Sunday, June 28, 2015

recursive query in SQLite

I'm working on a SQL query that it not very complicated, however, normal SQL is just not going to do the trick. I have simple hierarchy graph data represented in a single table or DAG. Eventually I'm going to dump the data into json document that I will later load into javascript d3js web page in order to render the graph visually. The end result should left us look more closely at the data in order to clean things up and make certain determinations about the quality of the data.

It was simple enough to dump the complete raw data without any processing, however, some simple reporting using recursion was possible using SQLite. This document explained the basics.
  • export the data
  • create the new tables in SQLite
  • import the data
  • execute and refine the SQL
Now I need to take the resulting data and convert it from TSV to JSON and import the data into the web page (example)

Sunday, June 21, 2015

6 weeks with my Chromebook Pixel

I have some complaints and while I would like to elaborate in painful detail I just don't have it in me. My point of view starts with a few expectations and for the most part I get a lot of work done and the notion that I need a functioning replacement up and running with little or no effort is at the core. But it's the edge cases that I swore I was not going to let bother me.... and yet they do.
  • bluetooth support sucks
  • video player sucks (no mkv support)
  • cannot rename a USB or SD card.
  • only formats intro the default format (probably FAT; which means there is no support for my huge media??)
  • no containers like docker or rocket
  • channels is fine; devmode and crouton are a FAIL
  • cannot mount remote file systems
  • Google Play apps have some serious security flaws
  • I have not been able to find a way to work the touch screen into my workflow
I'm not going any deeper than this. I've had great success developing my code on this Pixel because I'm using a remote system.  I also have 7 Chrome devices in close proximity and I regularly switch between machines. I'm also developing an IDE that will work the way I want it to. And I have a reliable network.

I think I can do well with both or just the MacBook. Maybe even an iPad if they ever close the loop there too.

UPDATE: I'm starting to feel the pain of not being able to connect to my peers without all the usual software. If I had not paid $1200 for my Pixel-2 I'd likely set it aside except it's also my primary development console with it's awesome display (I have yet to use the touch).

UPDATE:  I just came back from 3 days at a client site. The only time I used my MacBook was to have a facetime with my family back home. For that matter I could have use my spare Chromebook and thus hangouts instead.

Monday, June 15, 2015

Skype for the Web

I wish I had something good to say about Skype for the Web. So far the discussion has been vague at best. Simply put; Skype does not support ChromeOS for Voice or Video. Any mention to the contrary would be wrong and incorrect. (not that it won't be available in the future.)

ChromeOS - delete offline files

I have about 650 files in my offline folder and I did not know how to delete them until just a few minutes ago. Someone posted and led me to understand that offline files are marked as "available offline" (not in my case) and that they are located in Google Drive. Then I realized that I had inserted an SD card and initiated a backup.... which it might finished but I could not tell for certain (no notifications or progress bar until I rebooted my Chromebook).

In then end I had 650 files that needed to be deleted.

Turns out that there is a backup folder in my Google Drive that, when deleted, removed the files from the offline folder. The offline folder is some sort of shadow directory. Once I deleted the backup folder the files in question were removed from the offline folder.

Hope this makes sense.

Are Chrome Apps and Extensions Safe?

This conversation will get my blood boiling in a New York minute. I recently posted a question on Google+ (link)
How do you know whether or not you can trust a Chrome App or Extension? For example there is an APP out there that seems to have modified my "file" manager offering to install some "services" from this fellow Tanaka. I'm sure he's a fine fellow but he has no obligation or compliance requirement that his code is not going to (a) steal my data and export is someplace else (b) steal my credential and send them someplace else.
Simply put the Chrome user base has absolutely no assurance that the software we are running is true, reliable and safe. Or do we? Ask yourself why Angry Birds needs access to my Contacts.
There were some typical responses that all sound like "if it hurts don't do it"; but frankly that's bullshit. The entire world has come to depend on free software of every kind. Many businesses exist only to serve or use free software.

One fellow responded; "The code is on github". Phew that makes me sleep better. Since the compiled code is done somewhere else and the binaries are keyed and packaged on another system I feel so much safer. There is nothing to guarantee that the code on github is the code that was compiled and is executing on my computer and when I gave it permission to talk to ANY computer on my local and "the internet" I feel so much safer. (I hope you read my sarcasm).

