceousDee I think that storm you mentioned made it to Sydney. I’m sitting at an outdoor bar at Cockle Bay sipping beer to avoid rain. #
- Am I’m post Sydney Aquarium and dinner and train ride home comfort all wrapped up on bed. But now…ennui! #
- Alas, my Google fu is failing: does anyone know where I can get a list of keyboard bindings that map to process signals? CTRL-C=SIGINT, etc. #
- Missed the bus and ran out of battery charge on my iPod and I haven’t even really woken up yet. I hope today gets better quickly. #
My tweets on 2008-07-25
- Bizarre morning. First a dream, then network trouble and now pushing back against scope creep. Oh wait, that last one is par-for-the-course. #
- Hilariousness: “You can’t go back. There’s no option to arrange by penis.” http://www.thewebsiteisdown.com/ Also, sadly, sort of accurate. #
- @unspeakableaxe We were explicitly told that Sydney’s subways ran “all night.” Apparently “all night” doesn’t include the hours of 1-5 AM. #
Mac OS X Server Tip: Enable user avatars for Apple WikiServer without enabling User Weblogs
Today I had the opportunity to toy around with more of Apple’s WikiServer (aka “Teams Server”) intranet-building suite of applications. I already gave the wiki feature a pretty thorough treatment, so this time I set my sights on a simple user-specific (as opposed to group-specific) feature.
In my office of approximately twenty-some-odd employees, we’ve just begun using the groups’ blog feature to replace all-staff emails for interesting items that are not business related. This has actually been a huge boon for several reasons, not least of which is the productivity boost we can enjoy thanks to moving from a push system (relatively annoying, if occasionally interesting emails) to a pull system (web browsing, RSS feeds, all generated from the Apple WikiServer group blog). Out of the box, only one feature was missing from the group blog: user profile pictures (“avatars”).
If you only turn on the group wikis and blogs features in Apple’s WikiServer, you’ll find that whenever someone posts a comment to a wiki page or a blog post, a generic profile picture appears next to their comment. If you then give that person’s user account a profile picture in Workgroup Manager, the generic icon turns into a broken-image question mark instead. It turns out that the user profile pictures are served by a completely different web service from the one that serves the group’s wiki and blog, so if that service isn’t running, none of these images ever reach the browser.
Fixing that is simple enough: simply turn on the appropriate server—the User Weblog server—by opening Server Admin, navigating to the Web Service settings, and enabling the “Blogs” service for users under your web site, then clicking save. For the default web site (*), all that checkbox technically does is remove the comment in the /etc/apache2/sites/0000_any_80_.conf file that reads:
# Include /etc/apache2/httpd_users.conf
The /etc/apache2/httpd_users.conf file enables the use of your web site’s /users URL paths. In practice, this means that you’ve now allowed anyone with a user account in your Open Directory database to create a new hosted, personal weblog on your server. This may be what you want, but it wasn’t what I wanted—all I wanted was user profile pictures on the groups features.
As it happens, everything behind the /users URL is actually served by a completely different web server (a Twisted application, written in Python) that Apache reaches through a ProxyPass directive. This turns out to be really handy, because it means we can intercept requests for these URLs in Apache and refuse them before they ever get to the Twisted “User Weblog” server.
By examining the source of a wiki page on which a user’s profile picture appears, we can see that the image is fetched from a URL of the form /users/username/icon.jpg (where username is the user’s Unix short name). So, with the following bit of Apache RewriteRule magic placed in the virtual host alongside the ProxyPass for /users, we can allow only the serving of these avatars and not let users create their own personal blogs:
#### We are ONLY using the /etc/apache2/httpd_users.conf file to
#### enable per-user avatar icons sourced from our OpenDirectory
#### user database. So to avoid the messy instance where people
#### create their own blogs we will answer anything except the
#### image icons themselves with a 403 Forbidden error.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/users
RewriteRule !^/users/[A-Za-z0-9_.-]+/icon\.jpg$ - [F,L]
</IfModule>
The magic happens in the lines that begin with RewriteCond and RewriteRule. The RewriteCond examines the incoming URI and only lets the rule run if the URI begins with “/users”. That’s important because the RewriteRule is negated: it fires for any request that does not match a URI of the exact form /users/username/icon.jpg, and the “-” substitution plus the F flag tell Apache to answer it with 403 Forbidden rather than rewrite it (L stops further rule processing). In other words, without the RewriteCond the entire web site would only be able to serve user profile pictures, and without the RewriteRule all the URLs of the User Weblog server would be reachable (such as those that create new personal weblogs). A few details matter for this to hold up: the pattern is anchored with $ so that /users/username/icon.jpg.bak or anything appended after the file name is refused too, the dot in icon.jpg is escaped so it matches only a literal dot, and the character class should cover whatever your short names actually contain (digits, underscores and dots are common, hence the class above). Keep the directives in the virtual host next to the ProxyPass; inside a <Directory> block or an .htaccess file mod_rewrite strips the directory prefix before matching, and ^/users would never match.
With both in place, however, I get exactly what I want out of the Weblog Server. No more and no less.
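After restarting Apache, the thing worth checking from outside is the boundary itself: the avatar URL still answers, everything else under /users is refused, and URLs outside /users are untouched by the rule. The script below is an added example, not part of the original post or of Apple’s WikiServer; the base URL, the user name “alice” and the expectation that the site root answers 200 are placeholders to adjust for your server, and the trailing-garbage check assumes the rewrite pattern is anchored with $.

```shell
#!/bin/sh
# Added example: external smoke test of the /users access policy.
# BASE and the user "alice" are placeholders, not values from the post.
set -u
BASE=${BASE:-http://intranet.example.com}

# fetch_status PATH: HTTP status code for BASE+PATH, redirects not followed.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$BASE$1"
}

# expect PATH STATUS: report one check on stdout; returns 1 on mismatch.
expect() {
    got=$(fetch_status "$1")
    if [ "$got" = "$2" ]; then
        printf 'PASS %-32s %s\n' "$1" "$got"
        return 0
    fi
    printf 'FAIL %-32s %s (want %s)\n' "$1" "$got" "$2"
    return 1
}

# run_checks: exit status is the number of failed checks (0 = policy holds).
run_checks() {
    fails=0
    # The one request that must still work: the avatar the wiki embeds.
    expect /users/alice/icon.jpg 200 || fails=$((fails+1))
    # Everything else under /users must be refused before reaching Twisted.
    expect /users/ 403 || fails=$((fails+1))
    expect /users/alice/ 403 || fails=$((fails+1))
    # Only matters if the RewriteRule pattern is anchored with $.
    expect /users/alice/icon.jpg.bak 403 || fails=$((fails+1))
    # The RewriteCond must keep the rule away from the rest of the site
    # (placeholder: change 200 if your site root redirects).
    expect / 200 || fails=$((fails+1))
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `BASE=http://your.server sh check_users.sh --run`; a non-zero exit status means at least one check failed, which makes it easy to wire into whatever you use to watch the server after configuration changes. Note that curl squashes dot segments before sending, so a path such as /users/alice/icon.jpg/../ cannot be tested this way, and Apache normalizes the same way before mod_rewrite ever sees the URI.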
My tweets on 2008-07-24
- Everyone from the States is making fun of me for saying “No worries” even though I used to say that to them well before I came to Australia. #
- Why is it so difficult for people to use styling features other than bold, italic and underline? Just spent 30mins deleting extraneous tabs. #
- You know what makes me sad? Working at (multiple) webdev shops where intranet pages have links that say “click here” as their anchor text. #
- Favorite quote of the day: “(imitating a hypothetical subcontractor) Well we don’t actually do quality work. It adds too much overhead.” #
- @unspeakableaxe You mean that blackened water that passes for coffee in NYC? Pffft! You don’t know coffee if you don’t know café no-refills. #
- @ProblmLikeMaria Or your other option is to embrace the wearing of ripped jeans. #