Over the last one and a half years I’ve been involved with the SECOQC project. It’s goal was to provide a prototype of a quantum key distribution network. Such a system would provide unconditional security, thus wouldn’t be isn’t vulnerable to improvements in computing power as traditional cryptography.

The final presentation of the prototype happened this Wednesday. The last days and nights before that were filled with applying the last fixed but finally it was worth the time. But let the newspapers do the talking: orf, heise, der standard, sueddeutsche, Austrian Telekom News. There was quite good news coverage in german-speaking Europe (and some eastern europe countries) but sadly the news didn’t seem to have jumped over the pond (at least some American physicists were at the presentation so it got noticed anyway).

Feels strange to know that something that big and cutting-edge is finally successfully finished.. and that I’m an unemployed student agai

From the BSD that claims of itself:

Only two remote holes in the default install, in more than 10 years!

from its latest changelog (4.3):

Assorted improvements and code cleanup:

• ..
• TCP responses to highly fragmented packets are now constructed without risking corruption of kernel memory.

Erm, colour me confused but a network-triggered memory corruption sounds like a remote hole. At least it shouldn’t have been placed in the ‘code cleanup’ section.

As mentioned in part 1 my task is implementing a mail and campaigning module. I started out with a pure Ruby on Rails application and moved to a mixed Java/Rails applications as Ruby’s communication libraries where just lacking mandatory features. I choose Java/Hibernate/Spring as the combination should provide me with most needed features through an easily extend- and configurable framework. What are my findings so far?

More…

One of the components of the system developed here at Blackwhale is an fairly advanced web mail/campaigning and analytics system. The first iteration of that component was fully implemented in Ruby on Rails. Writing the front end was fairly easy and fast, a perfect opportunity for Rails to display its strengths. On the back end and communication part on the other hand I stumbled into various problems:

• Compared to PHP, Python or Java there are just too few communication libraries. And even the libraries that exist are lacking fundamental features and almost all of them come without useable documentation. That there is no encryption (SSL or TLS) support in the whole Ruby 1.8 mail libraries is an outright shame. The IMAP library is so clumsy that a web company sells their own (still not perfect library) through their online store and they seem to make a good buck with it.

  On the Java side is just a completly different picture: Lots of libraries, even documented ones are available. After having to touch the TMail (rail’s MIME mail handler library) API using javax.mail is a heavenly gift. And it seems that the TMail generated MIME messages were invalid in a couple of cases. Not the best feature of a support library. Also the chance of finding unsolved known bugs and errors seems to be lot smaller in Java.

• This brings me to another point: I might change my opinion on Java’s constraints on its users. Java tries hard to prevent errors (i.e. the forced exception catching). I always thought that that took too many stylish possibilities away from the user, but by now I must confess that I think that this is exactly what I want from something that I’m using on the network side. I’m a lazy programmer, I want to be reminded and forced to write secure and stable code. This is the quite different to Ruby and Rails ‘make it easy for the programmer’ attitude.
• Background processing is hard. As Ruby on Rails is not multi-thread safe you can’t just spawn a thread if you need to perform some longer running task. Another disadvantage of using a single-process model is that the long running request will occupy one rails worker (i.e. rails cluster process) until it has finished - in our case that costs us around 60MB of memory per long running request, even if it is just waiting for some simple SMTP feedback. If you can find a situation where you can delay the execution of a network related task (and if you don’t you’re not thinking) for two seconds, 6 requests per seconds will DoS a standard rails cluster.

  The only solution that’s actually usable is BackgroundRb. But projects that just change their background communication system just don’t sound to production-grade ready for me. Also the admin start/stop scripts for their background server didn’t work too well for me.

• For a language that interferes it’s object’s attribute types directly from the database the ActiveRecord layer is weak. Don’t get me wrong, I understand that the Simplicity is needed to make it easily usable but I ran into various situations where I’d love to have a full blown ORM behind me. One feature that is needed quite often by our application is inheritance. ActiveRecord only offers single table inheritance, and even there you have to make sure that each row is valid (ActiveRecord should have all needed information to do that by itself BTW) or you will run into problems later on. One problem is, that it tries to abstract too much functionality away from the database while not provided as advanced interfaces by itself. Data integrity handling? Abstracted away by rails, so all databases can be used the same. The drawback is, that the data constraints and relations are fully handled by rails and not passed on to the database. Any process that might produce invalid data (e.g. a faulty rails component) might corrupt the data. Rails is able to handle that cases by itself (due to ducktyping and very few default checks), but access that data with any other framework and it blows up directly into your face.
• Transaction handling. Just try it. Then cry. Also I’m not sure if Transaction handling is even done on database level or in Rails (as done with constraints). If the later is true, it’s acutally not worth anything as soon as more processes try to access the database.

The library and documentation problems where the main reason for me to reimplement the mailing and campaigning backend in Java. The front end is still a Rails application — which is exactly what Rails is for. As I’m no friend of blown-up EJB based solutions I’ve choosen a simple Spring and JPA based solution for that problem.

I’m currently testing the last features and replacing the Ruby code part by part. As soon as I’ve done that another blog post will examine the two implementations, how much time was spent on coding them and how they perform when compared to each other.

Ruby on Rails uses Ruby 1.8 which still lacks support for STARTTLS or SSL. This was added in Ruby 1.9, but as this release is designated to be unstable (and only the road to a stable Ruby 2.0) Rails 2.0 doesn’t support running with it.

What to do? It’s a shame that a web framework like Rails doesn’t support secure transmission of mails.

So I rolled my own Ruby on Rails plugin that extends the base Net::SMTP class with STARTTLS features. You can just call Net::SMTP.enable_tls (or do the same with an instance variable) to enable secure communications.