He continued: "The permissions are justified". Well he's kinda right here but justified it the wrong word. Required would be more like it. It's kinda hard to deploy a network program if it cannot talk to the network. But since the security demands of this permission set is so low you can leak data at will.

Finally he said: "Tanaka is working upstream...". I do not know this person first hand. I did not go to school with him and I certainly do not sit around and chat code, politics, or religion. He might be a fine fellow but I'm pointing out the fundamental flaw. "We" clearly need a curated and blessed application store. That Tanaka has his own build process is meaningless. That his code is not reviewed for evil is BS. Google needs a way to bless apps and extensions.

This is more than the Cathedral and the Bazaar. The book should be renamed Cathedral, Bazaar, and the Underworld.


By comparison; let me talk about the homebrew package manager. One of the interesting things about homebrew is that when it installs the requested packages; they are installed in user-space instead of root as many applications do. And the "recipes" in the system direct the build agent running on your computer how to build the application and which version of the source was the latest to be trusted. Of course trust being the operative word. Sadly if the package author and the package submitter are the same person then it is upon the homebrew owners to curate the source. The good news is that there is an alpha/beta channel and with any luck there is an informal code review, however, it's not a guarantee.

PS: if an app or extension needs access to the entire internet I should be able to flip a switch that limits the domains that it can talk to... maybe only my *,, This is not the same, but is similar, to prevent kids from surfing to instead of In my case I need to SFTP to a white-list of servers. Never the internet as a whole.

Saturday, June 13, 2015

GMOs in the food supply

I have no idea what the real motivation is for companies like Monsanto other than the profit motive. If the human race was on a head's down course for an extinction event I could understand why we might modify the food supply in order to give the human race the opportunity to catch up and recover. But making changes for the sake of change or profit is just so very wrong.

Some day we might learn that GMOs are worse than smoking and that the human race is now speeding toward an extinction event. At least with smoking one could quit, asbestos, mold or lead paint one could re-mediate to safety. Once GMOs and other super-gene strains make it into the food supply we will not be able to stop it.
art imitates life; there was a lifetime show where the antagonist was food company who owned some custom engineered plants that had germinated into a nearby farm which they were now embroiled in legal action because the food was migrating (infecting the neighboring farms)
 I really hope these labs know what they are doing. I certainly challenge them to do the right thing and be transparent.

is search broken

A friend of mine wanted me to construct a system that would trigger either a shopping cart instance or an alert email when Nike's one-off shoes arrived. Forget that there are a number of programs out there that perform that function but it's clear that it's also an arms race and as such falls into game theory.

Enter search...

I'm curious to know how many Chromebooks other than just the highest end Google Chromebook Pixel uses the Intel i7. But when I tried to search for them I got a wide mix of products. Needless to say the results were less than stellar; downright disappointing as it was mostly advertisers doing the bait and switch thing.

I tried:

  • Google
  • Duck Duck Go
  • Bing
  • Yahoo
and I even tried Amazon.

Friday, June 12, 2015

you have been contacted by network services

The pitch is the same.... the phone rings and the number is usually a strange 7 or 8 digit number preceded by a plus (+). When I answer there is a slight delay and the phone is now showing some other number and in my case it was 337-729-7536. The person on the other end have been both men and women, however, they have always had a distinct accent that I can only place in Pakistan or India. I do not have an extensive experience with voices, however, in one instance I was able to get the person on the other end to admit she worked in an Indian call center. I have no idea what they are actually accomplishing because it never gets that far.

During this evening's call I asked a few questions:
  • where are you located? California
  • What is the name of the company? Orange Tech In Los Angeles
When I Googled and called Orange the number had been disconnected.
  • I told the caller that I was putting the kids to sleep and that I would call back. What is your number? 866-263-2630
When I Googled this number I was only able to determine that it was a toll-free number. (866) - get a clue... There are a number of social websites that are trying to capture this information in a useful way, however, between the poor quality, over advertising, accuracy... it was just a waste.

So I called the number.  What could it hurt? They already had my number... My guess is that the number was also bullshit. The phone just rang and went unanswered.

During the pitch the caller said, repeatedly, that he was from the "Microsoft Network Department" and that he needed to perform some maintenance on my computer. Well.... there isn't a computer company on the planet that is going to do exactly that. Simply put this is a scam of epic proportions!

