Woes of moving to a more secure world

June 11th, 2017

If you haven’t noticed, my blog is now secure from the NSA peeking at your comments by the magic of TLS and Lets Encrypt !

But doing this, I forgot to update WordPress’s notion of what URL this blog lives on, and as a result comments posting didn’t actually work.

Sorry about that, and now it should work fine,

Script Day: “secure” password generated one liner

June 11th, 2017

Ever needed to create a “secure” password to register to a web site(1) and you couldn’t be bothered to invent a secure password? Just paste this command line to your terminal:

ruby -e 'puts [*"a".."z",*"A".."Z",*"0".."9",
  "!@#$%^&*()_+[]/-=.,".split("")
  ].shuffle[0..(ARGV.shift.to_i)].join' 16

The last argument is the number of characters to put into the password.


  1. that probably annoyingly require “at least 1 upper case letter, 1 lower case letter, 1 number and 1 special character” []

Script Day: AWS CLI with multiple accounts with ease

May 29th, 2017

Maybe you are a consultant and juggle multiple clients with Amazon Web Services deployments, maybe you just have accounts for all the start-ups you ever worked for, or maybe you just like to use 17 different AWS accounts for the free-tier usage, but eventually your ~/.aws/credentials file looks like an MS-Windows INI file.

At this point, running the AWS CLI is kind of annoying – you need to remember the correct --profile flag to set for each scenario, and bash will not complete these for you…

Bash aliases to the rescue!

Read the rest of this entry »

SSH-over-HTTPS for fame & profit

April 18th, 2017

In the past, I’ve discussed using SSH to circumvent restricted networks with censoring transparent proxies, but that relied on the restricted network allowing free SSH access on port 22 (what we call in the industry – the single network requirement for getting work done).

Unfortunately, there are restricted networks that don’t even allow that – all you get is the transparent censoring HTTP proxy (which has recently became the case with the free Wi-Fi on the Israeil Railways trains).

But fortunately for us, there is still one protocol which they can’t block, they can’t proxy and they can’t man-in-the-middle  – or else they’d break the internet even for people who only read news, search google and watch YouTube – that is HTTPS.

In this article I’ll cover running SSH-over-HTTPS using ProxyTunnel and Apache. The main consideration is that the target web server is also running some other websites that we can’t interrupt. The main content is based on this article by Mark S. Kolich, but since it only covers using plain HTTP and in addition to some simple changes in the example configurations I also wanted to cover getting an SSL certificate, here’s my version of the tutorial:

Read the rest of this entry »

Is Precise Canonical’s XP?

March 15th, 2017

Canonical, makers of the Ubuntu operating system, have just announced that their about to expire “long term support” version is getting a longer “security only” life extension.

Sounds familiar?

Like other vendors who have similarly offered such life extensions in the past, the new support contract will only be offered to corporations who subscribe to the pricey commercial support package (at $250/year per VM and $750/year per physical server).

Read the rest of this entry »

The GitLab system crash and what can we learn from that

February 1st, 2017

Yesterday night, GitLab’s hosted service (gitlab.com) suffered a database crash and the service went down for a day(1).

I’m not going to discuss the technicalities of the down-time (which is covered extensively in the blog post linked above), except to note that “shit happens” – my main take-aways from that are basically two:

  1. Don’t let tired people handle critical system issues, and if you ever find yourself juggling the third production issue at midnight after a full day of work – just say: “no, I’m not going to fix this – some one else must step in or we leave the system down for tomorrow”.
  2. The GitLab process for handling the failure was nothing short of amazing, and they deserve all the kudus for that: After figuring out how deep in shit they are, and posting a “sorry we’re down” page on the main web site, they:

I think this should be the standard from now on how to handle system crashes on your public facing application – 1000% transparency should be how these things are handled if you have any hope of recovering the trust of the community in your service.


