Goodbye Borders

Although it’s a little outside of our usual subject matter, I sadly note the passing of Borders. Yesterday Borders announced that it was canceling its upcoming bankruptcy auction and liquidating the company instead. Although some creditors are objecting, it’s almost certain that Borders will close its 399 remaining stores and sell off its assets.

The story of how Borders arrived at this end is well known. They didn’t take Internet sales seriously and failed to appreciate how ebooks would change their industry. I’ve written before about the challenges facing the publishing industry and my hope that they would avoid the same mistakes that the music industry made. So far, they appear to be oblivious to the new reality. Perhaps Borders can serve as a wakeup call. No matter how much you want your business to stay the way it was, circumstances and customers move on. You either move with them or you end up like Borders.

Like most folks, I mainly get my books on-line and tend to prefer ebooks over the dead tree variety. Still, I have fond memories of browsing at Borders and enjoying a comfortable chair and cup of coffee while I skimmed through a book. I’ll miss the opportunity to do so in the future.

Posted in General | Leave a comment

The 25 Most Dangerous Software Errors

Each year the SANS Institute and the MITRE Corporation team up to survey the year’s most dangerous programming errors. This year’s list, the 2011 Common Weakness Enumeration, was published at the end of June. This is a great resource and anyone writing software for the Web should read it carefully. The document is a long and thorough analysis of the errors that led to exploits in the last year.

The report begins with some guidance for different types of users—programmers new to security, programmers experienced in security, project managers, testers, customers, and educators—on how to use the list. Next there is a brief listing of the errors sorted in various ways, and finally a detailed explanation and sample code for each type of error. Finally there is a list of “Monster Mitigations” that establish some general principles for writing secure code.

The tops 5 errors were:

  1. SQL Injection
  2. OS Command Injection
  3. Buffer Overflow
  4. Cross-site Scripting
  5. Missing Authentication for Critical Function

I find OS Command Injection in second place surprising, but sadly all of the others are as expected. It beggars belief that SQL injection is still such a common exploit today. The same could be said of buffer overflow. Of course, as LulzSec has shown us, there is every reason to expect that SQL injection will be a major attack vector for the foreseeable future.

Again, if you are writing code for the Web, you really need to read and study this report.

Posted in Programming | Tagged | Leave a comment

An Interesting Talk On Guile

I just ran across an interesting talk on Guile Scheme by Andy Wingo. The talk is from 2009, shortly before Guile 2.0 came out. Wingo discusses the new Guile architecture and plans for a native compiler. One of the most interesting parts for me was the discussion of his plans for Guile to replace the Emacs Lisp engine. That’s still in the future but there’s already an implementation of Elisp that runs on the Scheme VM. Wingo claims that it will make Emacs much faster than it is now and will allow Lispaphobes to customize Emacs in any of the supported languages—Javascript, for example.

It’s a fairly long talk (about an hour and 15 minutes) but it’s pretty meaty and worth the time if you want to know about the future of Guile. Wingo is a pretty impressive guy so, again, I recommend this talk if you haven’t already seen it. You might also want to check out his blog.

Posted in Programming | Tagged | 1 Comment

Marking Up Key Sequences For HTML

The other day, I wrote about Xah Lee’s post on aliases. One of his aliases was for htmlize-keyboard-shortcut-notation. I realized that this was probably the function he used to markup the key sequences in his posts and I had (yet another) face-palm moment. As you may recall, when I decided to steal borrow his notation I implemented it with Org mode macros. There are a couple of problems with that. First, it’s a pain to type. To get the sequence 【⌘ Cmd+Tab】 I have to type

【{{{key(⌘ Cmd)}}}+{{{key(Tab)}}}】

I have to lookup the unicode value of the ⌘ symbol and enter it with the 【Ctrl+x 8】 key sequence. The same thing applies to the lenticular brackets that frame the key sequence.

Second, I have to include a file that contains the macro definition for every post I make that includes a marked up key sequence. Both of these problems are a result of my initial decision to use Org mode macros to enter the <span> tags that CSS uses to produce the fancy key representations.

