Monday, March 14, 2022

Named

Name the marauding beast
to mark it from its heedless kin.

Name the rock
as a place to meet
at the hunt's end.

Name each other to...
Oh, kinsmen, what have we done?

You, me, I
separate one from the other.

You are Hunter, she is Healer, he is Runner.

Known by my skills.
Known by my past.
Shackled and chained
by others,
by myself.

No longer free to be.
No longer free to flow
with Nature and Time.

Named.


Jim Hart
1997

Copyright Jim Hart, 1997, all rights reserved. May not be copied or published digitally or in print without express permission of the author.

Thursday, March 4, 2021

Thoughts on Chromebook

In particular, Acer CB515.

We have retired our desktop computers, a Mac Mini and the mid-tower running Ubuntu, in favor of Acer Chromebooks. Yes, there is the concern about being logged into Google all the time. Offsetting that are the following pluses:


  • Low price ($300, Oct. 2019)
  • Simple
  • Excellent performance
    • Dozens of browser tabs
    • Half a dozen or more apps
    • Slow loading Linux apps...but once loaded performance is excellent
  • Run most Android apps
  • Multiple desktops (with a dedicated key for creating and switching - F5 on external keyboard) and separate desktops for each display
    • With one external monitor and the laptop screen, that's 4 desktops each for a total of 8
  • Multiple displays, mirrored or extended desktop, user choice
  • Run Debian compatible Linux apps
  • Special keys for search and multiple desktops
  • Works with most printers, either directly or via Google Cloudprint
    • Better than Linux
  • Has Penguin Linux available. Most things seem to work.
    • Thunderbird
    • Firefox
    • Gimp
    • grsync
    • Missing:
      • apturl
  • Integrates with Android smart phones
    • Unlock
    • Text messages
  • Hardware:
    • All solid state
    • Display full 1080 15.6" screen with excellent color and viewing angle
    • Good speakers and keyboard
    • Lots of ports
      • USB 3 (2)
      • USB C (2)
      • HDMI (external monitor)
      • Headphones
    • MicroSD slot
    • Brushed aluminum case with strong screen hinge (very similar to Apple MacBook Pro)
      • Slim
      • Lightweight
    • Touchscreen
    • Large touchpad with 2-finger support
      • 2-finger drag
      • pinch and zoom
    • Long battery life
    • Kensington lock slot

Even though it has only 32GB of built-in eMMC, the MicroSD slot expands that substantially. Huge external drives can be connected to the USB C ports.

Saturday, May 26, 2018

Why use Apache Server Side Includes (SSI) for Web scripting

  • Simple
  • Fast
  • Flexible
  • Secure (if configured properly)
  • Low server load
Apache SSI (also called XSSI, extended server side includes) has several advantages over other server-side technologies:
Easy to learn
A small learning curve makes XSSI accessible to people with limited programming experience. XSSI is programmer-efficient because it requires very little debugging.
Mature
Well-tested code and a stable API make future surprises unlikely.
Lightweight
XSSI can deliver popular features such as printer-friendly versions, article partitioning, and hierarchical menus without client-side scripting or a database back end. Maintenance becomes easier--and cheaper.
Efficient
Contrary to early-day warnings that XSSI would bog down a web server, XSSI is probably the most resource-efficient of all dynamic technologies. For example, according to the Apache Hello World Benchmarks (see XSSI Resources), mod_include, the base module implementing XSSI in Apache, can serve more Hello World pages per second than other dynamic content-generation technologies.
Secure
In particular, if you do not include the output of arbitrary executable programs on the web server. Also, content maintenance is at the file system level. Desktop HTML editors make that an advantage, because Web-based CMSs write to the file system, and that is the vector for CMS attacks. See below for a security discussion.
Ubiquitous
Present in virtually every Apache installation, because its implementation is a base module.
Complementary
Combined with web site templates, XSSI can decrease maintenance time and increase sitewide consistency. 
It is easy to integrate with client-side technologies, including cascaded style sheets, JavaScript, and other dynamic objects such as Flash and Java applets.
On the server side, it's integrated with Apache CGI (Apache's original way of programming Web pages). Thus it can be combined with any other programming language that supports stdin/stdout. CGI is language neutral. 
Desktop GUI HTML editors can include it by switching to HTML mode. You can even use an online editor like blogger.com and copy and paste the HTML.
Forward-looking
It can integrate with any text-based document, including XML and RSS.
Powerful
CGI has access to all programming languages, commands and scripts on the system including server side Javascript. It can get data, code, etc. from other servers. It can make database calls. There's practically no limit to what a programmer can do using CGI integrated with SSI.

Apache's eXtended Server Side Includes Onlamp.com, by Kostas Pentikousis 07/07/2005

 

But, is it secure? Various authors have challenged Apache SSI security. For example:

Protecting Web Servers from Security Holes in Server-Side Includes by Jared Karro, Jie Wang, Division of Computer Science, University of North Carolina at Greensboro, Greensboro, NC 27402, USA, Jared Karro@uncg.edu, wang@uncg.edu
All of the examples this paper cites are internal attacks. Controlling who can edit the Web site and what user Apache runs as completely negates the claimed problems.

Generally, when people talk about the security of a Web scripting language, they are referring to external attacks. No one will claim that a Web language is totally immune, but SSI has, historically, had the fewest issues of any Web programming language.

Other claimed vulnerabilities:
  • Server-Side Includes (SSI) Injection
    • The authors provide no explanation of how the injection is to be accomplished. Setting the file system permissions so the Web server can't write to it and turning off Exec permission, which are standard procedures for securing an Apache site, should eliminate any possibility of this working.
    • Perhaps they are referring to using the query string as a variable in an SSI command. Programmers must be cautioned to never do this without checking the content of the query string.
So, what's wrong with it?
  • Limited function in and of itself compared to other Web languages, e.g. PHP. Using CGI, it can do anything the others can, but programmers may find breaking the work into two environments inconvenient.
  • Requires understanding of stdin/stdout to use CGI.
  • Programmers must pay attention to the data coming in to ensure it doesn't contain executable code. Best practice is to never execute any part of the parameters or form input. Some CGI libraries, e.g. those in CPAN and MIT's cgic, take care of this housekeeping.
  • The biggest problem is lack of exposure. Most Web programmers don't know it exists.
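
The caution above about using the query string in an SSI command, shown as an added example that is not from the original post: the first file is the pattern to avoid, the second picks from fixed template paths. It assumes Apache 2.4 expression syntax in `#if`; the file names, the `view` parameter and the `/templates/` paths are hypothetical.

```html
<!-- ===== unsafe.shtml (pattern to avoid) ===== -->
<!-- The visitor's query string becomes part of the include path, so the
     request, not the site author, decides which document gets included. -->
<!--#include virtual="/templates/${QUERY_STRING}.shtml" -->

<!-- ===== safe.shtml ===== -->
<!-- The query string is only compared, in full, against fixed values.
     Every path handed to #include is a literal written by the site author. -->
<!--#if expr="%{QUERY_STRING} == 'view=print'" -->
<!--#set var="template" value="/templates/print.shtml" -->
<!--#elif expr="%{QUERY_STRING} == 'view=rss'" -->
<!--#set var="template" value="/templates/rss-item.shtml" -->
<!--#else -->
<!-- Anything unrecognised, including an empty query string, gets the default. -->
<!--#set var="template" value="/templates/page.shtml" -->
<!--#endif -->
<!--#include virtual="${template}" -->
```

Because the comparison is an exact match on the whole query string, extra parameters or path characters fall through to the default template instead of reaching the include path.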

Tuesday, May 22, 2018

Turning Apache SSI usage on its head.

Most people who talk about templating with Apache Server-side Includes scripting (SSI) have HTML pages pull in pieces of common code such as styles, headers, footers and so on, then hard code the content in the page. This technique certainly reduces the amount of code in each page. And, one can make some changes in a single place. In programming parlance, it modularizes the code. This approach has drawbacks, though.
  • Depending on what is pulled in, changing the structure of all the pages in the site may mean editing many files.
  • The content can't be presented in different ways for different purposes. It can't be reused.
So, what if we turn this concept on its head? What if the content calls the “page”, or more broadly the “template”, rather than each page having content? What would that look like?

SSI can set variables. The variables can contain anything that is a string. The variables can be substituted for text just about anywhere, including in the URI in an SSI command.

What does that mean? It means that content can be put in a file that calls a “page” to display itself. The steps are:
  1. Set one or more variables with content.
  2. Call a template file, either a fixed one, or, and here's the beauty of it, one whose path is in a variable that was set before the content file was called.
  3. The template file puts the content variables in the appropriate places.
Why go to this trouble? Because the template file that’s called can be different depending on the desired output. One time it can be a complete HTML page. Another time it can be an HTML fragment such as a paragraph or a list element. Another time it can be an RSS feed item. Another time it can be Javascript variables. The same content. Only the template changes.

What's more, one template can be used for many pages, potentially an entire site. So, if the site structure or style changes, only one file has to be modified.

In some sense, this turns SSI into an object-oriented system, bringing it into the modern era of system architecture. The variables are object attributes and the template file is the method. What's more, the method can be anything. Unlike most OO languages, it doesn't have to be hard coded. (Although it could be by using #if conditional processing to choose among a fixed set of methods.)

Regardless, the possible uses of this technique are limited only by one’s imagination. The output can be anything that is deliverable in response to a Web request, even JSON. And, it can be driven by parameters in the URL that called it. (Apache SSI has access to the query string.) RESTful services anyone?
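
The three steps described above, laid out as files in an added example that is not from the original post. All file names, paths and variable values are hypothetical; each banner comment marks the start of a separate file on the server.

```html
<!-- ===== /news/launch.shtml : wrapper for the full-page view ===== -->
<!--#set var="template" value="/templates/page.shtml" -->
<!--#include virtual="/content/launch.shtml" -->

<!-- ===== /feed/launch.shtml : wrapper for the feed view ===== -->
<!--#set var="template" value="/templates/rss-item.shtml" -->
<!--#include virtual="/content/launch.shtml" -->

<!-- ===== /content/launch.shtml : the content, written once ===== -->
<!-- Step 1: set the content variables. -->
<!--#set var="title" value="Spring launch day" -->
<!--#set var="link" value="/news/launch.shtml" -->
<!--#set var="summary" value="The boats go in the water on May 1." -->
<!-- Step 2: call whichever template the wrapper chose. -->
<!--#include virtual="${template}" -->

<!-- ===== /templates/page.shtml : complete HTML page ===== -->
<!-- Step 3: the template puts the variables in place. -->
<html>
<head><title><!--#echo var="title" --></title></head>
<body>
<h1><!--#echo var="title" --></h1>
<p><!--#echo var="summary" --></p>
</body>
</html>

<!-- ===== /templates/rss-item.shtml : one RSS feed item ===== -->
<item>
<title><!--#echo var="title" --></title>
<link><!--#echo var="link" --></link>
<description><!--#echo var="summary" --></description>
</item>
```

The template paths here are literals set by the site's own wrapper files, so nothing from the request reaches the `#include` directive.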

Thursday, November 17, 2016

Herding Cats

Thoughts on managing independent, smart people.

Q: How do you herd cats?
A: With a mouse.

Q: How do you confuse a cat?
A: With more than one mouse.


Sunday, March 13, 2016

Large mouth bass in Maine

The original version of this essay was over the top. I apologize to those who read it. Hopefully this revised version is a little more accurate and well reasoned. jah 4/25/2016

Bass fishermen had no right to illegally introduce large mouth bass into Maine waters. In some places, these voracious fish have caused a collapse of other fisheries. If it were up to me, the Maine Department of Inland Fisheries and Wildlife (DIFW) would be doing research to find a way to destroy them. They're an invasive species and should be treated as such. At the very least, the law should require that the fish be killed after being caught.

On the other hand, one avid bass fisherman pointed out to me that in some places the water quality has deteriorated to the point that salmon and trout won't survive and reproduce, so large mouth bass aren't responsible for the collapse.

I would have no problem if the DIFW had done research and decided, for the right reasons, to introduce large mouth bass legally into former salmonid waters. But, private citizens introducing an invasive species of any kind anywhere is illegal and wrong.

Now public officials are embracing out of state bass fishermen. (Note recent efforts in Waterville that made the paper.) Who doesn't love a rich guy who throws his money around? Well, I'd rather they take their fast boats, money, publicity and attitude and go back where they came from. I only wish they could take their fish with them.

Thursday, March 3, 2016

Report on my diy silent computer system 2 years on

This system has proved to be very reliable and exceeded my expectations for performance.

(Nov. 2017 update:  The USB board in the front burned out for the second time and the company no longer makes the part. Bummer. Fortunately the Mobo wasn't damaged and the case has a separate USB3 port on the front.)

System specifications

Case: NoFan CS-60 mATX
Mobo: Gigabyte GA-B75M-D3H
CPU: Intel Pentium G2120
Graphics: SAPPHIRE Ultimate Radeon HD 6670
RAM: Crucial Technology 8gb (2x4) Pc3-12800 1600mhz Ddr3 Ballistix Cl9
Drives: 120 gb OCZ Vertex, 128GB Samsung SM841, Super Writemaster SATA DVD/RW
PSU: SeaSonic SS-400FL2
CPU Cooler: stock Intel with Scythe Slipstream 120
Other cards: Syba ieee1394a-b PCI-X

Performance

iPlane9 and Flightgear flight simulators: smooth and responsive at max frame rates

Will run 2 Windows VMs in VirtualBox both doing updates, Firefox with a dozen or more tabs, Chromium with multiple tabs, Libreoffice with multiple documents open, and Thunderbird: switching between applications, mouse movement and typing are instantaneous; opening additional applications, e.g. gthumb to import pictures, is as fast as if nothing else were running. In other words, it'll do more things at once than I can keep track of.

Boots Ubuntu 14.04: 6 seconds, timed
Load Firefox: 2 seconds
Load Gimp: 2 seconds
Load Libreoffice essentially instantaneously...less than a second
Extract a 640MB tar/gzip archive: <2 seconds

Some things it doesn't do so well:

Encode a 4GB mp4 to 1080p 60fps (same as the recording) using OpenShot Video Editor: 23 minutes
(I have no idea whether this software uses the GPU. It uses ffmpeg for encoding.)

Temperature data

Ambient temp. 20 deg. C
Stress test the CPU at 100% - max CPU core temp 56 deg. C
Flightgear for 1 hour - max GPU temp 68 deg. C, max CPU temp 57 deg. C
(Note: The CPU is above the graphics card so it will get hotter when the GPU gets hotter)

These temperatures were much higher with two different passive CPU coolers. The case is narrow so only short coolers will fit. Running a CPU stress test, the CPU cores were over 80 and still climbing. Under normal use, they were in the 60s, but running a flight simulator pushed them, again, to a level I wasn't comfortable with. So I gave up on totally fanless and installed the Scythe 120. The results speak for themselves.


Issues

1) The first OCZ SSD died within the 2-year warranty window and was replaced.
2) The firewire card has never worked...appears to be a hardware problem. I didn't care until recently and have ordered a new card.
3) When a USB2 device is plugged into the USB3 port in the back, it often locks up the USB bus. You have to power the machine down by holding the start button for 5 seconds, then start it up again. Very annoying so I don't use the port.
4) I started out with 4GB of RAM. At times it wasn't enough, especially when running VMs. Adding another 4GB eliminated the problem. As noted above, I can't run and keep track of enough tasks to overload the machine.

Summary

Many people have used the G2120 in their builds because the combination of performance, price and low power is hard to beat. SPCR has reviewed an actively cooled card with the 6670 GPU, but this particular card is passively cooled. That has proved to be sufficient in the Nofan case with no high-temp cards below it. Combining these two processing units with SATA III and an SSD yields a fast, responsive system for day-to-day tasks. To my ears it's totally silent, but I'm 65 years old and my hearing isn't what it used to be. For those who want hard numbers, SPCR has tested the version of this fan without PWM: http://www.silentpcreview.com/article83 ... .html#SS-M