Friday, 7 October 2011

Steven Paul Jobs 1955-2011

It was a bit unexpected yesterday. It has been over 24 hours now but the shock lingers on. From the home page of Apple Inc yesterday:

Steve Jobs

Steven Paul “Steve” Jobs, February 24, 1955 – October 5, 2011 — R. I. P.

Category: Technology | 0 Comment
Wednesday, 11 May 2011

How to Email Busy People

Jason Freedman on how to email busy people. As we all know, busy people don’t have time for all your emails, and they do say “crap, Ctrl-A, Delete and let’s start again”.

  1. Subject Lines Matter
  2. Use Your Company Email Address
  3. Remind Him of Context
  4. Limit Your Entire Email to 5 sentences or Less
  5. Make Your Ask Explicit
  6. Respond Immediately
  7. Include a Short, Professional Signature

Need to remember that the next time I email.

Category: Life | 1 Comment
Tuesday, 10 May 2011

Google Chrome Hacked

Via Hacker News. Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass.

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.

I would hope an update to fix the exploit would be released soon, although sandboxing has already proved to be insecure, which makes future exploits easier. Meanwhile, I’m going back to browsing by telnet hostname 80.

Category: Technology | 0 Comment
Friday, 8 April 2011

Securing PHP-FastCGI on Nginx

Via Hacker News. Setting up PHP-FastCGI and nginx? Don’t trust the tutorials: check your configuration! I have in fact written quite a few tutorials and published automated scripts that are vulnerable. It seems the easiest way to prevent this issue is to add a try_files statement (or an if (-f $request_filename) if nginx -V < 0.7.27) to the location ~ \.php block. For example:

location ~ \.php$ { # For nginx -V >= 0.7.27
  try_files $uri =404;
  fastcgi_pass localhost:8080;
  ...
}
location ~ \.php$ { # For nginx -V < 0.7.27, i.e. Debian 5
  if (-f $request_filename) {
    fastcgi_pass localhost:8080;
  }
  ...
}
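To act on "check your configuration", here is a small audit script, added as an example and not part of the original post or the linked article. It looks for PHP location blocks that call fastcgi_pass without either of the two guards shown above. The sample config, the function names and the regexes are assumptions made for illustration; it is a text heuristic, not a full nginx parser.

```python
import re

# Constructed sample config: first PHP location is unguarded, second is guarded.
SAMPLE_CONF = r"""
server {
  location ~ \.php$ {
    fastcgi_pass localhost:8080;   # no file-existence check first
  }
}
server {
  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass localhost:8080;
  }
}
"""

LOCATION = re.compile(r"location\s+[^{]*\\\.php[^{]*\{")
GUARDS = (
    re.compile(r"\btry_files\s+\$uri\b[^;]*=404\s*;"),        # nginx >= 0.7.27 form
    re.compile(r"\bif\s*\(\s*-f\s+\$request_filename\s*\)"),  # older form
)

def block_body(conf, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in config")

def audit(conf):
    """Return [(line_number, guarded)] for each PHP location that calls fastcgi_pass."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, keep line numbering
    results = []
    for m in LOCATION.finditer(conf):
        body = block_body(conf, m.end() - 1)
        if "fastcgi_pass" in body:
            guarded = any(g.search(body) for g in GUARDS)
            results.append((conf.count("\n", 0, m.start()) + 1, guarded))
    return results

if __name__ == "__main__":
    for line, ok in audit(SAMPLE_CONF):
        print(line, "guarded" if ok else "UNGUARDED")
```

The check only confirms that a guard appears somewhere in the block, so a flagged or passed location should still be read by hand.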
Category: Technology | 1 Comment
Thursday, 17 March 2011

OOP is Distracting

Don’t Distract New Programmers with OOP.

The shift from procedural to OO brings with it a shift from thinking about problems and solutions to thinking about architecture. That’s easy to see just by comparing a procedural Python program with an object-oriented one. The latter is almost always longer, full of extra interface and indentation and annotations. The temptation is to start moving trivial bits of code into classes and adding all these little methods and anticipating methods that aren’t needed yet but might be someday.

Haven’t I seen that all too often on that project that I have worked on over the past 10 years?! Premature optimisation is the root of all evil. Unnecessarily architecting the solution won’t be too far from that.

Category: Technology | 0 Comment
Tuesday, 15 March 2011
Friday, 11 March 2011

Trust and Impact

Via James Yu’s farewell blog post on his startup employee life at Scribd.

This brings us to the most important quality that enables impact: trust. Without trust, employees aren’t empowered. And without empowerment, there can be no impact… This is exactly the reason why startup hiring is difficult: the amount of trust required in the candidate is magnitudes above that of large companies.

It is so hard when you are evolving from one to two.

Tuesday, 8 March 2011

Liam Neeson’s “Unknown” (2011)

Went and watched Unknown with Vivian at Westfield Eastgarden today — something that I would never have been able to do with a day job. 10:40am in the morning with a bunch of oldies in the cinema, and almost felt like one as well.

As for the movie — acting was good and Liam Neeson was great. It was a bit boring at the beginning, where you know about it all from the movie trailers. Dr. Martin Harris went into a coma for 4 days, and everything changed for him when he woke up. Identity stolen, wife stolen and being treated like a lunatic in Berlin. Then the action starts — that’s how much the trailer has told us. There is however a big twist in the plot in the final act, which tells us why everything happened the way it happened, which was a surprise. The ending is a bit weak, but strong delivery of the story nevertheless.

Moral of the story: don’t ask the taxi driver to load your suitcases!

Category: Life | 3 Comments
Monday, 7 March 2011

Number of 2010 – 72,950,295

According to Google Analytics, the 6 web properties on which I have the tracking script received a total of 26,170,964 visits and 72,950,295 page views in 2010. Some sites went up and up, and some sites went down and down (like this very blog). Managing all that has certainly burnt all my midnight oil last year. Now I have a little bit more time this year — hopefully I can push that number up a bit further. 100 million page views this year? One can surely hope :)

Category: Life | 0 Comment
Sunday, 6 March 2011

SIP Attack! Home VoIP ATA Got DoS’ed

Bought an ATA from Cormain back in January. It’s ugly, but it works. Connected to our new Billion 7800N ADSL2+ router and makes calls via PennyTel. No problem whatsoever until a week ago. Suddenly VoIP stopped working. I was also unable to connect to the ATA’s web admin interface to figure out what might be wrong. I thought the ATA was dead. Nasty cheap product! I thought maybe I bought a lemon and now need to file a warranty claim.

Interestingly though, when I disconnected the ATA from the WAN interface, I could connect to its admin interface via the LAN port. However, right after I connected the LAN port to my ADSL hub, any request to the admin interface would time out. That’s weird, so I turned on syslog to log the system messages to my external syslogd, and then connected the LAN port. Wow — heaps of log messages. Here is a snippet:

Mar  3 22:26:24 CDUaUdpStack::OnReceiveFrom(803fa460, 334)
Mar  3 22:26:24 from:50.22.171.5, port:5112, len=334, REGISTER sip:xx.xx.xx.xx SIP/2.0^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1614305573;rport^M Content-Length: 0^M From: "152" ^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "152" ^M Contact: sip:123@1.1.1.1^M CSeq: 1 REGISTER^M Call-ID: 2269038874^M Max-Forwards: 70^M ^M
...
Mar  3 22:26:24 CUserAgent::SendTo(806f9750, 234, 5112, 50.22.171.5, 0, encryptType=0, udp, 0)
Mar  3 22:26:24 to:50.22.171.5, port:5112, len=234, SIP/2.0 403 Forbidden^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1079254239;rport^M From: "152" ^M To: "152" ;tag=2cfa115b^M Call-ID: 807709011^M CSeq: 1 REGISTER^M Content-Length: 0^M ^M

Repeat the above around 15 times per second! What appears to be happening is — this host 50.22.171.5 has been sending me SIP registration messages at the rate of 15 times per second, and my VoIP ATA is merely replying back with a 403 Forbidden message at the same rate. My ATA is pretty much DoS’ed — I am denied my VoIP service, because it has been too busy servicing bogus requests!

So once I firewall’ed the requests (dropping all packets from that IP), my VoIP ATA got back its sanity again. Hooray!
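A way to find which source to drop without reading the log by eye: the script below, added as an example and not part of the original post, counts inbound REGISTER requests per source per second in log lines shaped like the snippet above. The sample lines are constructed (documentation-range addresses, `^M` kept as the literal text the ATA logs), and the threshold of 10 per second and the function names are assumptions.

```python
import re
from collections import Counter

# Matches the ATA's inbound lines: "<syslog time> from:<ip>, port:<n>, len=<n>, <METHOD> sip:..."
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) from:(?P<src>[\d.]+), "
                  r"port:\d+, len=\d+, (?P<method>[A-Z]+) sip:")
UA = re.compile(r"User-Agent: (?P<ua>.*?)\^M")

def make_sample():
    """Constructed log: one source at 15 REGISTER/s for 2 s, one normal client."""
    lines = []
    for sec in (24, 25):
        for i in range(15):
            lines.append(
                f"Mar  3 22:26:{sec} from:198.51.100.7, port:5112, len=334, "
                f"REGISTER sip:xx.xx.xx.xx SIP/2.0^M CSeq: 1 REGISTER^M "
                f"User-Agent: friendly-scanner^M Call-ID: {sec}{i}^M ^M")
    lines.append("Mar  3 22:26:25 from:203.0.113.9, port:5060, len=310, "
                 "REGISTER sip:xx.xx.xx.xx SIP/2.0^M User-Agent: constructed-phone^M ^M")
    lines.append("Mar  3 22:26:25 CDUaUdpStack::OnReceiveFrom(803fa460, 334)")
    return lines

def flood_sources(lines, threshold=10):
    """Return {src: (peak REGISTERs in one second, user agents)} at or above threshold."""
    per_second = Counter()
    agents = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "REGISTER":
            continue  # outbound replies and stack trace lines are ignored
        per_second[(m["src"], m["ts"])] += 1  # syslog time has 1 s resolution
        ua = UA.search(line)
        agents.setdefault(m["src"], set()).add(ua["ua"] if ua else "")
    peak = Counter()
    for (src, _), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {s: (n, sorted(agents[s])) for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, (rate, uas) in flood_sources(make_sample()).items():
        print(f"{src}: peak {rate} REGISTER/s, User-Agent {uas}")
```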

However, the “attack” did not stop. A large number of requests are still hitting my ADSL router every second. It is also chewing up quite a bit of bandwidth that counts towards my ADSL monthly quota. Here is an MRTG graph.

VoIP DOS'ed

Not a lot of things I can do.

  • I have sent an email to Softlayer’s abuse department (that IP address belongs to Softlayer). Did that a few days ago and still waiting for the reply.
  • I could request a new IP address from Exetel to switch to. A lot of hassle especially with some IP-based authentication.

Will update once there’s a solution. This kind of SIP-based DoS attack seems to be getting very frequent now — what are they trying to achieve?!

Thursday, 3 March 2011

ATI HDMI Output Not Plugged In

Situation: Bought a new big LCD TV with HDMI input. Got a year-old HTPC with Athlon 64 X2, Gigabyte motherboard and ATI Radeon HD 3200 integrated graphics. HTPC has an HDMI output. Connected it up with the LCD TV, but only got video (Windows Vista desktop in 1920×1080 glory on a 55″ LCD TV). No sound whatsoever.

Went into Control Panel to change the audio playback device, and saw the “ATI HDMI Output” device showing “Not plugged in”, and unable to be selected.

Solution: I googled the problem, browsed a few solutions in various forums, opened up the HTPC case to make sure everything is plugged in properly (which they are, as it’s actually an all-in-one motherboard), updated to the latest ATI driver, etc. Nope. Nothing works.

Then it turns out that it’s just a matter of getting into the BIOS (pressing [DEL] when the computer boots), going into “Advanced BIOS feature”, and changing “Onboard VGA Output Connect” to “D-SUB/HDMI”. It is usually “D-SUB/DVI” as default setting.

Onboard VGA Output Connect

Booting back into Windows, and the audio would just work :)

Category: Technology | 0 Comment

New Computer – Lenovo ThinkPad T410

Lenovo ThinkPad UltraNav

Introducing my new toy — a Lenovo ThinkPad T410. I have been a Dell man for the last 10 years — having a total of 3 Dell laptops (Inspiron 8000, Latitude D600 and Latitude D630). Well now I am having a change and migrated off Malaysian product to Chinese product :) Build quality is probably on par with Dell Latitudes, but a good $500-$1000 cheaper on a similarly configured system, thanks to regular Lenovo bargains that are up to 35% off.

Spec of my new toy work horse

  • Intel Core i5 580M
  • 4GB memory
  • 320GB SATA HDD with 7200RPM
  • NVIDIA Quadro NVS3100M graphics
  • Windows 7 Professional 64bit
  • DVD-RW, 2.0MP webcam, Intel 802.11bgn, and all the works
  • Legendary Lenovo ThinkPad keyboard with UltraNav

Since I am doing so much typing on the keyboard, it makes sense to get a notebook with the best keys. That rules out most cheap notebooks and any with chiclet keyboards, considering I was using this at work before. ThinkPad keyboard rocks, even better than the D630 I had before, which I thought was pretty good already.

And the UltraNav. Wow. Now I remember why I never bothered to use that blue sticky thing on my old Dell Latitude, because it sucks. Lenovo’s implementation is so much better (considering they actually popularised it). At the same time I found the trackpad not as responsive as my old Dell, which forces me to use the trackpoint more.

So far so good. This will be my main computer for the next 3 years, and hopefully it lasts.

Google’s New 404 Page

Much better looking 404 Not Found page at Google. Interestingly this is a single HTTP request — despite the Google logo and that blue’ish broken robot, which are embedded as url(data:image/png;base64,...) in inline CSS inside the HTML.

Category: Technology | 0 Comment
Wednesday, 23 February 2011

Al3x on Community

Interesting reading from Alex Payne, on issues facing Hacker News, but also running a community website in general.

A great community isn’t something that you just set up and periodically patch. Running a great community is a full-time job, not a weekend hack project.

Indeed — and that applies to some of the community sites I run as well. You do need to put “time” into it.

Category: Technology | 0 Comment