When I saw Lee’s alias, I realized that the right way to do this is to enter Cmd+Tab when I want to have the sequence 【⌘ Cmd+Tab】 and then run some elsip code on it. That turns out to be reasonably easy to do.

The idea is to do repeated applications of replace-regexp-in-string with regular expressions and replacement strings such as

"Cmd""@<span class="key"> ⌘ Cmd@</span>"

It’s a pain to keep writing out all that <span> notation so we start with a helper macro

(defmacro key (k)
  "Convenience macro to generate a key sequence map entry
for \\[prettify-key-sequence]."
  `'(,k . ,(concat "@<span class=\"key\">" k "@</span>")))

With this macro, we can transform a key into a Lisp cons

(key "Tab") → ("Tab" . "@<span class=\"key\">Tab@</span>")

With the key macro, it’s pretty easy to write the function to do the markup:

 1:  (defun prettify-key-sequence (&optional omit-brackets)
 2:    "Markup a key sequence for pretty display in HTML.
 3:  If OMIT-BRACKETS is non-null then don't include the key sequence brackets."
 4:    (interactive "P")
 5:    (let* ((seq (region-or-thing 'symbol))
 6:           (key-seq (elt seq 0))
 7:           (beg (elt seq 1))
 8:           (end (elt seq 2))
 9:           (key-seq-map (list (key "Ctrl") (key "Meta") (key "Shift")
10:                              (key "Tab") (key "Alt") (key "Esc")
11:                              (key "Enter") (key "Return") (key "Backspace")
12:                              (key "Delete") (key "F10") (key "F11")
13:                              (key "F12") (key "F2") (key "F3")
14:                              (key "F4") (key "F5") (key "F6") (key "F7")
15:                              (key "F8") (key "F9")
16:                              ;; Disambiguate F1
17:                              '("\\`F1" . "@<span class=\"key\">F1@</span>")
18:                              '("\\([^>]\\)F1" .
19:                                "\\1@<span class=\"key\">F1@</span>")
20:                              ;; Symbol on key
21:                              '("Opt" . "@<span class=\"key\">⌥ Opt@</span>")
22:                              '("Cmd" . "@<span class=\"key\">⌘ Cmd@</span>")
23:                              ;; Combining rules
24:                              '("\+\\(.\\) \\(.\\)\\'" .
25:                                "+@<span class=\"key\">\\1@</span> @<span class=\"key\">\\2@</span>")
26:                              '("\+\\(.\\) \\(.\\) " .
27:                                "+@<span class=\"key\">\\1@</span> @<span class=\"key\">\\2@</span> ")
28:                              '("\+\\(.\\) " .
29:                                "+@<span class=\"key\">\\1@</span> ")
30:                              '("\+\\(.\\)\\'" .
31:                                "+@<span class=\"key\">\\1@</span>"))))
32:      (mapc (lambda (m) (setq key-seq (replace-regexp-in-string
33:                                       (car m) (cdr m) key-seq t)))
34:            key-seq-map)
35:      ;; Single key
36:      (if (= (length key-seq) 1)
37:          (setq key-seq (concat "@<span class=\"key\">" key-seq "@</span>")))
38:      (delete-region beg end)
39:      (if omit-brackets
40:          (insert key-seq)
41:        (insert (concat "【" key-seq "】")))))
42:  

The heart of the function is the key-sequence-map on lines 9–31. Most of the entries are generated with the key macro but some are more complicated and were hand generated. The entries on lines 17–19 take care of preventing F10 (for example) from being mistaken for F1. The two lines at 21 and 22 have a symbol attached so the key macro wouldn’t work. Finally, lines 24–31 take care of combining single letters with the more complex keys.

First, we get the symbol at the point or the region—if there is one—using the region-or-thing function that I wrote about earlier. Then the mapc at line 32 applies replace-regexp-in-string to the raw key sequence repeatedly using the substitution strings in key-squence-map. The code at lines 36 and 37 take care of the special case of a single key. Finally, the original raw key sequence is deleted and replaced with the marked up string. Unless omit-brackets is non-nil, the lenticular brackets are also added.

