Snow Leopard – Rails; Java stink
August 28, 2009
If you’re upgrading to Snow Leopard and develop with Ruby on Rails you’ll need to do a few things.
First, a note about Java. If you depend on Java, 10.6 no longer has Java 1.5. The current workaround for this is to copy a 1.5 install from a non-Snow-Leopard Mac. More instructions here (there’s a download for 1.5 as well; yes, Snow Leopard DELETIFIES 1.5).
1) Install XCode from the CD (required for ruby headers)
1a) Install iPhone SDK if that’s something you do
2) gem uninstall ruby-debug-base; gem install ruby-debug-base linecache
3) rebuild database gems and/or drivers (you’ll likely need arch flag, below)
I can’t speak for others but for PostgreSQL I had 8.3 installed and had to download/compile/install the latest 8.3.7 from source, then gem uninstall dbd-pg, pg, and ruby-pg and reinstall them – prefixing gem install with ARCHFLAGS="-arch x86_64".
For our particular project I had to reinstall json, nokogiri, and rjb (had to export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0 ).
If you use mod_passenger, reinstall and follow install instructions (passenger-install-apache2-module).
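Rather than waiting for each dlopen error to surface, the gems that still have 32-bit-only extensions can be found up front. The following is an added example in Ruby, not code from the original post; it assumes macOS’s `file` command (which reports Mach-O architectures) and reads the active gem directory via RubyGems.

```ruby
# Added example (not from the original post): list installed gems whose native
# extension (.bundle) has no x86_64 slice, which is what the "no matching
# architecture in universal wrapper" dlopen errors quoted below mean.
# Assumes macOS's `file` command, which reports the Mach-O architectures.
require "rubygems"
require "shellwords"

# True when a `file` report for a bundle names no x86_64 slice
# (an i386/ppc universal binary, or a plain i386 "wrong architecture" one).
def lacks_x86_64?(file_report)
  !file_report.include?("x86_64")
end

# Recover the gem name from a path under the gem dir, or nil if not matched,
# e.g. /path/to/gems/pg-0.8.0/lib/pg.bundle -> "pg".
def gem_name_for(path)
  m = path.match(%r{/gems/([^/]+)-\d[^/]*/})
  m && m[1]
end

# Walk every .bundle under gem_dir and return the sorted, unique names of
# gems that must be rebuilt 64-bit, as in step 3 above.
def gems_needing_rebuild(gem_dir = Gem.dir)
  Dir.glob(File.join(gem_dir, "gems", "**", "*.bundle")).map do |bundle|
    lacks_x86_64?(`file #{bundle.shellescape}`) ? gem_name_for(bundle) : nil
  end.compact.uniq.sort
end

# The reinstall command for each flagged gem, using the ARCHFLAGS from step 3.
def rebuild_commands(names)
  names.map { |g| %(gem uninstall #{g} && ARCHFLAGS="-arch x86_64" gem install #{g}) }
end

# Prints one reinstall command per affected gem; review them before running.
puts rebuild_commands(gems_needing_rebuild) if __FILE__ == $0
```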
Shameless plug: if this helped you, you live in Texas, and drive < 12k miles a year, check out my employer.
Errors this stuff fixed for me:
/path/to/gems/ruby-debug-base-0.10.3/lib/ruby_debug.bundle: dlopen(/path/to/gems/ruby-debug-base-0.10.3/lib/ruby_debug.bundle, 9): no suitable image found. Did find: (LoadError) /path/to/gems/ruby-debug-base-0.10.3/lib/ruby_debug.bundle: no matching architecture in universal wrapper - /path/to/gems/ruby-debug-base-0.10.3/lib/ruby_debug.bundle
/path/to/gems/linecache-0.43/lib/../lib/trace_nums.bundle: dlopen(/path/to/gems/linecache-0.43/lib/../lib/trace_nums.bundle, 9): no suitable image found. Did find: (LoadError) /path/to/gems/linecache-0.43/lib/../lib/trace_nums.bundle: no matching architecture in universal wrapper - /path/to/gems/linecache-0.43/lib/../lib/trace_nums.bundle
/path/to/gems/activerecord-2.3.3/lib/active_record/connection_adapters/abstract/connection_specification.rb:76:in `establish_connection': Please install the postgresql adapter: `gem install activerecord-postgresql-adapter` (dlopen(/path/to/gems/pg-0.8.0/lib/pg.bundle, 9): no suitable image found. Did find: (RuntimeError) /path/to/gems/pg-0.8.0/lib/pg.bundle: no matching architecture in universal wrapper - /path/to/gems/pg-0.8.0/lib/pg.bundle)
# This happens when postgresql is old. I had to compile 8.3.7 from source with archflags above.
compat.h:38:2: error: #error PostgreSQL client version too old, requires 7.3 or later.
dlopen(/path/to/gems/json-1.1.7/ext/json/ext/generator.bundle, 9): no suitable image found. Did find: /path/to/gems/json-1.1.7/ext/json/ext/generator.bundle: no matching architecture in universal wrapper - /path/to/gems/json-1.1.7/ext/json/ext/generator.bundle
dlopen(/path/to/gems/nokogiri-1.3.2/lib/nokogiri/nokogiri.bundle, 9): no suitable image found. Did find: /path/to/gems/nokogiri-1.3.2/lib/nokogiri/nokogiri.bundle: mach-o, but wrong architecture - /path/to/gems/nokogiri-1.3.2/lib/nokogiri/nokogiri.bundle
dlopen(/path/to/gems/rjb-1.1.7/lib/rjbcore.bundle, 9): no suitable image found. Did find: (LoadError) /path/to/gems/rjb-1.1.7/lib/rjbcore.bundle: no matching architecture in universal wrapper - /path/to/gems/rjb-1.1.7/lib/rjbcore.bundle
# Java stuff spits out something like this
:in `load': can't create Java VM (RuntimeError)
Don’t be like: Heartland Payment Systems
August 20, 2009
If you work for Heartland Payment Systems, whether you like it or not, you currently represent “what not to do” in the world of Financial Transactions on the Internet.
If you’re a customer of Heartland then you should take this as an opportunity to verify the security of your own systems. Heartland Payment Systems is a very large organization and if they were more secure you may have been attacked instead. Don’t make their mistake. Be proactive not reactive.
To begin I’d like to immediately point out the DoJ’s release on this event and appreciate the department giving away some details on the attacks which aren’t available on Heartland’s site. I first heard of this story from someone at our office and immediately realized there was more to the story, but it wasn’t until I read the DoJ’s release that my suspicions became more than a guess. My response to the email: “Heartland’s negligence was as severe as their assailant’s attack and for this, they should be prosecuted”. According to Bloomberg, a shareholder filed suit against Heartland in July and “in a Feb. 24 conference call, Carr [CEO] said the company was the subject of an informal inquiry by the Securities and Exchange Commission, as well as investigations by the Justice Department, the Federal Trade Commission and the Office of the Comptroller of the Currency.” It’s obvious that the attacks were malefic, but what about Heartland’s security? Was Heartland negligent? Did Heartland employ the “Highest Standards” of security which could have mitigated the severity of their compromise?
Per the DoJ release, Heartland was vulnerable to “sophisticated” SQL Injection attacks which were used in part to compromise more than 130 million credit and debit cards. The attacker, Albert Gonzalez, 28, of Miami, Fla., is now being charged for a “different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators.” – in addition to two other trials for other hacking activities. Thief, criminal, hacker – whatever you want to call him, we can all conclude these attacks were wrong. This guy has been in your Internetz stealing your credit cardz.
Meanwhile, if you’re a business who accepts credit cards through Heartland you likely have customers with stolen credit card information and are in a delicate position considering the significant cost required to change payment processors, both technically and contractually. Changing payment processors often requires programming, and the contract agreements required by most payment processors are stifling, costly, or both. So now you’re left with the question as to whether you should trust Heartland with your customers’ credit card information?
I can’t answer these questions for you but we can at least explore the idea that Heartland’s operations were negligent and ineffective at providing “The Highest Standards” and “The Most Trusted Transactions” as, according to reports, their attacker profiled several systems before determining that Heartland’s system was one to be compromised. If Heartland’s system was as-advertised, would it have withstood these attacks or would the attacker have targeted a different system instead?
Based on the DoJ report of the attack and amount of information compromised I would suspect the attack was preventable if “standard” security systems and practices were adopted. SQL Injection, while it sounds like a complicated attack requiring intricate knowledge, planning, and acrobatic stunts — is really a simple exploit which has been documented and addressed for almost a decade. In fact, a similar attack – code injection – was used in the SQL slammer worm which essentially broke the Internet in 2003. Basically, both attacks depend on a “parameter” not being checked and then being executed; this is akin to letting a stranger drive your car. Being exploited by one of these attacks is like letting an intoxicated stranger drive your car into a pole; maybe he said he was good to drive, and maybe the pole jumped in front of him, but the point is you had no experience to trust a stranger and you shouldn’t ever let an intoxicated driver behind the wheel of a car.
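The “parameter not being checked and then being executed” point can be seen in a few lines of code. The following is an added example in Ruby (the language of the Rails post above), not code from the original post or from Heartland: the same lookup written by splicing the caller’s value into the SQL text, beside the parameterized form that hands the value to the driver separately, plus a small shape check showing that the spliced version’s query structure changes as soon as the data contains a quote. The table, column names and sample inputs are constructed.

```ruby
# Added example (not from the original post): a parameter that is pasted into
# SQL text becomes part of the query's structure; a bound parameter never does.
# Table and column names and the sample inputs are constructed for illustration.

TEMPLATE = "SELECT pan FROM cards WHERE holder = ?"  # ? is bound by the driver

# The unchecked pattern: the caller's data is spliced into the query text.
def vulnerable_sql(holder)
  "SELECT pan FROM cards WHERE holder = '#{holder}'"
end

# The parameterized form: the SQL text is fixed, the value travels separately.
# (In Rails 2.3 this is Card.find(:all, :conditions => ["holder = ?", holder]).)
def safe_query(holder)
  [TEMPLATE, [holder]]
end

# Reduce a statement to its shape: every complete single-quoted literal
# ('' is the escaped quote) becomes ?, whitespace and case are normalised.
LITERAL = /'(?:[^']|'')*'/
def skeleton(sql)
  sql.gsub(LITERAL, "?").gsub(/\s+/, " ").strip.downcase
end

# True when the statement still has the shape of TEMPLATE, i.e. the data
# stayed data. False means the input rewrote the query itself, which is the
# door SQL injection walks through.
def structure_preserved?(sql)
  skeleton(sql) == skeleton(TEMPLATE)
end

if __FILE__ == $0
  # "O'Brien" is an ordinary name, yet its apostrophe already changes the query.
  ["Alice", "O'Brien"].each do |name|
    sql = vulnerable_sql(name)
    verdict = structure_preserved?(sql) ? "data stayed data" : "query structure changed"
    puts "#{name.inspect}: #{verdict}\n  #{sql}"
  end
  puts "bound form: #{safe_query("O'Brien").inspect}"
end
```

The parameterized form passes the same shape check for every input because the value never enters the SQL text at all.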
Ignorance is not an excuse for information security just as it isn’t an excuse for tax evasion or violating regulations. If you want to sympathize with Heartland for being attacked then that’s your prerogative and I hope you’re not the person responsible for security at any organization. If you’re concerned for the privacy and security of consumers’ financial and personal information then it’s your right to ask these questions of Heartland Payment Systems, or any company who significantly compromises the security of your information.
links for 2009-04-10
April 10, 2009
links for 2009-04-08
April 8, 2009
- If it's too good to be true…
links for 2009-04-02
April 2, 2009
- I was surprised by the good material in their discussions. Kevin & Tim keep going up in my book (if I had one).
- These folks hit my blog from their dashboard @ dashboard.prod.cyveillance.com. *waves for the camera*
Skype over 3g is unfortunately, irrelevant
April 2, 2009
If Skype was allowed to transmit voice calls over a cell data network, for several reasons, it would be unusable. There’s overhead in buffering and accommodating the effects of cellular data service in order to provide reasonable voice quality. Whereas IP packets and browsers don’t care if there is a slight delay, voice has stricter latency requirements and that’s one reason cell phone networks didn’t start out as data networks to begin with! Triangulation, echo cancellation, and multiplexing are systems that IP isn’t built for and even if it was, it would be like powering a computer with a solar panel that’s fed by a light bulb, plugged into the power grid.
If you’d like an example, get a 3g laptop card and open Skype on your laptop, then try and hold a phone call as a passenger traveling in a vehicle at 55mph; you’ll soon be disconnected or be unable to understand the call. Skype and the Internet it runs over has no idea you’re switching from Cell Tower 5 to Cell Tower 14 and to expect parts of the call in a different order from the different towers; even if it did, the towers aren’t aware of skype and the bandwidth overhead for the towers to communicate between Skype’s system and your cell phone would be excessive and negatively impact the network as a whole. ATT isn’t handicapping anybody, it’s just not that simple.
I can understand consumer advocacy but some things just don’t work. If it was really practical to run VoIPoCell then none of us would have Cell phones. Skype’s best effort would be to find a carrier to work with them at a higher level than just the iPhone; if Skype wants you to seamlessly transfer your call between the most efficient network, they’ll need much more than Apple’s cooperation.
LED Cinema Display + Unibody MacBook Pro is broken
April 2, 2009
Now that I’ve railed on Dell I need to return the favor to Apple. Well, not really, but I do wish to post about an issue I’m having simply because I haven’t found a solution; if Apple reads these posts and a resolution is posted, I will joyfully note it for others to find.
I’m sure others have had this problem but it’s a gamble for me on if and how I plug my LED Cinema Display into my unibody MacBook Pro. This is really lame considering both have been out for months and Apple touts the simplicity of using the new display. There is a reason, however, that their advertising has the MacBook Pro lid open and not closed: it’s really buggy. With the laptop closed, when plugging in the Cinema Display there’s a chance that I will only get a blank screen — the laptop is alive because I’ll get sound feedback by pressing keys on the keyboard; from there, if I sleep (power button, tab key, space key), then when I wake the machine w/click or keypress, half of the time it will be frozen. The fans will spin up but no more sound feedback and no video. My only course of action here is to forcefully power down the machine by holding the power button and thus, losing any unsaved changes.
I know this is a bug between the laptop and display because I have one of each (laptop/display) at home and work and all have this problem. I would note that this would sometimes happen on the old MacBook Pros but those systems had the F7 key set to essentially ‘refresh displays’ and that would always resolve my problem. Now Apple has changed the fn key bindings and that key is no longer available! I don’t know why they took it away because while they did add an Exposé button they only added ONE button for Exposé functionality. Needless to say I’m very glad Apple’s keyboard still has 15 function keys.
If you’re holding out on a unibody MBP then I say keep holding out till these bugs are fixed. Aside from this issue, you *still* have to log out/log back in to change to/from “high performance” — annoying because I never know when I’d like to boot up vmware. Moreover, if you’ve got an older 15″ matte display then you’ve got a feature I personally miss (glare on the glass screens is horrible in any environment).
I really like the machine, don’t get me wrong, but my previous generation MBP would be fine [if I hadn't busted the display].
links for 2009-04-01
April 1, 2009
- Processing is an open source programming language and environment for people who want to program images, animation, and interactions. It is used by students, artists, designers, researchers, and hobbyists for learning, prototyping, and production. It is created to teach fundamentals of computer programming within a visual context and to serve as a software sketchbook and professional production tool. Processing is an alternative to proprietary software tools in the same domain.