These "social engineers" (see Kevin Mitnik) are trying to do a number of things
  • get you to install something on your computer that in itself may contain virus-ware, malware, or even ransom-ware.
  • in addition they may simply be trying to get your credit card number and if you're unfortunate to use your debit card they may siphon your bank account dry. Which they could use to do a lot more damage to your financial standing.
  • NEVER give out your PIN.
If you think you are having trouble with your computer then do this:
  • geek squad or similar
  • any of the big box stores
  • pull out the hard drive and destroy it with a hammer; and buy a new computer
  • instead of buying a new computer start thinking about chromebook or ipad etc...
**For the time being comments are open. Please append any information or key phrases you can get and report it to your local law enforcement when applicable. Network neutrality and the cross board communication laws were never intended for this.

UPDATE:  I just got off the phone with network security services. Actually "David" hung up on me. David tried to get me to give him access to my computer via the "logmein" service. Of course there is nothing wrong with logmein as a service. I've used similar services to help family members but that's a horse of a different color. I asked David how much this was going to cost me and he said FREE. Can you hear the alarm bells yet? When I loaded the logmein login page he gave me a number. It was a simple login number that would eventually pair our computers together giving David full access to my computer.

Instead of logging in.... I put David on hold and clicked the "report abuse" link on the login page. I filled in the information and included the PIN. I also followed up with a phone call to their technical support team. The operator took my information and checked the account. He also alerted their security staff. Finally David hung up on me. I assume that he heard my conversation with logmein (because I didn't actually put him on hold) and then the line went dead.

I'm certain that if I allowed things to continue that David might have found a way to drop something on my computer that would put everything I consider important at risk.  My data and code and the same for my customers.

PS: this call came from an area code in Canada(249-713-6048). If you've ever worked in telephony then you know that the callerid information can be spoofed. What you don't know is that google is not a telephone company and as such is more likely have more info and more willing to take action.

Thursday, June 11, 2015

Google plays some hits

Since today is TBT I thought I'd give Google Music a chance to impress me with it's selection. I checked out GM's 00's selection and it seemed focused on some form of rap & pop. It looks like a Justin Timberlake, Snoop Dog reunion of sorts. Then I tried 90's and that was almost completely dominated by rap. When I got to the 80's I found one that was considered electronica and 2 others that were dominated by Michael Jackson.

First of all, if I were a country star I'd be pretty pissed. Even though I'm not a true fan there is plenty that I would listen to like a selection of Garth Brooks; and there are plenty of others. Punk and Metal were totally absent. I could be suggesting that either Google knows it's average user but that it does not know my taste.

housekeeping chromeos

I've installed a few things that I need to get rid of. The reasons differ but nonetheless they have been deleted.

1) Music Bubbles is a pretty cool app. It's a remote control for Google Play Music. It's cool because it's injected into every webpage and does some z-layer alpha blending that makes it appealing. My only complaint is that depending on where you locate the bubble it will take over when you hover. Meaning that if you drop the bubble over a menu item you'll not be able to access that menu unless you move the bubble. Also, since there are keystrokes like CTRL+1 to access the first tab... it's just some overkill.

2) Bouncing Ball - It's just a silly little game from Google. I like the aesthetic. The game is fluid and kind-of fun to play although I was bored after the first 5 minutes. I have not played the game in a few weeks so there was no point in keeping it.

3) Mosh - I have never been a fan of mosh. The authors make certain claims about it's security model which I believe are baseless. I've written about it a few times(link). Recently I've been doing the 100% remote development on an unreliable network; which is supposed to be a main selling point for mosh. The challenge, however, is that since the server is not running mosh(CoreOS) and neither are the containers although it could be added; easy enough. However, unlike the terminal program for Chrome; the mosh chrome-app does not keep a history of the servers it's been connected to. While that could be argued as a feature I'd argue NOT.

Three fewer apps makes me happier. Now time to do the laundry.

Wednesday, June 10, 2015

de-google yourself?

I'm concerned about my privacy and personal information security; this morning my father pointed me to this article that espoused all the evil things that Google does with my data, cookies, email, and personal information.