Honestly I didn’t write all the code on my own but searched the net and adapted some around-floating patches to this plugin as this is the easiest way of providing the needed TLS support to rails.

So if you need it, just grab it from here. More Information can be found in the plugin’s README file. Have fun and share your improvements to the plugin.

I wanted to upgrade on project of mine to Ruby on Rails 2.0 to automatically get some security and performance upgrades. So how to do it? My first try was:

1. checkout a new copy of my project from the SCM
2. upgrade the used rails version to EdgeRails
   (through executing “rake rails:freeze:edge” twice)
3. adopted the RAILS_VERSION variable in config/environment.rb
4. Got a “500 Internal Error” without any usable logging information on starting the Rails server (”script/server“)

So what? I upgraded everything as planned and got an error without any real debugging help. What to do now?

After some googling around I found Mislav Marohnic’s excellent r2check.rb script. Just run it in your Rails directory and it will report a lot of errors and deprecated features that might hit you. One of those reported errors was the new notation for singular resources, after it converted my resources.rb the application finally started (albeit I had to fix some errors in the restful_authentication plugin, but nothing to heavy). So now I’m running Rails 2.0.1 and some pages really fell a lot faster.

Thank you very much for that script!

I own an iPod for the last three years, happiness fluctuated in that time (mostly because of Apple’s crappy customer service). Lately I became fed up with Apple’s proprietary stance, especially its repeated attempt to make the iPod unusable from platforms other than Windows and MacOS got on my nerves.

I was able to circumvent the other short comings as the iTunesDB which a little painful to use through Linux as well as the limited audio codec choice the firmware offered.

I knew about the alternative firmwares like rockbox and iPodLinux but my earlier attempts where rather frustrating installation was hard, usability not as good as Apple’s and the battery life-span suboptimal.

The day before yesterday I retried rockbox and am very positively surprised: I suspected another cryptic command line installation routine but got a graphical tool (rbutilqt) which allowed a single-click installation. The same tool downloads all needed files and firmwares, also it used for installation of new themes. This is the first advantage above the normal iPod: rockbox has theming support.

The first impression isn’t too impressive for rockbox: it just shows a simple navigation list in a way to small font. I never thought that my iPod’s display would be that high-resolutioned..

The first configuration step was to select a better theme. I don’t want to hear the critics (you know who you are) that will claim that the only good looking and usable themes look like aqua-ish or media player-ish copies. At least they work better than the normal iPod GUI, which in hindsight now looks rudimentary. The theme that I currently use shows details as battery state in percent, estimated rest battery capacity in hours, acute volume information. Apple could copy that. The drawback is that while the ‘Currently playing’-screen is themeable (and some themes are great) the music selection screen is just the list, rendered in a way too small font (which is configurable, but changing it might break some themes). Rockbox could copy Apple’s simple music selection. I use my iPod as a music player, not as a small computer.

Are there other advantages from using rockbox? Quite a few! Crossfading and volume normalization are features that you can easily get used to. Also rockbox supports around 15 different audio formats (compared to the original iPod’s four), of which I use at least ogg and flac regularly. I can also get 10-12h of playback time out of my iPod - I don’t have the times ready for the original firmware as it didn’t really state it.

And desecrating an Apple product is also quite fun..

Approximately one week ago I claimed that I was happy replacing Ruby on Rails with a conglomerate of Java frameworks. I’ve got wiser. Even with maven2 it’s too hard to get even a simple mavenized spring2, acegi, spring-jpa-hibernate configureation to work.

So I’m back to Rails. By now I feel more comfortable in the framework, but there are still some open issues but most things just work (TM).

You’re an atheist?

Only on Christmas or Easter,
the rest of the time it doesn’t really matter

House, M.D.

The last four days back home in Carinthia passed too fast.. and as soon as I was back in Vienna work covered me again.  I’ve finally finished my climbing lessons, didn’t even miss one of them. Now I hope that I can find the motivation to visit those halls of pain again. I’m more than a little bit proud of my discipline, I even attended each Pencak Silat class until now - alas my performance in those ain’t the best.

I spent most of today’s afternoon coding a quite simple web application using JavaServer Pages with a Spring2, Hibernate and Java Persistence Architecture back-end.  Security is handled through acegi, packaging through maven. Although this is more time-consuming compared to the last Ruby on Rails application I coded but there’s less Voodoo involved. Overall the resulting system feels more secure and stable.

As I tend to break hardware every now and then I bought Dell’s CompleteCare pack for my new notebook computer. It comes with an comparable price tag to common insurances: approx. Euro 250 for 3 years.

Yesterday I got time to read the insurance policy  (which is issued by London General Insurance Company Limited), there were some disappointments in it:

CompleteCare - accident protection part:

• While the insurance is world-wide the notebook will only be replaced in some countries. Those include most European ones but the United States are excluded. If an accident happens in one excluded country it is my task to get the notebook to an included country where London’s Insurance agent might do the repair.
• The insurance is limited to three insurance claims
• Buckles and scratches are excluded as well as damages done through fire
• As soon as repair is done by anyone except an accepted agent the insurance warrant is void
• no war or terror related damages will be repaired

CompleteCare - burglary related part:

•  The same country specific limitations occur - so I should be covered but wouldn’t get a new computer if I’m in the U.S.
• The insurance only covers burglaries as long as there was an actually attack (against my person) or housebreaking is involved. If the notebook gets stolen at a airport the insurance won’t hold.
• If I leave the notebook at work it’s not enough if the work room is secured, the notebook must be stored in a safe deposit box or such.

Needless to say that I’m not really impressed.

I do understand that the computer is only replaced in countries where there’s Dell support available but why are the United States excluded?

The burglary insurance is next to useless as long as the “kingston lock security chain” is not a valid protection measure (as noted in the policy). But hey, what do expect of a company with a Ltd. in its name?