I don’t need to markup key sequences often enough to bind prettify-key-sequence to a special key sequence so I just made a simpler name for it with an alias:

(defalias 'pks 'prettify-key-sequence)

There are probably some weird key sequences that prettify-key-sequence won’t handle, but those can be done in pieces; that’s why the omit-brackets option is there. The key sequences in the last two posts were done using this function and so far I’m happy with it. One thing for sure: it’s a lot easier than using the Org mode macro as I did before.

Posted in Programming | Tagged | 6 Comments

Emacs Aliases

Xah Lee has a nice post on using Emacs aliases to increase productivity. He uses aliases for two purposes:

  1. To change the behavior of Emacs
    For example, he has the alias
    (defalias 'yes-or-no-p 'y-or-n-p)
    
    

    This gets rid of the annoying “Please answer yes or no” silliness that Emacs insists on for some questions. This was one of the first things I did when setting up my .emacs file and I’ve never been sorry.

  2. As shortcuts for longer, harder-to-remember commands
    For example he has
    (defalias 'dtw 'delete-trailing-whitespace)
    
    

    In this vein, I have long used

    (defalias 'qrr 'query-replace-regexp)
    
    

    because I can never remember if it’s query-regexp-replace or query-replace-regexp. Besides, it’s a lot shorter and easier to type. Another example of this sort that Lee uses is to make alias shortcuts for the different modes that he uses. Thus, he has such shortcuts as

    (defalias 'hm 'html-mode)
    (defalias 'tm 'text-mode)
    (defalias 'wsm 'whitespace-mode)
    
    

    and so on.

You might think that the mode changing aliases aren’t that useful given that they are usually invoked automatically by the file name extension of the file you are editing but sometimes you want to temporarily turn off a mode. For example, as I’ve mentioned previously, it’s sometimes convenient to turn off paredit mode if you have some major restructuring to do. It’s a major pain to have to type 【Meta+xparedit-mode to turn it off and then again to turn it back on. It’s much easier and faster to just type 【Meta +xpm.

Lee keeps all his aliases in a separate file, which makes them easy to find and maintain. I like to keep mine in my init.el file near whatever they are redefining as that makes more sense to me but I can see the advantages to a separate file. What do you like to do?

Posted in General | Tagged | 10 Comments

More Dired Features

On my old blog I wrote about calling FTP from Dired under Emacs and Xah Lee has written several posts about Dired capabilities and how to use them (search for dired at the above link). Now Bart Lantz over at Denver Droid has a nice post on Cool Things to do in Emacs’ Dired Mode. Many of these are the usual things such as deleting or renaming files but he also writes about less well known commands such as 【~】 to mark all backup files for deletion and the 【O】, 【M】, and 【G】 commands to change a file’s owner, mode, and group. He also writes about using dired to clean up your Downloads directory.

There are other ideas in the comments such as using the 【Q】 command to do a regexp search and replace on the marked files or using 【Ctrl+x Ctrl+q】 to enable editing in the dired buffer.

This is a great post and well worth spending a few minutes on. There’s a lot of capability in dired and learning about some of it can help your work flow a lot.

Posted in General | Tagged | Leave a comment

Guile 2.0.2

By now, all you Guile users out there are aware that Guile 2.0.2 has been released. Andy Wingo over at Wingolog has a nice post that explains some of improvements and gives a road map for where Guile is headed. If you want to know exactly what’s changed, the NEWS file has all the details.

I’m also happy to report that unlike last time, the build for OS X was as simple as

./configure
make
sudo make install

so there’s no need to delay. If you’re a Guile user, download the source and build it.

Update: 2.02 → 2.0.2

Posted in Programming | Tagged | Leave a comment

A Lawsuit Waiting To Happen

There’s an interesting, if depressing, post over at hover.com about how feedback had fueled new features. One of these new features seems particularly ill-advised. Apparently some of their users weren’t able to remember their passwords so Hover Would send them a special link to reset it, a common and reasonably secure method of handling lost passwords. Unfortunately, the delicate flowers in their user base found this “confusing” and too hard to use. Hover responded by changing the process so that users would be emailed their passwords.