I does not take too much effort to debunk everything the author lays claim too in fact it is also demonstrated by (a) the publisher of the article (b) the commenting system therein (c) and it's advertisers; as they are all part of the profit machine trying to monetize it's visitors. (no different than Google just on a different scale)
the publisher's site was closed for comment, however, that information was not available to me prior to registering. Had commenting been closed I would never have registered.
The author of the article made certain recommendations and claims;

Step 1: Spread your data.

This might do more harm than good.  Spreading your data means that the premium associated with your data is higher. (the sum of the parts is less expensive than the parts sold separately; economics 101)  It also puts the cost of managing all this data, the individual policy and procedures, and maintenance.

Step 2: Search Differently

There are a number of other search engines. Duck Duck Go comes to mind. While Google is not necessarily a search company they are the best search company.

Step 3: Crumble the Cookies

Cookie security makes sense, however, while there are a certain number of cookies that belong to the application and some to the advertiser/ghost hunters it's impossible to determine the difference so that the browser can be selective. Burning your cookies can and will eventually degrade your experience.

Step 4: gmail

If you do not want some of the advertising associated with gmail then simply pay for it ($50/yr). You already pay for MS Outlook and OSX Mail when you purchase their operating systems.

Step 5: Cloud Storage

I'm not sure what the author was getting to here. This irrational fear of vendors having access to your data has been around for quite a while.  It started with the terms of service at both Box and DropBox. Both companies asked the users to give them permission to access and modify the documents. While the terms were evil sounding and vague; in the end it was just about asking permission to compress, archive and relocate your data on their servers. It was clearly an over imaginative attorney who was splitting fiber but it was out there.

By comparison, Google Drive and Google App, have a number of compliance certificates including HIPPA and PCI. This means that while Google has your documents it is not reading them; by which I mean operating on them, taking action, or changing anything about your experience. (but they are reading them in a binary sense as is the case with all the other browsers and file managers.

Step 6: SmartPhone

It's hard to know, for certain, what information we might be leaking and just how private it might be. Given the cost of our smartphones you'd think that the information we are leaking would give us a better discount. For example the traffic indicator on the maps application is harvested by all of the other phones on the road with you at the same time. The information is supposed to be anonymous and it likely is, however, a motivated someone might be able to crack the code. Between the GPS, WiFI navigation etc... someone with access to a traffic camera and map telemetry could probably isolate a single individual.

If the price is too high, turn it off.


You do not get anything for free these days. Everyone wants something whether it's you email address, phone number or location. Even the article's publisher and the author have an interest in knowing who you are. (this article is posted on Blogger and previously WordPress. Both try to monetize it's readers)

Until someone can prove that Google is doing something evil with my data I trust them before all the other bobs out there.

UPDATE:  The author of the article @DerekInBerlin was published by The Irish Times. The website is full of advertising and analytics; including Google's own. Since the Derek did not provide an email address; only a twitter; he's also selling his information in a manner of speaking.

Monday, June 8, 2015

programming languages - the next thing

I've been a student of programming languages since I started programming in the early 80s. Back in those days there were only a handful of mainstream languages that were accessible. At first there were two computers to choose from. An Apple ][ or a Radio Shack TRS-80. Both included a ROM based BASIC interpreter.

Other compilers were available, Radio Shack had COBOL, Fortran, pascal compilers and and Assemblers. Apple had it's own toolchain, which I never experienced first hand but I recall my high school friends were writing programs in something other than 65x assembler.

When the IBM PC entered the space the tools changed again. Borland International started selling Turbo Pascal which turned into , Turbo C, Turbo C++, Turbo Assembler, Turbo Prolog, and so on. These tools were reasonable priced and were simply awesome. Soon after Microsoft entered into the tools war polluting the API at every turn but nothing beat Borland compilers.

Sometime in the middle of all that there was a tool fracture to the next level. dbase, clipper and later foxpro created an application development layer using macros and data instead of low level constructs of the languages that came early.

There was a whole classification of languages and tools that were out there... schools like MIT and companies like Bell Labs were in high gear producing more languages, operating systems, and general systems research.

Later, in college I was introduced to more and more languages. Ada was one language that I liked although it was time consuming to get my first program to run as there were so many compiler errors that had to be overcome. (review of Ada) I appreciate it eve more today because that strict immutable contract between programmer and other applications seems to be what we strive for now. And other than some basic syntax sugar it's no different than any other language. At the time we were talking about the potential of software proofs. Now it seems that proofs have given way to TDD and BDD with some natural language syntax.

