Lubuntu 12.10 looks great

0 comments

The changes from Lubuntu 12.04 to 12.10 are slight, but aesthetically important.

The overall distro feels even stronger and more stable with more uniform icon sets for all applications (including pcmanfm), a simplified login and updater, a streamlined Lubuntu Software Center, and more robust drivers.

Also, I just found a nice tip for setting up a keyboard shortcut for locking your screen and another nice tip for adding fonts.

Lubuntu 12.10 countdown

0 comments

Icenium looks promising

0 comments


The world of mobile application development is a sea of constant flux.  There are so many services, tools, and toolkits that it seems overwhelming at times.  For example: Appcelerator, PhoneGap Build, Trigger.io, The-M-Project, appMobi, RhoMobile [Motorola], DragonRAD [IBM], MoSync, Corona, Wink, Tiggzi, Ludei, AnyPresence, Sencha Touch, jQTouch,  ...the list goes on and on...

A new kid on the block is called Icenium (currently in beta) and pulls a lot of the features from various services mentioned above into an attractive end-to-end workflow.  Here are some highlights:

  • HTML5 CSS3 JavaScript mobile development (a.k.a. Hybrid)
  • Apache Cordova (formerly called PhoneGap) -- proxy bridge similar to Trigger.io
  • Desktop IDE (Icenium Graphite [Windows-only]) or Cloud IDE (Icenium Mist) with version control -- somewhat similar to Appcelerator and Cloud9
  • Real-time simulation (iPhone 4S and Samsung Galaxy S II; Graphite also includes iPad and Android 7" Tablet simulators) -- somewhat similar to RIM Ripple
  • Real-time debugging (via WebKit Web Inspector) -- similar to Weinre
  • Cloud builds (iOS 4.3+ [iPod, iPhone, iPad], Android 2.2+, Kindle Fire) -- similar to, but less extensive than, PhoneGap Build
  • Automatic device sync (via Icenium Graphite/Ion and Icenium LiveSync) -- similar to Adobe Shadow

Backed by a moderately sized company (Telerik) with an attractive, intuitive desktop and browser-based IDE and a full service offering, including debug, simulation, build, and packaged deploy, it's shaping up to be a formidable contender in the mobile arms race.


From the Icenium website:
"The challenge for developers is building applications that work across [all mobile] platforms, since each platform requires different tools and languages. Code written for one platform may not be reusable on another platform. Web developers have solved for this by building websites that are designed for mobile devices — the mobile web. These mobile websites are compatible with mobile browsers on different platforms.  However, the mobile web has limitations. Mobile websites can’t access many of the device capabilities, are not distributable through the Apple AppStore or Google Play, and require a data connection at all times.
"Icenium is an Integrated Cloud Environment (ICE) created to enable web and mobile web developers to target the most relevant device platforms regardless of the operating system they are using. As a cloud-based development environment, Icenium abstracts away the platform dependencies, enabling developers to focus on their ideas and the content of their applications, not the management and configuration of their development environment. By leveraging Apache Cordova — an open source framework for mobile devices — Icenium enables developers to use their existing skills in HTML and JavaScript to build compelling applications for the most relevant mobile platforms, including iOS (iPhone, iPad and iPod) and Android (phones and tablets). The integrated device simulator enables developers to rapidly iterate their ideas and see their changes the way they would look and feel on iOS and Android devices without having to deploy their application to physical devices. When the time comes to see the application running on a real device, Icenium has integrated device deployment making it easy to move from a simulation to the real thing. As development continues, Icenium LiveSync™ synchronizes changes in the code editor with the Icenium Device Simulator and all connected devices so they can be instantly viewed without having to rebuild the project.

"Icenium is being built to eliminate the complexity associated with cross-platform mobile development. As a cloud-based development solution, web and mobile web developers no longer have to worry about downloading, configuring and managing SDKs. All of that is managed in the cloud. For the first time, developers can focus solely on writing the code that brings their ideas to life, and those ideas can reach users on the most relevant device platforms in the world."
As a nice bonus, their documentation is surprisingly well thought-out and informative.  However, detailed examples and code samples are lacking.  For example, it's disappointing that the only two provided sample apps (Coffee App and Airlines App) come with the following disclaimer: "Note that these apps do not represent best practices and therefore its structure should not be used for real-world applications."




