At my day job, I get to write a bit of code. I'm fortunate that my employer is pretty cool about letting us open source what we write, so I'm happy to announce that two of my projects have been open sourced!
The first project is an app I wrote in PHP that compares an arbitrary number of .ini files on a logical basis. What this means is that if you have .ini files with similar contents, but the stanzas and key/value pairs are all mixed up, this utility will read in all of the .ini files you specify, put the stanzas and their keys and values into well-defined data structures, compare them, and tell you what the differences are (if any). In production, we used this to compare Splunk configuration files from several different installations that we wanted to consolidate. Given that we had dozens of files, some with hundreds of lines, this utility saved us hours of effort and eliminated the possibility of human error. It can be found at:
The next app I developed was written in Node.js and is intended for use in a high-availability environment. In most HA environments you have multiple servers running behind a load balancer, and to check the health of those servers the load balancer usually issues an HTTP GET request to a pre-defined endpoint on each one. But what if the server doesn't have any GET endpoints? This is actually the case with Apache NiFi, which only provides HTTP POST endpoints. What now?
That's where this utility comes in. It starts an HTTP server on the port of your choice, turns an incoming GET request into a POST request with a zero-byte payload, sends it to a target port on the same server, and relays back the HTTP response. In effect it proxies a GET as a POST and returns the result. It's a bit of an odd way to go about it, but it let us use Apache NiFi more effectively in a high-availability environment without breaking any workflow, so we're calling that a win. That app can be found at:
I hope these are of use to anyone who stumbles across them. If you have any feedback or comments, feel free to leave them below or on GitHub!
Another Anthrocon has come and gone, and it's been an amazing year!
We had 7,310 attendees this year, a considerable jump up from our previous number of 6,348 attendees. Our Fursuit parade had 2,100 fursuiters in it, an even bigger relative jump from the previous year's number of 1,460.
We raised $31,880 for our charity: The Pittsburgh Zoo & PPG Aquarium.
I am pleased to announce the launch of the website Septa Stats! This website provides real-time data on all Regional Rail train lines. The following stats and metrics are supported:
That website is at:
My source code is also available!
I decided to learn websockets recently and figured I'd use the excellent Socket.io library along with Express. The tutorials on their website made sense; however, I ran into an issue using the express-session module: cookies are not normally parsed with websocket connections, so I could not get the session data the normal way.
I then spent several hours reading through blog posts and Stack Overflow to figure out how to manually go through the process of parsing cookie strings and decrypting session data, which I thought I'd share here!
This assumes that you are using Express 4.x and have installed the following modules:
And the resulting code looks like this:
The problem: you write files to an S3 bucket on Amazon Web Services. Maybe a single user or process does this, maybe multiple users or processes do. But you want to keep a particular process from going rogue and deleting your data. What do you do?
The answer: you write a function in AWS Lambda that fires whenever something is uploaded to the S3 bucket in question. It then calls the copyObject() method and copies the file to another bucket, one that only it (and your admin account, presumably) has permission to write to.
The GitHub repository is at:
It's a quick and dirty thing that I put together mostly as a demo of how to integrate AWS Lambda with S3.
I haven't written too many convention reports lately, and that's pretty much my fault. I've been struggling with some health issues which have kept me from attending as many cons as I'd like. That said, I was able to make it to Anthro New England this past January. It was held in Boston, Massachusetts.
I wasn't staff at this con, but I did end up volunteering for the cash registers in the Dealers Room throughout the convention. It was a different experience than what I was used to, but it provided a great way to help out the convention. For the cash registers, we used custom software developed by Kotanu Cheetah. The software did a great job of running both regular register functions and having integration with the membership system.
Work is sending me to a conference that just happens to be hosted in Las Vegas, a city where there are a few casinos. I'm not much for gambling, so I figured I should learn a little about it before I even think of doing such a thing. I read that craps is a fun game that has some pretty safe bets, so I decided to learn more about that. To that end, I wrote a craps simulator.