How different things would be if we had stuck to a single syntax and merely added the features we needed.

Saturday, June 6, 2015

reflection on golang reflection

I'm building a transaction gateway that requires the transcoding message from one schema to another. The messages will originate from the client as a JSON string which is easily parsed by the stdlib and then transcoded to a bytestream based on some schema. The server will process the transaction and return another byte stream which must be parsed according to some schema and then transcoded back to a JSON string and returned to the client.

My challenge, as I review the encoding packages, is how or where do I store the DDL (data definition language) for the byte streams? One easy representation is in the golang struct with the schema contained somewhere in the field types and the tags.

The question, however, is it better to use reflection at runtime or precompute some DDL from the struct or just manually construct the DDL?

Some weeks ago I reviewed some code for an ISO8583 encoder. It did a good job of parsing messages into it's perspective fields, however, in their implementation the user had to provide the schema with every transaction and the first thing the parser did was compute a DDL which it discarded after the parsing was complete. While correctness and clarity are job #1; this explains their decision.

Looking at the stdlib version of the JSON Unmarshal() code I see that they rely on reflection. Quickly reviewing the ffjson package for unmarshal'ing I have no idea what they have done. I do see that they implemented a generator of sorts, however, the public API layer is so obtuse that it feels like this might have been implemented in another language and ported to go. (not a bad thing) but there is a lot more code than the stdlib so it's a matter of complexity over getting the work done.

For now the answer is "working". Fast is a nice problem to have... just not now.

Friday, June 5, 2015

I have 5 bars - what is in a number?

I have two Apple Macs sitting side by side on my desk. They are connected to my Airport Express on the other side of my house and they are showing 5-bars in the AT&T vernacular. I find that extremely curious because my Nexus 6, Samsung Chromebook both show 2-bars. And while you might say something about the quality of hardware or the vendor... I also have a Chromebook Pixel 2 i7 and as Google describes it, the Pixel 2 is all premium hardware meant to be bar that all other CBs are meant to reach for.  My P2 is also showing 2 bars. What does this say about Apple? Is their hardware tuned differently than everyone else or do that physics of WiFi radio transmission and reception not apply to Apple engineers. Or is it possible that their "computation" of WiFi strength is optimistic and everyone else pessimistic?

I'm not one for regulation but when faced with a sub-par WiFi environment, like a house constructed with iron rebar and aluminium studs, and when faced with purchasing decisions based on empirical data like WiFi bars... It's hard not to be a little bitter.

If faced with a new WiFi purchase I'm not certain which vendor I'd buy from except that Apple is at the bottom of the list now.

PS: as a reminder I had a Sonic Wall problem about 6 months ago. Since then I tried a d-Link model that worked and then I heard that there was an AirPort Express that also worked. I spent the $100 and it worked. Even though the version of the device was identical in Firmware with the model I already had (which did not work).

What does it take to get a +1 or LIKE?

I often wonder what it take to get a +1 from my readers. I admit the ratio of readers to comments and likes is pretty low. If I had to guess there is probably some Pareto number that makes the most sense.

  • Like things within some SOI (sphere of influence; social or otherwise)
I've encountered family members who like everything anyone else in the family posts. The same can be said of some employees who do much of the same. I'm no psychologist but my intuition is hinting that the motives are vastly different depending on how they are each perceived. (Some Family LIKEs can be perceived as social climbing and some work LIKEs are sincere)
  • Like thing when you agree or even strongly agree
But what happens when you disagree? Would the reader comment? Argue? And is a comment as good as a LIKE?
  • Like thing when you've made it through the presented material
Whatever the material is the reader managed to make it all the way through the material and was able to form an opinion about the content, the quality, or even the presenter.
  • Like thing because it's going to act as a bookmark
Things you've read or are influenced by can now be located more easily. With any luck you have some sort of notification when there are updates. (there is a feature in this) Maybe you've STAR'd the page in your browser.

