Friday, July 29, 2011

MacBook Air and Lion in a semi work environment

I really like my MacBook Air but I have a complaint. I bought my 11" MBA in Dec 2010. It was love at first use. I had an idea I was going to like the laptop and that I was going to use it when I travelled or visited clients. In fact that's exactly how I have used it since. There was also one other unexpected use-case... when I was in the kitchen with the kids I could do a quick search here and there. I might even check on my client's systems between spoons of oatmeal.

Recently I upgraded to Lion and there has also been a flurry of update activity on the other apps that I've installed or purchased. But the one thing remained constant. I was dialing in remote to access my client's development systems and never doing any development on the MBA at all. I had done this before on my other laptop(s) when there was only one of them without a backup. But now I was in my happy place with backup hardware and cloud services.

Now I find myself having longer and longer edit sessions on client code. I find myself on airplanes where wifi does not exist or the latency is just too much to bear. There's also the limitation of the 11" screen. It's sufficient for editing an email but using Google apps to draw some pictures or make a presentation is a pain (yes I have Keynote but I'm going for the seamless cloud integration thing). And long edit sessions with multiple small windows are impossible as my latest project has no less than 10 terminal sessions open in iTerm. (While I'd really like a pair of 30" displays for development I manage with a single 27" during those dark coding sessions)

As for security. FileVault is nice. It encrypts the entire home folder, however, since almost everything is executed out of that folder then almost everything is decrypted with every use. And everything is encrypted on the way in. There is no really good way for me to selectively encrypt and protect my personal information and the information of my clients. (so I do everything on the web when I can) In place of FileVault I use Espionage. It allows me to select when to encrypt a folder and when to decrypt it. This way if the application is not running then the data is secure, which is slightly better than a decrypted home folder whenever you're logged in. An interesting new challenge is that Apple has created a folder for syncing with iDisk. This folder can contain sensitive data too. Once Espionage gets it you lose 10G of disk.

So here I am... limited window, limited disk, limited network, limited CPU. I essentially have a color/graphics terminal circa 1983. But here is my advice for Apple and AT&T. a) I need an iPad that is about the size of a piece of paper (8.5" x 11"), b) I need a new MacBook Air with more memory, bigger screen and bigger disk, c) and I need a better cell network that lets me really do all my work in the cloud.

Friday, July 22, 2011

Chef installation : you gotta be kidding me!

Last night I started working on puppet and things were iffy. At least the server and client installed from their ubuntu packages. Admittedly there were errors in the end but they might have been mine... and there are some compatibility issues that have been documented. So I switched to chef with good intentions.

Before I get to the details... in hindsight I must have been nuts to try chef. My first clue was the list of package dependencies; there must have been 50+. What were the designers thinking?

First of all they need a DB and an MQ; and I think I like the idea that they are using packages that exist in the open source environment... but I am amazed that they would use such behemoths. First of all CouchDB and RabbitMQ both depend on erlang and all those extra packages. A standard SQL-type DB like SQLite, or MongoDB if they really need a document repo, would be fine. At least those packages are small, available in binary form and they have a REST interface that is easy enough to write to. Of course there are so many other DBs that are integrated directly into Ruby or with shallow dependencies.

The same can be said for their choice of MQ. RabbitMQ is the thousand pound gorilla. There are two strong candidates in ZeroMQ and beanstalkd. Both are extremely lightweight to install and deploy. They are fast and reasonably functional.

So even though I have a personal dislike for all things ruby (based on personal experience in the Birmingham Alabama area) it can do the same job that other dynamic and non-dynamic languages can. Performance and some of the edge cases notwithstanding... I hate deep dependencies... (same reason I dislike most package managers including maven).

Thursday, July 21, 2011

Strike one for Lion

It's a minor detail but it appears that the "fullscreen" keyboard shortcut is not the same between applications. Notably "terminal" and "Safari".

Terminal uses: command+option+F
Safari uses: command+control+F

If they were going to go through all the trouble to add the feature wouldn't they get the shortcuts right? Details, details, details.

Wednesday, July 20, 2011

The blog-war is on

I'd really like to be able to syndicate my posts within WordPress but the only way I see that happening is with a personal installation on my own servers. The widget library does not seem to support the de facto WordPress service. So I started looking at Blogger from Google. And I have to say that I think I like it. Of course I still have to work on email publishing and some keywords but it seems to do the trick. I also like that the monetization is semi-connected to Google and that I do not have to pay extra for a custom domain if I'm already registered.

So let the evaluation begin.

UPDATE: score one for WordPress. Blogger does not have a box.net widget.

Lion or liar?

Apple's decision to go AppStore only is a curious one. I like it because of the instant gratification but I wonder if it's not smoke and mirrors to catch or trip up OS X pirates. Which I don't care about in the least! For my 29.99 I was able to upgrade my family computers and that makes me happy.

Now I need a few extra bucks for a new MacBook air and a couple of mac minis.

/r

Monday, July 11, 2011

When is auto update bad?

Always.

Actually there are a few times when auto updating your software or virus definitions is a good thing. That is usually limited to when you are talking about "top 100" type vendors. For example I do not mind auto updating anything from Apple, the AppStore (Mac or iPhone), and I do not mind many of the software vendors that have been around for 10+ years and have a solid reputation. And I generally accept MacPorts.

But then this one caught my eye.

I started off by thinking that this was going to be an easy install of what looked like a decent application/script. The script was going to tell me everything about what programs and processes were connected to the outside world. (Kinda like little snitch) But as I read more of the online documentation I saw that a) it was from a college; and b) it was going to autoupdate.

I was a college student once and I did not do anything really stupid when I was that age but not everyone is like me that way. But I was incredibly curious, and if I'd had today's tools would I have been that naive or straight? While this shell script looks interesting I'm not going to install it out of general fear.

PS: they could have installed the script in userspace. They did not have to request the admin password. And for those of you that did not understand the above... just think about trojan horses and what lay inside. Computers are cheap enough... I just cannot afford the time required to rebuild one from the ground up.

Sunday, July 10, 2011

PEP-8 is an awful document

Ordinarily I do not comment on RFCs or PEPs and the like. They are written by people who are either experts in their fields (hopefully languages) or people who are clearly students of the art and craft of software development. That's not to say that I follow these guidelines to the letter... for example "do not code defensively" from the erlang best practices document makes my skin crawl.

So as I re-review PEP-8 I'm reminded of the first time it was introduced. It was not a pretty day or a fun time. It was everything that a good software development manager tells you can and will go wrong when the inmates run the asylum. So while I think it's generally a good idea... I hate PEP-8 partly because it's poorly written and partly because of the way the team deployed it. Maybe they are one and the same. (I don't think anyone referred to Knuth's work on documentation or documented code)

So here is my summary of PEP-8 in order to cool things down and make it workable.
NOTE 1: code is often read more than it's written.

NOTE 2: style guide is about consistency.

NOTE 3: use your best judgement.

Indentation: 4 spaces, no tabs. When wrapping lines use at least 8 spaces but keep like items together.

Line Length: limit all line lengths to 79 chars.

Blank Lines: use sparingly. 2 between classes and 1 between methods.

Encoding: ASCII or Latin-1, and with Python 3 use UTF-8

imports: each import statement on its own line. Group the imports by "standard python", "3rd party", and "app specific".

whitespace: good but do not go crazy. Add a single space in assignments but not in function declarations.

single line: do not put multiple statements on a single line.

NOTE 4: keep your comments up to date

block comments: the same indent level as the code

inline comments: use sparingly.

NOTE 5: see PEP-257 about docstrings

version: this only applies if you use CVS or subversion. Since I use git and hg, they do not apply.

naming conventions: whatever you use, make it obvious and distinguishable. Avoid ambiguous lettering like 'l', 'o'.

package or module:

class:

exception:

global:

function:

function arguments:

method names:

instance variables:

I'm into this for an hour already and I'm bored out of my mind. This just seems so obvious to me.

design for inheritance:

programming recommendations:

So good luck with this. With any luck you'll have a strong manager or boss. You'll have a decent understanding and it won't be confused with the most recent language you've mastered. And your intuition will be something you can rely on. (remember reverse Hungarian notation in OS/2 and Windows?)

Tuesday, July 5, 2011

Perl is Better than Python - The Killer App.

I just started working on rewriting a fully operational acquirer gateway. I originally wrote the application in erlang and now I have convinced my client to implement it in Python. I happen to like python a lot, and now that perl 6 seems to be more of a fork than a version, python is even more tasty. And that's when it happened!

I wanted to "over" document the new system. Partly because the erlang version was very well undocumented but I also wanted to code the documentation inline... and I was thinking perldoc all the way. If you have not used perldoc then you don't know perldoc. It's the easiest way to document perl applications and I like it.

So naturally I wanted the same syntax or better for Python. Unfortunately it takes perldoc to a new level. So much so that I hate it and I want to try to reconsider my python decision. I may have to try a module or two in perl just for fun.

Perl has its CPAN and Python has its setuptools (easy_install) but nothing compares to perldoc. perldoc may be the killer app. Long live perldoc!

Concurrency on the JVM

I just purchased a couple of books from PragProg: Programming Clojure, Programming Scala, and Programming Concurrency on the JVM. (I'm starting to think that I already purchased the Scala book some time ago and that now I have a dupe.)

As I'm about to embark on Clojure and Scala for the 2nd or third time I'm beginning with many of the questions I had when I started on Erlang and LUA. What does it mean to me? What is the current mindshare out there? Are there any real projects? Is there enough full-time and contract work out there to warrant even the cost of the books and the time lost reading them?

And that's when I get really frustrated because Scala has a section on "intermixing with java" and then my head starts to spin as I remember that Lift-web (a webserver written in scala) is not really written in scala. It's actually a combination of Scala and intermixed java (notably Jetty).

And right about there is when I lose my steam. When you are a fully vested java programmer and you know all 100B jar file filled APIs with all that it means to you... it's hard to implement anything 100% native. So that's the dark cloud hanging over Clojure and Scala. How can they implement all the functional goodness without getting twisted up by all that legacy poison? And so I read on.

[UPDATE: Scala and Clojure seem to intermix with Java a lot. I find this painful because I do not believe that there is a way to determine where the warts are automatically. It sure would be nice if there were some sort of dependency checker so that the graph provided some illumination before projects were implemented. Or at least some developers might contribute where the holes are. I'm about to put these books on the stack again.]

Sunday, July 3, 2011

Quote of the day

I'm not in the business of selling Erlang. Mnesia has plenty of issues though, we've been avoiding it for a few years.

Saturday, July 2, 2011

erlang programmers versus the rest of the world

I don't know if there is a sniglet for it but I just had an IM conversation using Twitter. Normally I would just go on about my business; in this case sleep. But sleep is not coming easy tonight.

The conversation was sort of a point/counterpoint debating erlang programmers versus everything else. I tried to summarize things this way:

  • erlang is not suited to solve all problems

  • other languages provide similar services/features

  • current mindshare is sketchy

  • costs are higher for the same caliber of programmer

  • erlang will either go the way of smalltalk or maybe java. either way I will be there trying to make a living. java=mainstream, smalltalk=edge cases.


There are a few things that I did not mention but I think they are moot now. The best I can offer is the right tool for the right job... and that needs to take into consideration the business environment and economics.

In the end, everything is subjective. The person with the purse strings is going to call the shots. That person may not be a geek or technologist. So they may not know much about languages etc... but they are watching the bottom line. And if some VC is going to say... use erlang because we get instant cachet for being smart people. Then that's what you use.

In many ways I'm the mercenary programmer. I'll write code in just about any language out there so long as the checks are accepted at the bank. Some day when I'm the boss I'll decide what tools we/I use. And I'm sure that someone is going to try to change my mind.

To the future me, good luck.

DropBox, Box.net, SugarSync - Terms of Service

There has been a lot of pissing and moaning about a section of DropBox' Terms of Service agreement. At least this was the first and fiercest monologue I had read. (this was about 2 or 3 weeks ago). However, this morning one of my age-old friends from the neighborhood and McAfee talking head posted the same section of the agreement. And while I'm not one to be prodded into action I decided it required some second thought. (I use DropBox to protect my client's projects as I am sure many do)

At first I could not locate the text in question so I got a pointer from David. He was clearly up in arms and ready to abandon DropBox for good. So I decided to look for some alternatives to DropBox myself. What other vendors/service providers are out there? I've tried many of them and they are all very similar but none hit the sweet spot that DropBox does. Even though there is room for improvement there too.

I use the free version of Box.net for my LinkedIn profile and my WordPress account. So I am familiar with their services.

And shortly after I downloaded the SugarSync iPhone app... I decided to read all of their terms of service. And the funny thing is... you guessed it. They all have the same text. They all require some level of permission from the user.

(The following links and snippet of text are current as of 7/2/2011)
DropBox - We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.

Box.net  - To the extent that the Services provide Users an opportunity to store and exchange information, materials, data, files, programs, ideas and opinions (“User Content”), you hereby represent and warrant that you have all necessary rights in and to all User Content you provide and all information contained therein. By registering to use the Services, you understand and acknowledge that Box.net and its contractors retain an irrevocable, royalty-free, worldwide license to use, copy, and publicly display such content for the sole purpose of providing to you the Services for which you have registered. In the event that you give Box.net the right to distribute your content, additional terms may apply to Box.net's usage or distribution of this content.  You continue to retain all ownership rights in any User Content you provide and shall remain solely responsible for your conduct, your User Content, and any material or information transmitted to other Users for interaction with other Users.  Box.net does not claim any ownership rights in any User Content.

SugarSync - After setting up your account and downloading our Software, you can select the Files you want to sync and/or store. You can change the Files you want to sync or store whenever you want. In order to make the Service available to you, we need your permission to sync and store your Files. Accordingly, you hereby grant to SugarSync a license: (i) to use, copy, transmit, distribute, store and cache Files that you choose to sync and/or store; and (ii) to copy, transmit, publish, and distribute to others the Files as you designate, whether through the sharing or public linking features of the Service, in each case solely to provide the Service to you.

I'm not a lawyer and I do not play one on TV. But I think this is harmless.

[UPDATE 2011-07-11 Looks like Yahoo is in the same boat. However, if you read the TOC it seems no different than the DropBox. In the end they might split hairs and read your content and then the whole thing may be challenged in court, however, we're not there yet and it really looks like they are just covering their collective butts when providing services.]

Who has had experience of using a prepaid card and finding that it has gone over its limit?

I have been travelling in South Africa, Germany, Canada and France recently, using my money-saving, secure and trusty prepaid travel cards (Euro, Dollar and Global Traveler cards). On two occasions, I have discovered that I have spent more money than I had on the card.

Has anyone else had this experience? And can anyone explain why this happens, and when?

Tony

Richard Bucker • There are several reasons why this happens. As someone indicated, when there is an auth-hold... this will prevent the second transaction from going over the limit. The real issue in these cases is when the merchant adjusts the transaction amount (like a tip) after the auth... and based on the MCC there is a percentage that the merchant can adjust.

Then there are the system-related issues, like load-balancing, latent database replication and maintenance cycles. If you're not careful and the cardholder is nefarious there are ways around some of these components that allow the CH to appear to have more funds; if even for a short period.

As others mentioned; from a business/brand perspective the associations need to implement some changes. However, the biggest change will come when they more accurately define the differences between an anonymous prepaid card; an identified prepaid card; and a debit card... from a transactional and business perspective.

Losses will only mount as cardholders and merchants learn to game the system.
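The auth-hold and post-auth adjustment case from the reply above, as an added simulation (my own example, not any processor's code): the hold blocks a second purchase, but a tip adjustment within the MCC tolerance still settles past the loaded balance. The MCC tolerance values are constructed placeholders, not the real network rules; reserving the tolerance at authorization time is shown as one issuer-side mitigation.

```python
"""Prepaid card ledger with auth holds and post-auth amount adjustment."""

# Assumed per-MCC adjustment tolerance: the fraction by which a merchant may
# raise the settled amount over the authorized amount (e.g. restaurant tips).
# Constructed placeholder values, not the real scheme rules.
MCC_TOLERANCE = {"5812": 0.20,   # eating places / restaurants
                 "5411": 0.00}   # grocery stores


class PrepaidAccount:
    def __init__(self, balance, reserve_tolerance=False):
        self.balance = balance            # loaded funds
        self.holds = {}                   # auth_id -> (held_amount, mcc)
        self.reserve_tolerance = reserve_tolerance

    def available(self):
        """Spendable funds: balance minus everything still on hold."""
        return self.balance - sum(h for h, _ in self.holds.values())

    def authorize(self, auth_id, amount, mcc):
        """Place an auth hold. Returns True when approved, False when declined."""
        tol = MCC_TOLERANCE.get(mcc, 0.0)
        # Mitigation: hold the largest amount the merchant could later settle,
        # so the adjustment can never push the balance below zero.
        hold = amount * (1 + tol) if self.reserve_tolerance else amount
        if hold > self.available():
            return False
        self.holds[auth_id] = (hold, mcc)
        return True

    def settle(self, auth_id, final_amount):
        """Clear an authorization at the merchant's final amount.
        Returns the new balance, or None if the adjustment exceeds the
        MCC tolerance (the hold is then kept and the clearing rejected)."""
        held, mcc = self.holds.pop(auth_id)
        tol = MCC_TOLERANCE.get(mcc, 0.0)
        authorized = held / (1 + tol) if self.reserve_tolerance else held
        if final_amount > authorized * (1 + tol) + 1e-9:
            self.holds[auth_id] = (held, mcc)
            return None
        self.balance -= final_amount      # may go negative without reservation
        return self.balance


def restaurant_tip_scenario(reserve_tolerance):
    """Load $100, authorize a $95 restaurant bill, attempt a $10 grocery
    purchase while the hold is open, then settle the bill with a 20% tip.
    Returns (first_auth_approved, second_auth_approved, balance_after_settle)."""
    acct = PrepaidAccount(100.0, reserve_tolerance)
    first = acct.authorize("A1", 95.0, "5812")
    second = acct.authorize("A2", 10.0, "5411")   # blocked by the open hold
    final = acct.settle("A1", 95.0 * 1.20) if first else None
    return first, second, final


if __name__ == "__main__":
    print("plain hold:     ", restaurant_tip_scenario(False))   # ends at -14.0
    print("reserved hold:  ", restaurant_tip_scenario(True))    # $95 auth declined
```

With a plain hold the second purchase is declined yet the account still settles at -14.00; with the tolerance reserved the original authorization is declined up front, which is the trade-off an issuer has to weigh.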

Friday, July 1, 2011

In response to your interest - in case you want to hire me.

Hi Richard,

Thank you for considering this position. I have been going over your CV and it looks interesting enough to take it to the next stage. As for helping us better understand where your strengths are as far as your current software engineering capabilities I would like you to answer the following questionnaire.

Cheers,
Ofer


Question: Write a simple sorting algorithm (array of numbers) in python and explain it.
Answer:
my_numbers_that_need_sorting = [4,3,4,6,3,6,9]
my_numbers_that_need_sorting.sort()
## there are plenty of APIs out there that do sorting. 
## There is absolutely no reason for me to open my
## Knuth books and read anything on merge sorts, hash sorts,
## btree sorts, insert sorts etc. People smarter than me
## are getting their Phd(s) on the subject.


Question: What parts of Python don't you like and why?
Answer:
I hate the indenting.


Question: What is Bitcoin and what do you think about it?

Answer:
I'm not an economist so I don't know what the long term ramifications are. As a skeptical systems person I hope there are no bugs.


Question: What other software projects have you been involved with? Do you have a github account/website with code you wrote?
Answer:
My code is proprietary. I do give back from time to time. Recently I patched a bug for MongoDB... for fun. Their data "import" utility supports importing JSON, CSV and TSV. When loading TSV and CSV files the leading and trailing whitespace is removed from each cell, however, the TAB character is considered whitespace in the TSV file import code. Therefore, if the first field were an empty field then the data would skew (shift by one cell) and the load would fail. So I identified the offending line of code, wrote a patch, tested it and submitted a patch to the dev team.
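A reconstruction of the TSV whitespace bug described in this answer, as an added example (my own illustration, not the MongoDB patch or its import code): a parser that strips whitespace from the whole line before splitting on TAB silently drops a leading empty cell, and the row then fails the field-count check. The sample TSV data is constructed.

```python
"""Leading-empty-field bug in a TSV importer, buggy and fixed side by side."""

# Constructed sample: header, a row whose first cell is empty, and a row
# with stray spaces around cells (which an importer should still trim).
SAMPLE_TSV = "id\tname\tcity\n" \
             "\tAlice\tBoston\n" \
             "7\tBob \t Denver\n"


def parse_tsv_buggy(text):
    """Trim the whole line, then split on TAB.
    str.strip() treats TAB as whitespace, so the leading TAB that marks an
    empty first cell is eaten and every remaining cell shifts left."""
    rows = []
    for line in text.splitlines():
        line = line.strip()               # BUG: also removes a leading TAB
        if not line:
            continue
        rows.append([cell.strip() for cell in line.split("\t")])
    return rows


def parse_tsv_fixed(text):
    """Remove only the line terminator, split on TAB first, then trim spaces
    inside each cell with a character set that excludes TAB."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip("\r\n")
        if line == "":
            continue
        rows.append([cell.strip(" ") for cell in line.split("\t")])
    return rows


def to_documents(rows):
    """Pair the header with each data row, as an importer builds documents.
    Raises ValueError on a field-count mismatch, which is how the shifted
    row surfaces as a failed load."""
    header, data = rows[0], rows[1:]
    docs = []
    for lineno, row in enumerate(data, start=2):
        if len(row) != len(header):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(header), len(row)))
        docs.append(dict(zip(header, row)))
    return docs


def import_ok(parser, text):
    """True when every row of `text` parses into a well-formed document."""
    try:
        to_documents(parser(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("buggy rows:", parse_tsv_buggy(SAMPLE_TSV))   # second row has 2 cells
    print("fixed rows:", parse_tsv_fixed(SAMPLE_TSV))   # second row keeps ''
    print("buggy import ok:", import_ok(parse_tsv_buggy, SAMPLE_TSV))
    print("fixed import ok:", import_ok(parse_tsv_fixed, SAMPLE_TSV))
```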


Question: What's your favorite programming language (besides Python)?

Answer: 
I do not have a specific favorite... but if I had to choose it would be one that does that job. And as a manager I want to make sure that there are resources that pick up the standard when the time comes. (business continuity see http://github.com/languages)

ASM - when performance is absolutely necessary and I don't need floating point. (I hate floating point in assembler)

C - when performance is absolutely necessary and I need floating point or integration with other APIs like libcurl or the gtk.

C++ - when I have to bugfix someone else's code.

perl - nice for reporting, ETL and other batch operations. (parrot and perl 6 have me concerned about compatibility)

python - same as perl. many of the APIs make things easier than perl. I also like tornado/cyclone and Django for webapp frameworks. (I like easy_install!!)

Java - java is the new cobol. there are APIs and frameworks for just about everything. There was a time when java had a manageable library but now it's too big and it has fractured. Not to mention that the JDK is semi open source and then there is the Oracle factor.  J2EE is also a well known framework but it is the 1200lb gorilla in the room.

Scala and Clojure - interesting functional languages, if only they were real languages instead of using the JDK. During initial development it is interesting that the languages can interop with traditional JDK libs, however, in the end apps like "lift" are simply calling Jetty. That makes a functional call stack not too functional.

erlang - interesting but not all 'that'. While it works well for long running processes and its lightweight processes make for some interesting parallelization, it's better for longer running tasks like phone switches and audio codecs. It's not well suited for messaging. There are so many other better solutions. Mnesia is useful. It's nice that it's integrated into the language, however, there are plenty of warts there and there are so many other DBs that make more sense.

haskell - bloated and disorganized package manager.

prolog - In 20 years I have not found it useful... or in production. Erlang does a better job and Turbo Prolog is long since gone.

R - I would like to use this language, however, I have not found a use-case for it yet. It generates nice graphs and charts... but it requires Intel Fortran to build it. So I'm not sure I want this many dependencies.

LUA - another interesting idea.  Nice that the language is small enough to compile quickly and there is a jit. It's also interesting that it integrates with C instead of the JDK.

.NET - I'm not a fan of anything that creates a lock-in and Mono while it runs on *nix is not a real viable solution in the long term. Mono is loosely glued together.

Thank you. I hope to hear from you shortly.

/r

All ur emailz r mine

That's right. All Your Emails Are Mine! The next time you use Outlook, Thunderbird, Mozilla, MailApp, OperaMail think about this. All of these email programs download all of your emails to your PC (regardless whether it's POP or IMAP). They might, initially, download the headers but at some point in the process that email is going to be on your computer in its bare naked truth. And... unless you delete your email, then purge your trash can and then NSA-securely erase the trash can and all points in between... that email can be recovered.

So here are some tips:

  • Use webmail. I have 20+ email accounts. That might be overkill but I also have over 200K pieces of email. And that includes attachments with confidential and sensitive information. This is not completely secure because there is a cache for the browser, which can be scheduled to be deleted, but it's probably the best for now.

  • You can use your traditional email app... but then encrypt the folder where the email program stores the data. Something like Espionage for the Mac is good. This, of course, slows your email down but it is safer. Also you have to be aware of where the temporary cache is located. I tend to use this strategy for my client source code/projects. The only downside here is that the folder is in the clear while the user is logged in and the application is running. So if a running computer is stolen it is more likely to give up its secrets. This is more secure in that the folder is decrypted, only, when the attached application is running.

  • You can use FileVault, from and for Apple. This allows you to encrypt an entire user directory. Overall this is a good idea if you do not have the time or expertise to try to lock the folders individually. Unfortunately, the decrypted data is available while the user is logged in. Not just when the application is running.

  • The most interesting choice is something that Dell offers with its laptops. Encrypting the entire disk from the BIOS. I like this a lot, however, since it's encrypting everything it's slow. Also, if there is a vulnerability in the encryption then the upgrade is going to take considerable time. And like the others, while the power is on, everything is in the clear.


One other point... while it might seem to make sense to overlap some of these technologies and ideas, it's just going to make your data slower to get to. It's even going to make launching and running your applications slower.

Just remember to practice safe computing and maybe most of this will be irrelevant.

Logging in is hard to do

Services like Twitter and Facebook have created APIs so that 3rd party developers can write applications that take advantage of their infrastructure, add features that are missing, and a host of other motives.

The one motive that we fail to remember when someone reports that Mark Zuckerberg gets a Google+ account is that it's all about marketing. I feel certain that long before it was announced about MZ his team had already performed a competitive analysis. The rest was just press from one side or the other.

Which brings me to my next observation... If you are a startup or a wanna-be startup, you might see yourself going to VCs for money. On the surface that makes some sense, however, social networking is all the rage and organic growth is ok but VCs want to see explosive organic growth... *cough* cancerous growth. So your first stop should be an advertising or marketing company. Not VC.

And sliding back into APIs let's talk security. When you are in your favorite app and they ask for some facebook credentials. Hold off. You should NEVER enter your username and definitely not your password. Sometimes your applications will launch a popup that looks like a login screen from whatever your remote system is (like facebook) but STOP!!! and cancel the current operation.

First you should log into your service (facebook or twitter etc). Then go back to the application and repeat the operations. This time the application will not prompt you for your credentials. It will slide to the part where it asks for permission. And then it's going to display the types of permissions it wants.

The facebook permissions are very scary so read them carefully. One such permission allows the application to access your personal information any time they see fit. This does not seem like a problem today, however, some day you may have some important info that is truly secret. I hope MZ is listening and builds a data vault into the system.

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...