To get it up and running, make sure you have PHP and Composer installed, and do the following:
git clone firstname.lastname@example.org:dmuth/craps-simulator.git
cd craps-simulator/
composer install
Syntax is explained in the README.md file, but just by running the file main.php, you can run games of craps and see what the results are. The simulator allows you to place "Pass" and "Take Odds on the Point" bets. Multiple players with different starting balances, bet amounts, and betting/exit strategies can also be simulated.
A successful run will look something like this:
Note that if you simulate enough games, you will lose all of your money. That's the whole point of how casinos work, actually. Use my simulator to see how it works instead of playing a few dozen games and finding out for yourself.
I got this voicemail the other day from "Rachel at cardholder services":
(If the embedded player doesn't work, here's the direct link)
This one is kinda clever: rather than a human using high-pressure tactics to get you to enter your credit card number, what you hear instead is a recorded message which asks you to "press 1 to get a lower interest rate". Had I pressed 1, I suspect I'd have been transferred to a nice-sounding human operator who would try to coax me into giving them my credit card number.
There's two takeaways from this:
1) Never give out your credit card number to someone who calls you on the phone. (Caller ID can be spoofed.)
2) Strongly consider not picking up the phone when an unknown number calls you. Let it go to voicemail. If it's someone genuinely trying to get hold of you, you can listen to the voicemail right away (or use Google Voice, which does transcripts) and call the person back.
This year's Anthrocon has come and gone and it was a great year! There was a total of 6,348 attendees and 1,460 fursuits in the fursuit parade. We also raised $35,910 for our charity this year, The Western PA Humane Society.
We tried something new this year--we took the fursuit parade outside and invited the entire city of Pittsburgh to come watch! The turnout was impressive--according to Visit Pittsburgh, an estimated 5,000 people showed up to watch. And it went over really well!
We received lots of positive feedback from convention attendees, fursuiters who were in the parade, and the City of Pittsburgh itself. We're thrilled that it went so well!
I know, I know. This is a rather short con report for such a big convention. The truth is, like with other Anthrocons, I was very very busy at this one, and it seems like every year as the con gets bigger, I get busier.
For what it's worth, I did get some downtime in which I was able to see some old friends, make some new ones, and generally enjoy the city of Pittsburgh. It does amaze me how welcoming the city is to us every year, and I am thankful for that.
This is a busy summer for me! My next cons will be BronyCon, Eurofurence, and MarinaraCon. They're all as good as they sound. I hope I'll see you there.
In general, the longer and more random a password is, the harder it is to crack. The reason is that a well-run site does not store passwords in the clear: if its password file is stolen, what the attacker gets is a one-way hash of each password, not the password itself. To recover an account's password, the attacker has to hash candidate strings one after another and look for one whose hash matches the stolen value.
Naturally, every possible 2-character string can be tried more quickly than every 3-character string, and 4-character strings take longer still. Unfortunately, thanks to Moore's Law and GPU-based crackers, "longer" for short passwords can still mean seconds: the whole space of short passwords can be exhausted almost instantly. Eight characters is the usual minimum, but by some estimates even that is no longer sufficient. To make matters worse, we humans have a hard time remembering random letters and numbers, which leads to bad habits such as reusing the same password on multiple sites, and that causes problems of its own.
This is where Diceware comes in. The concept is over a decade old and rather simple: you roll five dice, read them as a five-digit number from 11111 to 66666, and look that number up in a word list of 7,776 (6^5) entries to get a word, repeating for each word you want in your passphrase. Words are easy for us humans to remember, yet the dice rolls themselves are quite random. Let's look at a sample run:
That's 20 dice rolls, or four words, which means there is a one-in-6^20 (about 3.66 * 10^15) chance of getting that specific sequence or, for an attacker who knows you used the word list, 6^20 guesses to try every possible passphrase (roughly 51.7 bits of entropy). As computers get faster and longer passphrases are needed, more rolls of the dice can be made; each additional word adds another 12.9 bits.
This app can be used online at:
Please try it out and let me know what you think. Naturally, my source code is also available for download. It can be found over on GitHub.