These would be my 80%:
  • I like all my family photos because my wife and my friends do not have the same circles and I like to share the pictures of my kids in a passive sort of way.
  • I rarely like anything to do with work. I'm not the company's communications officer and so it's not for me to spread the word. Personal credibility is sacrificed to be a YES-man even though we al know when the Wizard steps out from the curtain he's just a man.
  • I like posts where there is enough good information that it changes the way I think or believe about a subject. If I agree or even strongly agree before I read the post then it's just supporting material. It's only when it changes my opinion that I need to like it.
  • Very few services provide dislike buttons. I rarely use them and the only time I do is when the content is offensive in some way. Not just because I disagree.
What would happen if there were a quality survey at the end of each post? How about TV commercials? The Twitter client has an interesting feature that you can provide feedback to promoted tweets. I click on "displayed too often" every chance I get. I absolutely hate promoted tweets. They are a greedy and needless monetization of Twitter. Twitter already sells our data why do they need to advertise other then $$$.

UPDATE:  I missed one logical reason; reciprocation. You like me and I'll like you.

Thursday, June 4, 2015

Docker Gotchas

I've watched as the memes have gravitated to Docker like bees to nectar or flies to poop. I guess that's a half full half empty thing. As I've said many times in the past you gotta know your stack. And the more I use Docker and the more they advance the project the more I realize that it's just too early for adoption... unless you have a person or three on the inside.

By example my first CoreOS+docker server is continuously running out of disk space in part because btmp is filling up (which I've read is probably an attack). My second CoreOS+Docker server shows an explosion of files in the Docker overlay folder. I'm not certain why I need so many folders and if any of them are zombies or not.

Another article made mention of my filesystem iNodes. While my filesystem is at %5 used and iNodes at 15%; which is not an unhealthy ratio, in my opinion, but since this is a single Docker container running on a 200GB HDD it suggests that getting any sort of density is going to be unpredictable and painful.

I may need to investigate NixOS containers.

UPDATE:  found this article echoing my problem.

UPDATE: I made some discoveries that are not actually documented anywhere.  The first truth that I realized is that proper VMs are probably still a better proposition than containers of any kind. CoreOS toolbox and it's analogs make sense but not for actually running a production service. This is yet another reason why the Phusion containers are a bad choice.

Next, you simply do not need intermediate layers. The first reason is that many times the builder falsely uses an old container. For example I have a RUN go get some_go_package and docker does not rebuild it. SO I have to but my go get commands after my ADD commands in order to insure they are executed.

Now that I'm deleting all of my images, intermediate layers, I'm getting ready to rebuild my containers with the --rm and --force-rm options. I do not want any intermediate files. The issue is that docker build is consuming too much disk space and any hope of reasonable density is impossible.

delete all of your contianers
docker rm $(docker ps -a -q)
delete all of your images
docker rmi $(docker images -q)
delete eveything
docker rmi $(docker images -q)
** this last one takes a VERY long time. My 331 overlays has been deleting for nearly 30 minutes and white it was only 2.5GB it made up 15% of the inodes meaning there were a lot of files.

UPDATE:  One more thing to keep in mind as my system is still deleting those intermediate layers... GCE (google compute engine) limits the iops for my host VM and so bulk deletes like this are going to take a while regardless whether it's an SSD or HDD.

UPDATE: In hindsight this sort of cleanup (a) would have been faster to rebuild the host (b) if there had been more than one container on this system I would never been able to clean it up because there are no tags. The also means that the build and deploy system should probably be different machines.

UPDATE: compressing a container [link] (devbox and devboxrun are my image and container names)
ID=$(docker run -d devbox /bin/bash)
docker export $ID | docker import - devboxrun
UPDATE: backup compressed snapshots
ID=$(docker run -d image-name /bin/bash)
(docker export $ID | gzip -c > image.tgz)
gzip -dc image.tgz | docker import - flat-image-name 
UPDATE: I'm testing my last clean build configuration (bash functions)
function cleanbox {
        docker rm $(docker ps -q -a --filter=image=builddevbox:latest)
        docker rmi builddevbox
        docker rmi golang:cross

function buildbox {
        docker build --force-rm --rm -t builddevbox .
        ID=$(docker run -d builddevbox /bin/bash)
        docker export $ID | docker import - devbox

Tuesday, June 2, 2015

SmartLock - what's it good for?

SmartLock is a tool that joins your Android phone and your ChromeOS device. When logging into your ChromeOS device it will attempt to locate an open or unlocked Android device. When ChomeOS identifies the paired device it it will change the lock icon in the login dialog from yellow or spinning to green.  The green icon means that I need only click on the picture in the login form in order to perform that function.