Teaser: Their Video Player utility is coming soon.

Useful links

0 comments

Excellent overview of mobile development options: http://www.slideshare.net/peterfriese/cross-platform-mobile-development-11239246

Useful DVD video ripper: http://ogmrip.sourceforge.net/en/index.html (make sure to select "PC, High Quality" when encoding)

Popular DVD menu maker: http://www.dvdstyler.org/en/

Decent video editor: http://www.pitivi.org/

StelaPad goes open source

0 comments

For anyone interested in vector graphics and HTML 5 web technology, check out the newly open-sourced StelaPad project.

Moving to Aptana Studio 3

0 comments

I've used the Eclipse IDE for awhile now, and I've decided to give the Eclipse-based Aptana Studio 3 a try.  It offers some nice additional features and has returned to active development after the purchase of Aptana by Appcelerator.

That said, I'm being cautious since I wasn't all that impressed by the Appcelerator Titanium Studio IDE (too pushy on the marketing sales aspect).

So far, the only tweaks are setting the default theme to Tomorrow Night (Window > Preferences > Aptana Studio > Themes > Import) and add Aptana to my Lubuntu menu -- create a file called aptana.desktop in /usr/share/applications/ and add this text:

[Desktop Entry]
Type=Application
Name=Aptana Studio
Comment=Aptana Studio Integrated Development Environment
Icon=
Exec=/your/path/to/Aptana_Studio_3/AptanaStudio3
Terminal=false
Categories=Development;IDE;


Then, in Start > Programming, right-click on Aptana Studio and choose Properties.  Click on Change Icon, choose the Image Files radio button, and browse to the Aptana Studio folder to select icon.xpm
______________________

Update: The experiment was short lived....switching back to Eclipse.
 

Failed VirtualBox OS X attempt

0 comments

I had wanted to play around with the latest Mac operating system and this blog post regarding running OS X 10.7.3 (Lion) looked promising.  Furthermore, an updated post provided details for upgrading to 10.7.4.

After downloading the torrent file (a self-extracting archive) and extracting it (7z e MacOSXLion10.7.3.exe) I followed the YouTube video for applying the VirtualBox settings and gave it a whirl.  After a few minutes of the boot load process, I ended up with what a lot of other users reported: a black screen.

Ultimately, I'm convinced it's because I'm running an AMD processor, which Mac doesn't officially support at all and the forums strongly warn you against.

I guess I'll have to wait for my next computer upgrade to attempt another virtual "hackintosh".

As usual, Mac throws up more barriers for developers

0 comments

For any developer attempting to provide a uniform web experience for their users, testing on multiple browsers is essential.  Too often, I browse to a site that was clearly not tested for Firefox (although it works great in IE, or vice versa).  Most web developers have multiple browsers installed on their machines for this very purpose.  Historically, the most difficult browser to test on was Internet Explorer 7+, since it was only available on Windows operating systems.  Well, it appears Macintosh is now taking its cues from Redmond by dropping Safari 6 support for Windows.

From Wikipedia: "As of Version 6 Safari no longer supports Windows operating systems."

Boo!!!

As a Linux-based web developer, not only do I need a Windows virtual machine for IE testing, I now need to buy a Mac (ughh) or jump through hoops to virtualize it (ughh redux).

Comparing MV* frameworks

0 comments

For all you developers out there that haven't already decided on your favorite model view controller (MVC) framework, here's a great project that objectively allows you to compare many of them side-by-side: TodoMVC.

Mobile development truth ... pass it on

0 comments

A great preface from Jonathan Stark:

"Like millions of people, I fell in love with my iPhone immediately. Initially, web apps were the only way to get a custom app on the device, which was fine by me because I’m a web developer. Months later when the App Store was announced, I was jacked. I ran out and bought every Objective-C book on the market. Some of my web apps were already somewhat popular, and I figured I’d just rewrite them as native apps, put them in the App Store, and ride off into the sunset on a big, galloping pile of money.

"Disillusionment followed. I found it difficult to learn Objective-C, and I was turned off by the fact that the language was of little use outside of Mac programming. Xcode and Interface Builder were pretty slick, but they weren’t my normal authoring environment and I found them hard to get accustomed to. I was infuriated by the hoops I had to jump through just to set up my app and iPhone for testing. The process of getting the app into the App Store was even more byzantine. After a week or two of struggling with these variables, I found myself wondering why I was going to all the trouble. After all, my web apps were already available worldwide—why did I care about being in the App Store?