  1. at the time of writing, the service is still not up, but its not yet even 24 hours since the crash happened []

Polymer Runtime Application Configuration

January 18th, 2017

When creating web applications, we often need to have some parts of the application configuration for the deployment environment – usually web service API endpoints have different URLs in different environments, such as using a production web service in production and a locally hosted web service during development.

Such a feature is implemented in many web frameworks and building tools for web applications, such as Gulp or Grunt. Unfortunately, when building applications using Google’s Polymer SDK, there are no such features available – reviewing the Polymer documentation one, there isn’t even any mention of how one handles such mundane tasks as configuring API URLs, except hard-coding them(1).

Developers have tried to solve this problem in different ways, from adding “environments” feature for Polymer’s internal build tool; abusing “behavior modules”; or using “app globals” custom element with complex code to share application-level state. None of these features work well or elegantly (except maybe the environments feature, if it ever gets implemented).

Here is the solution I came up with – with many thanks to Daniel Tse that described part of the implementation in this article – just using the core Polymer elements iron-ajax and iron-meta and without any custom code. Its not the most elegant thing that can be done, but it is relatively simple and works well. Its main down-side is that the application configuration is not embedded in the application during build time but loaded from an external file when the application loads – this may even be a required feature in some scenarios but its not the generally accepted practice.

Read the rest of this entry »


  1. all iron-ajax examples, as an obvious example, use hard-coded URLs []

מתכון: קציצות עוף וסלרי ברוטב סלרי חמצמץ

January 13th, 2017

מסתבר שאין לי פה מתכון לקציצות עוף, סוג של קציצות שאני די מחבב, אז הנה משהו שערבבתי לי לאחרונה. הרוטב היא קצת חמוץ וכדי לאזן את זה – גם קצת מתוק, אז תשימו לב. בנוסף הכמויות הן לדי הרבה אוכל – אני מכין בד”כ לשלושה אנשים ואוהב שנשאר לקחת לארוחת צהריים במשרד, אז קחו את זה בחשבון.

Read the rest of this entry »

Googlephobia Paints The World Red

June 4th, 2016

This is an open letter to Chris Fisher from Jupiter Broadcasting (and friends) regarding the recent tirade against Google “winning” the court battle against Oracle for the use of the Java APIs.

A short summary for the uninitiated:

After Oracle bought Sun including their Java implementation, they sued Google who implemented (some of) the Java APIs for use in the Android operating system, for copyright infringement in some source code, copyright infringement on the API definitions themselves and a couple of software patents they held about how to implement some Java behavior. Round one: Some source code was ruled infringing, APIs were found non-copyrightable  and patents were found not-infringing. Round two: A federal court (that normally rules on patent issues) held the ruling of copying (for Oracle) and patents (for Google) but ruled APIs copyrightable and Google infringing on that. Third round: a jury found that Google’s use of the Java APIs was fair-use and no damages should be awarded.

After the last jury decision, there was a lot of back and forth on the internet, notably one Ars Technica article (“op-ed”), by an Oracle lawyer claimed that the result boils down to nullifying any and all open source licenses:

if you offer your software on an open and free basis, any use is fair use.

Then we come to Chris Fisher – as the host of his Linux Action Show podcast, he has spoke out against Google many times in the past, but this tirade in the discussion of the Oracle vs. Google action in the most recent Linux Action Show #419, really demonstrates well the extents of his Googlephobia (LAS #419, 0:46:42):

Read the rest of this entry »

Script day: persistent memoize in bash

September 10th, 2015

One type of task that I often find myself implementing as a bash script, is to periodically generate some data and display or operate on it – maybe through a cron job, watch or simply a loop. Sometimes part of the process is an expensive computation (could be network based, IO intensive or simply subject to throttling by another entity). The way to deal with issues like that in modern programming languages is a caching technique known as “memoization” (based on the word “memorandum”) in the results of an expensive call is retained in memory after the first time, and returned for future calls instead of running the expensive calculation. We also need to clear the cache every once in a while, but that’s another issue.

So, how to implement in bash?

Read the rest of this entry »


Spam prevention powered by Akismet