There is a related feature on the phone.  I can identify and record "safe" locations on the phone so that when the phone is found to be in that location it does not require a password. You are automatically logged in by GPS location. This is great when you're home or maybe even work... if you do not mind the obvious complications.

So you can see that if your:

  • home
  • SmartLock knows home is safe
  • the phone has auto unlocked
  • and paired with a ChromeOS device
  • and the devices are in range
your ChromeOS device will auto unlock with a click of a button. (you can temporarily disable this feature by clicking on the lock when you logout).

This is a particularly good feature when your in public. Clearly you do not want people to see what you might have logged into and correlating that with your password which can be captured with a gopro or even the store or coffee shop store camera. It's no longer the thing of science fiction. So having your phone handy, and unlocked, means not having to worry about your password.

However, this does create a different attack vector. If you at a location that is not SAFE then you need to unlock your phone manually; which can be recorded. And then there is the potential that there is a backdoor for the Bluetooth detector thing/code. All someone needs to do is steal your phone and get to one of your safe locations before you and they have access to the family jewels.

The good news (a) I do not have the family jewels on my phone. (b) the tough ones still require a password. (c) I never access them from the public.

The bad news (a) it might still happen if one of the vendors I depend on is vulnerable and I've been exposed. (b) someone is able to steal my computer and phone and get to my safe place before me... or even at some distance depending on the geo limits of SmartLock.

The really bad news is that Google has not yet provided a killswitch so that SmartLock can be disabled from anywhere. Once the bad guy has my phone and computer changing my password may not help.

Making OpenVPN work inside a docker container

There are a number of possible solutions.  The first looks like a storage container but provides network access. It's a novel approach and one I might implement in the future. It has the benefits of configurations that might differ between prod, stag and dev. It also isolates the network issues from the application container.  It's actually a very strong idea.

In my case it's more complicated that I want.  I have a simple workflow that I want to follow for the time being.  Taking my default Dockerfile I did a chmod +s to the openvpn is running with root privileges which is required in order to update the routes and IP address.
run chmod +s /usr/sbin/openvpn
AND when running the docker container there are two additional params: cap_add and device.
docker run --rm -it --cap-add=NET_ADMIN --device /dev/net/tun -v /data/data1/devbox/shared/:/var/shared/ --name=${boxname} ${imgname} /bin/${shellname} --login
And that worked for me.

One other recommendation was installing sudo.  I suppose that was also an option, however, sudo might leak other root level changes that I might not want to put in application space rather than the environment.

Monday, June 1, 2015

using tmux or GNU's screen in a docker container

There are too many open issues with the docker project pertaining to the use of TTY and Docker. It seems that Docker uses or supports /dev/console. I suppose if I was running ssh-server in my container that I would likely have a working environment.

Sadly it seems that there is a correlation between tmux/screen and it's expected normal operation.

That's it for now. I'm going to give up on this branch because it feels meaningless.

starting or exec'ing a new container

I'm not going to elaborate on the problem too much other than to describe the challenge and then provide my script that solved it.

I'm using CoreOS(685.0.0) + Docker(1.6.2) in order to host my own development environment. The benefits are already well known... a consistent environment for my code and testing. There are a number of real challenges getting to a shell prompt and not blowing out my disk space as I create more layers and images of the same sandbox.

Here are some of my requirements:

  • launch fast
  • shared source / data / certs / config (with or without a data container)
  • able to build my go project
  • idiomatic go structure
  • able to connect with multiple terminals to the same instance without having to run the ssh server
The script below launches(run) my container if it's not already running and attaches(exec) if the container is already running.

CONTAINER_ID=`docker ps -q --filter "name=${boxname}"`
RUNNING=`docker inspect --format="{{.State.Running}}" ${CONTAINER_ID:-"NOTRUNNING"} 2> /dev/null`

if [ "$RUNNING" == "true" ]; then
echo "connecting to exiting ${boxname}"
docker exec -i -t ${boxname} ${shellname}
echo "running a fresh ${boxname} instance"
docker run --rm -it -v /data/data1/devbox/shared/:/var/shared/ --name=${boxname} ${imgname} /bin/${shellname}

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...