"On top of all this, Apple can—and does—reject apps. This is certainly their prerogative, and maybe they have good reasons. However, from the outside, it seems capricious and arbitrary. Put yourself in these shoes (based on a true story, BTW): you spend about 100 hours learning Objective-C. You spend another 100 hours or so writing a native iPhone app. Eventually, your app is ready for prime time and you successfully navigate the gauntlet that is the App Store submission process. What happens next?

"You wait. And wait. And wait some more. We are talking weeks, and sometimes months. Finally you hear back! And...your app is rejected. Now what? You have nothing to show for your effort. The bubble.

"But wait, it can get worse. Let’s say you do get your app approved. Hundreds or maybe thousands of people download your app. You haven’t received any money yet, but you are on cloud nine. Then, the bug reports start coming in. You locate and fix the bug in minutes, resubmit your app to iTunes, and wait for Apple to approve the revision. And wait. And wait some more. Angry customers are giving you horrible reviews in the App Store. Your sales are tanking. And still you wait. You consider offering a refund to the angry customers, but there’s no way to do that through the App Store. So you are basically forced to sit there watching your ratings crash even though the bug was fixed days or weeks ago.
Sure, this story is based on the experience of one developer. Maybe it’s an edge case and the actual data doesn’t bear out my thesis. But the problem remains: we developers have no access to Apple’s data, or the real details of the App Store approval process. Until that changes, building a native app with Objective-C is a risky proposition.

"Fortunately, there is an alternative. You can build a web app using open source, standards-based web technologies, release it as a web app, and debug and test it under load with real users. Once you are ready to rock, you can use PhoneGap to convert your web app to a native iPhone app and submit it to the App Store. If it’s ultimately rejected, you aren’t dead in your tracks because you can still offer the web app. If it’s approved, great! You can then start adding features that enhance your web app by taking advantage of the unique hardware features available on the device. Sounds like the best of both worlds, right?"

Source: O'Reilly

Weird line wrapping in bash shell

0 comments

The other day I was working on a new remote server and I noticed the text of long commands was wrapping to the beginning of the same line -- very annoying.  It took awhile to find the obscure solution so I thought I'd pass it along.

Genealogy tips and issues

0 comments

I'm a big fan of new Family Search but there are three major features that are missing by design:

  1. Creating nice family history charts
  2. Finding available names to take to the temple
  3. Exporting family history data
Each of these represent a widespread need and I'm really surprised new Family Search doesn't offer them but apparently the site is geared towards a specific goal and leaves the rest of the features for affiliate tools (that said, I still can't figure out why #2 isn't included by default).

To resolve these issues, I recommend the following:

  1. Tree Seek is a great free service for creating nice looking family history charts
  2. Ancestors Waiting is another wonderful free service that quickly identifies temple-ready names in your lineage
  3. ?? - all I want is a simple web-based or Linux-based application to download my new Family Search data but alas, I can't find a free service that provides that simple task.  Any suggestions?  Also, I wouldn't mind paying a nominal annual fee for securely sharing genealogy work among the members of my family but the GUI needs to be clean and simple.  (AncestrySync looks promising, but doesn't support Linux)



Normalizing all my audio files with ReplayGain

0 comments

ReplayGain is a nice standard for normalizing the volume levels in your audio files.  Unfortunately, each audio format has its own library and tools to use it.  For example:

  • ogg vorbis: vorbisgain
  • mp3: mp3gain
  • aac (possibly also mp4 audio, m4a, and whatever other extensions Apple uses): aacgain
  • flac: metaflac --add-replay-gain
  • wavpack: wvgain 
Fortunately, I came across a nice tool called rganalysis that applies Replay Gain to all your audio formats at once.  To install:
cd ~
sudo easy_install -U plac
sudo easy_install -U quodlibet
sudo easy_install -U mutagen
git clone git://github.com/DarwinAwardWinner/rganalysis.git
cd rganalysis

To test, try something like:

./rganalysis.py --dry-run <path to music>

To run, use:

./rganalysis.py <path to music>


The full set of command line options can be found here.