Consider what this means. First, the passwords are being sent in the clear so that there are several opportunities for compromise. Worse, it means that those passwords are not hashed at Hover. Indeed, they explicitly say that the passwords are stored in the clear. There is, I think, a very good chance that the Hover site will be attacked and those passwords and other information exposed. Right after that, the lawsuits will start. Does this make any sense?

Hover provides domain registry and related services so there is something of value to protect. Their Web site makes a point of stressing that they provide Whois privacy to keep contact information private so any lawsuits will surely point to an implied contract to keep this information safe. I just don’t understand what the folks at Hover are thinking. Sure, you want to make things easy for your customers—that’s one of their selling points—but sometimes you need to explain to them why the seemingly complex procedures you use are necessary for their protection. I don’t see how this ends well for Hover.

Posted in General | Tagged | Leave a comment

More Dropbox Silliness

I’ve written about Dropbox a couple of times before in a generally positive way. In this post, I’m coming to their defense again so I should state for the record that I’m neither a Dropbox user nor associated with them in any way. The latest silliness involving Dropbox is concern over their new Terms of Service. A number of people have pointed to the section entitled Your Stuff & Your Privacy. Here’s how the story on Slashdot reported the new language:

By submitting your stuff to the Services, you grant us (and those we
work with to provide the Services) worldwide, non-exclusive,
royalty-free, sublicenseable rights to use, copy, distribute, prepare
derivative works (such as translations or format conversions) of,
perform, or publicly display that stuff to the extent we think it
necessary for the Service.

That sounds pretty bad, doesn’t it? Dropbox appears to be saying that they can do anything they want with any data you store on the system. But when you add a little context

By using our Services you may give us access to your information,
files, and folders (together, “your stuff”). You retain ownership to
your stuff. You are also solely responsible for your conduct, the
content of your files and folders, and your communications with others
while using the Services.

We sometimes need your permission to do what you ask us to do with
your stuff (for example, hosting, making public, or sharing your
files). By submitting your stuff to the Services, you grant us (and
those we work with to provide the Services) worldwide, non-exclusive,
royalty-free, sublicenseable rights to use, copy, distribute, prepare
derivative works (such as translations or format conversions) of,
perform, or publicly display that stuff to the extent reasonably
necessary for the Service. This license is solely to enable us to
technically administer, display, and operate the Services. You must
ensure you have the rights you need to grant us that permission.

you see that what the terms really say is that if you want Dropbox to provide certain services, such as sharing your data, you have to give them the right to do it. No All your data are belong to us, merely protection from lawsuits for using your data in some way that you asked them to.

As a result of the brouhaha over the Terms of Service, Dropbox added an update on their blog in which they explicitly say that they don’t own your data and that the license allows them to provide the service that you are requesting and nothing else. As the folks over at the Agile Blog (the makers of 1password) say “Read the policy, not the tweets.”

It’s bad enough when the kids over at Slashdot hyperventilate over a faux issue like this but others who might be expected to take a more measured view are also upset. Even Michael Krigsman over at ZDNet is jumping in recommending that Enterprises “…discontinue use of the product for applications where privacy and confidentiality are mission critical.”

Let me say it again: If you are storing sensitive information in the cloud and you don’t encrypt it then you, not the cloud provider, are guilty of negligence if that data is compromised. Krigsman is right; You shouldn’t be storing unencrypted mission critical data in the cloud but that has nothing to do with the Dropbox Terms of Service; it’s a matter of common sense and due diligence.

Update: Dropbox has once again updated their Terms of Service in an attempt to assure everyone that they have no interest in owning or using your data in any way that doesn’t involve providing the services that you ask for. It should put this silliness to rest once and for all but it probably won’t.

Posted in General | 1 Comment

Git Cheat Sheet

The folks over at fournova, maker of Tower, a Git client for the Mac, have a really nice Git Cheat Sheet available for download. There are plenty of Git cheat sheets around, of course, but this one is only two pages and one of those pages concerns Version Control Best Practices. That leaves you with one page full of Git commands that tell you how to do most things in Git from the command line.

This is a handy resource that you can bookmark or print. And it comes in three colors so no matter where you stand on the proper editor color themes, you should find a version that satisfies you.

Posted in General | Tagged | Leave a comment