P.S. Audacious is a nice audio player that supports ReplayGain by default.  Also, to convert wav files to flac, use the following command:
flac --best *.wav
P.P.S. If you just want to normalize all audio for any audio player (actually modifying the audio file waveform), you can use normalize:
normalize-audio *

Context menu option to add a song to audacious playlist

0 comments

Personally, I like the Audacious audio player.  It's simple, supports ReplayGain, automatically adds multiple selected files to the playlist, and is popular.

Recently, I wanted to add a couple songs to an already playing playlist.  Although I could just select the file(s) and then drag them to into the player, I wondered if I could create a right-click context menu to add them to the playlist instead.  It turned out to be really easy:

Follow this guide and instead of their brasero command line example, use:

audacious -e %U
Then, when editing the .desktop files, change the "Name" line to:
Name=Audacious Playlist
and add the following line:
Icon=audacious

Base64 quirks

0 comments

Base64 is an amazing text-based encoding scheme.  That said, it has its quirks.

For example, RFC 2045 states "Encoded lines must not be longer than 76 characters" but that add excessive processing overhead when, say, converting a 3MB image to base64.  However, if you don't add line breaks at all, some browsers and rendering engines choke on large data sets.  So, a general rule of thumb is to add a line break char ("\n") every 8191 characters (or every 8000 to keep it simple and allow some cushion).  This should fix any browser/renderer issues and make the data much more readable in formats such as SVG.

Another issue: adding base64 data to JSON is problematic because JSON doesn't allow line breaks within a single key/value pair (line breaks are generally stripped out automatically).  Viewing a JSON file with a large base64 encoded object will typically give you garbled lines.  I've tried a number of editors (gedit, leafpad, tea, eclipse, nano, emacs, scribes, geany) for a decent read-only viewing experience and the best options I've found so far are vim and SciTE.

Note: if you plan on using SciTE, install it and then from the menu choose "Options > Open User Options File" and enter the following:

open.filter=All Files|*.*
line.margin.visible=1
line.margin.width=3+
title.full.path=1
title.show.buffers=1
split.vertical=0
wrap=0
buffers=20
check.if.already.open=1
position.maximize=1
font.base=$(font.monospace),size:11

Finding the right NoSQL database

0 comments

At work the other day I needed a simple database to store some JSON data.  I figured I'd use the opportunity to review the various NoSQL databases available and choose my favorite.  My needs were simple:

  1. Must support Windows and Linux
  2. Must have a cross-domain read/write RESTful API (preferably without complicated JSONP callbacks)
To save you the two days of searching it took me, I'll summarize my findings here:

  • MongoDB - no writeable REST interface
  • OrientDB - version 1.0 was released this week but was too buggy and the REST interface wasn't cross-domain
  • CouchDB - I couldn't find any mention of a RESTful API in their documentation
  • ArangoDB - alpha quality, not meant for production
  • Riak - doesn't support Windows
  • Cassandra - no REST interface
I was starting to lose hope when I remembered a friend mentioned ElasticSearch awhile ago so I figured I would try it out.  VoilĂ  - It worked great!  Its REST API fit well with jQuery AJAX and it supports both Windows and Linux.

I'll update this post soon with some code samples and instructions on how to install an excellent Dashboard GUI.

P.S. ElasticSearch isn't perfect.  As with anything, there's a few gotchas to be aware of.

Compiling PhantomJS 1.5 on Webfaction

0 comments

Webfaction is a cool web host because they allow you to compile source code and run custom binaries.  One example of when this might be useful is to run PhantomJS.  Normally, you would download and install the pre-compiled version as described in an earlier post, but I ran into a bug the other day that was fixed in trunk and I couldn't wait for 1.5.1 to be released so I compiled PhantomJS on Webfaction myself and thought I'd share it in case it's useful for anyone else:

mkdir -p $HOME/src

cd $HOME/src

wget 'http://ftp.tux.org/pub/X-Windows/ftp.hungry.com/chrpath/chrpath-0.13.tar.gz'
 
tar -xzf chrpath-0.13.tar.gz
 
cd chrpath-0.13

mkdir build

./configure --prefix=$HOME/src/chrpath-0.13/build

make && make install

cp $HOME/src/chrpath-0.13/build/bin/chrpath $HOME/bin

cd $HOME/src

git clone git://github.com/ariya/phantomjs.git && cd phantomjs
 
git checkout 1.5
 
./build.sh

cp $HOME/src/phantomjs/bin/phantomjs $HOME/bin


To test:

phantomjs --version
 

Evolution of a PHP backdoor evasion

1 comments

I came across a rather clever PHP obfuscation technique today that I thought would be worth sharing.  Every web server administrator knows it's a constant battle to keep the bad guys out and the cat and mouse game continues to escalate.  For example:

Back in the good 'ol days, attackers would use simple code that could be easily detected:

$backdoor = phpinfo();
Antivirus and antimalware scanners caught on quickly and detected these infections with relative ease.  So, the attackers upped the ante:
eval(gzinflate(base64_decode("U0lKTM5Oyc8vUrBVKMgoyMxLy9fQtAYA")));
By obfuscating the payload it became a little more difficult to analyze.  So, the good guys started looking for eval, gzinflate, and base64_encode statements.  In response, the attackers obfuscated those signatures as well:
$g = strrev("etalf"."niz"."g");
$b = "bas"."e64"."_de"."code";
eval($g($b("U0lKTM5Oyc8vUrBVKMgoyMxLy9fQtAYA")));
By breaking up the decoding mechanism, signature-based detection was much more difficult.  Still, the critical eval component was a glaring red flag, so the attackers hid that as well:
preg_replace("/rAnDOm745/e","phpinfo()","rAnDOm745");
By using the eval modifier of the preg_replace function (that "e" on the end of the regexp statement), a string could be substituted and evaluated as PHP code.  Clever, but the attacker lost their payload obfuscation in the process.  So, as a final knockout punch, the attacker obfuscates the payload as well:
preg_replace("/rAnDOm745/e","Vu3HaJMsade30qrvbeMEw9"^"r\x17R\x2b\x0A\x2e\x22\x1c\x13DX\x13\x40\x19\x02\x1f\x0c\x03\x22m\x5e\x02","rAnDOm745");
I know what you're thinking...that's a bizarre mishmash of nonsense.  At first glance it looks like base64 encoding (alphanumeric chars & equal signs) on the left and hexadecimal encoding (backslash x then two chars --> \x##) on the right.  Both guesses would be wrong.  Go ahead and plop it into a php file and see what happens...

Yeah, phpinfo() ran.  How?  It turns out, PHP strings have some really obscure bitwise operators.  If you put a caret (^) between two PHP strings (double-quoted, not single quoted), you can perform a bitwise XOR.  A what?  Let me explain.  Let's say you have a "V" char.  This can be represented in binary as 01010110.  Yeah, so what?  Well, let's say you have a "r" char.  This can be represented in binary as 01110010.  So what, again, right?  Well, let's put these binary values on top of each other:

01010110
01110010

Now, for each column, if the values on top and bottom match, set a 0.  If they don't match, set a 1.  So you end up with something like:

01010110
01110010
__________
00100100

Ok, now what?  Well, take that final result and convert it from binary back into ASCII.  What do you get?  A "$" char.  Weird!  I know.  It turns out, if you echo that "nonsense" in the preg_replace replacement field:
echo "Vu3HaJMsade30qrvbeMEw9"^"r\x17R\x2b\x0A\x2e\x22\x1c\x13DX\x13\x40\x19\x02\x1f\x0c\x03\x22m\x5e\x02"
you get
$backdoor = phpinfo();
Pretty wild, huh?  Now if you put all the pieces together, preg_replace is taking a temporary string and replacing it with a bitwise XOR string and then evaluates that string as PHP.

Of course the actual payload of the "Web Shell by Orb" (WSO) backdoor I found on the server was much more complex than a simple phpinfo call.  Ughh...I hate spammers.

...hope this tutorial didn't bore too many of you but it took me a few hours to break this apart so I thought it might save someone else the headache.

P.S.  It's going to be pretty tough to look for a signature of this kind of attack.  The find/replace string can be totally randomized and the spacing around the two strings and the caret can be random as well (..." ^    "...).  Also, in bitwise XOR, every char can be represented in a number of ways.  So:
"M"^"\x22" = o
"s"^"\x1c" = o
Your best bet is to disable eval and disable //e altogether.