Superbowl and geek toys

At the SuperBowl-watching-event, I took my LCD projector, which we hooked up to provide a big-screen version of the action. We also got the wireless network going, and hooked up my laptop to the projector, so that we could switch back and forth between the action and the stats on the web site, or various other web sites.

I’d like to mention, for posterity, that Dexter Jackson was the first Safety to win SuperBowl MVP, and that he was chosen based in part on the overwhelming number of votes he received via the web.

On a somewhat unrelated note, I’d also like to mention that SuperBowl.com is running Apache 1.3.22 and mod_perl 1.26 on some Unix variant – possibly Linux.

And, finally (of course completely unrelated) I’d like to note that their web site was very happily able to handle 30 or 40 requests per second without any noticeable slowdown.

TRACE works as designed! Panic! Run for the hills!

WhiteHat Security, perhaps in an attempt to make themselves appear important, or, perhaps because they really thought it was true, released a security alert a few days ago. You can read it HERE (http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt)

In summary, here it is.

HTTP provides a TRACE method, for debugging purposes. When you send a TRACE request, you get it back, including the message body, headers, etc.

WhiteHat’s security alert said that when you send a TRACE request, you get it back, including the message body, headers, etc.

Pretty scary, huh?

So, basically, they are saying what the rest of us have known since 1992. After all, it is in the HTTP specification, and you have read that, right?

Apparently, they think that you should not be able to get at information that you just sent to the server. It is secret or something.

And they provide a variety of scary JavaScript examples that allow you to intercept your own request, and send that request to some third-party site. Now, this is actually where they say that the vulnerability lies. They seem to think that this is the fault of the TRACE command. The fact of the matter is that the client has always had access to this data. Perhaps – just perhaps – this could be construed as a flaw in JavaScript – that you could possibly gain access to cookies, or auth information, and send it to some other site. But that is possible via other means which are not quite so tortuous.

So, folks, if you are in a panic about TRACE, you might want to read http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=104333761011676&w=2 which talks about it a little more scientifically than I have, and explains why it is a bunch of hogwash. You can feel free to disable TRACE on your Apache server if you really want to, but it won’t gain you anything other than a false sense of security.
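To make concrete what the paragraphs above describe, here is an added example (mine, not from the post or from WhiteHat) that simulates an RFC 2616 TRACE round trip with a constructed request and then lists which echoed headers would matter only if a script from another origin could read the reply; no network access is involved.

```perl
#!/usr/bin/perl
# Added example, not from the original post: simulate an RFC 2616 TRACE
# round trip and audit what the echo would expose. All input is constructed.
use strict;
use warnings;

# Server side: per RFC 2616 section 9.8, the reply carries the received
# request as a message/http body.
sub trace_response {
    my ($raw_request) = @_;
    return "HTTP/1.1 200 OK\r\n"
         . "Content-Type: message/http\r\n"
         . "Content-Length: " . length($raw_request) . "\r\n"
         . "\r\n" . $raw_request;
}

# Split a raw HTTP message into (start line, header hashref, body).
sub parse_message {
    my ($raw) = @_;
    my ($head, $body) = split /\r\n\r\n/, $raw, 2;
    my ($start, @lines) = split /\r\n/, $head;
    my %headers;
    for my $line (@lines) {
        my ($name, $value) = split /:\s*/, $line, 2;
        $headers{ lc $name } = $value;
    }
    return ($start, \%headers, $body // '');
}

# Which echoed headers would matter if script from another origin could
# read this reply (the cross-site scenario the alert describes)?
my @SENSITIVE = qw(cookie authorization proxy-authorization);
sub echoed_secrets {
    my ($response) = @_;
    my (undef, $rh, $body) = parse_message($response);
    return [] unless ($rh->{'content-type'} // '') eq 'message/http';
    my (undef, $echoed) = parse_message($body);
    return [ grep { exists $echoed->{$_} } @SENSITIVE ];
}

# Constructed request: what a browser carrying a session cookie would send.
my $request = "TRACE / HTTP/1.1\r\n"
            . "Host: www.example.com\r\n"
            . "Cookie: session=constructed-value\r\n"
            . "Authorization: Basic Y29uc3RydWN0ZWQ=\r\n\r\n";
my $reply = trace_response($request);
print "Credential headers echoed back: @{ echoed_secrets($reply) }\n";
```

The point the post makes holds in the output: every header the audit flags is one the client itself put on the wire, so the server reveals nothing the client did not already have.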

New wine store

There’s a new wine store in Nicholasville. Frankly, it seems entirely too nice and upscale to be downtown Nicholasville. I wish them much success. I went in there yesterday, and was very very impressed, both with the store itself, as well as the staff, who are very knowledgeable. They were doing a Yalumba wine tasting (Oxford Landing, I believe it was) in honor of Australia’s Founders Day. The chard was great – fruity, bright, and easy on the oak. The Shiraz was even better, although it could stand to stay in the cellar for another year or two. Huge nose. Berries and plums and leather. Lots of tannins and earthy flavors. Yummy.

Migrating to 2.0, part two

I got done migrating to Apache 2.0 on Eris. I’m actually still running two daemons. I’m running Dav in its own process, on an alternate port. I built a very stripped-down Apache, taking out all the modules that I did not think I would need. I’ll bet I could make it even more stripped down, but it seems to be pretty good. I’m running it with Worker, and just a few threads.

The other process is bigger – ie more modules – and running SSL as well. I’m running worker on that also, and it really seems to be running faster. I suppose I could be imagining this, but it feels snappier. This could also be because I’m running mod_deflate. I was using mod_gzip before, but this caused some problems, as mentioned in an earlier note.

My other main server is still running 1.3, because I feel better with 1.3 and mod_perl. Hopefully, I can move that to 2.0 real soon now also.

Migrating to Apache 2.0

Now that I have given a “Migrating to Apache 2.0” talk a few times, I thought it might be a good time to try it myself. Actually, my last PHP web site went away, and I’m not using mod_perl on the server in question, so it seemed like a reasonable thing to try. Also, after my latest frustrations with mod_gzip, a move to mod_deflate seemed like a good idea as well.

So, I’m moving one of my two main servers to Apache 2.0.

The hardest part of the entire process really seems to be the swap itself, because there are so many hard-coded path-names laying around pointing to /usr/local/apache. So I’m building Apache2 in /usr/local/apache2, I’ll do some symlinking for a bit while I rebuild it in /usr/local/apache, and then … well, it should just work. I think.

Linux World Expo, summary

LinuxWorld 2003

I just wanted to write a few last thoughts on my experience at Linux World, lest I leave the wrong impression – or no impression at all, which is more likely to be the case – about the conference.

I arrived Monday evening, and left Tuesday almost immediately after giving my presentation. This was not conducive to actually experiencing anything of the conference, which did not start for real until Wednesday. I tried to get out onto the show floor, so that I could at least talk to a few of the companies there, even though they were not really set up for business yet. However, the various people in charge of such things did not feel very cooperative in that regard, so I did not even get to do that.

The nice things that did happen was that I was able to talk with some folks that I only see about 2 or 3 times a year, at most. In particular, I talked with Adam Turoff about the copyright/patent stuff surrounding Calendrical Calculations. I don’t know if I’ve mentioned that here before, but I expect it will come up again.

And, as I was submitting an article to slashdot about the 2.0.44 release, Chris DiBona conducted a mini-interview so that he could write a few additional words about the topic for the article.

In all, I came away from the conference with just a few observations.

First, New York City is an awful place, and one would have to be a lunatic to live there voluntarily. It is cold, crowded, noisy, smelly, and everybody seems to be in an absolute panic of hurry. These people need to calm down, get their priorities in order, and move somewhere where people aren’t quite so reticent to look one another in the eye.

Second, I’m unclear how any conference even remotely connected to technology can not have network in the session rooms. Perhaps I’m spoiled, but I’m really coming to expect wireless networking, or, at the very least, wired networking, at conferences. IRC is an integral part of conference-going. And, no, I’m not being facetious.

Third, I know that conference budgets are really tight lately, but if I may make a comment/suggestion. The speakers are an integral part of what makes the conference happen. It is a Good Thing to encourage them (ie, pay) to stay for the whole conference, mingle with the attendees, conduct late-night BOFs, have informal “guru is in” sessions, and so on. In addition to the fact that I *hate* rushing around, it is annoying to fly in, speak, and fly out, being unable to participate in the conference, have people be able to ask follow-up questions after ruminating on the talks, or just being able to feel like more than a hired hand. I suppose I’m whining, but I tend to feel that I’m wasting my time doing these kind of gigs, where it ends up costing me a few hundred dollars in expenses, and I don’t really get anything out of it for my troubles.

mod_gzip

It appears that mod_gzip keeps work files FOREVER. Don’t say that you want to keep work files, because it will. I appear to have GIGABYTES of mod_gzip work files. And I’ve been backing them up. For months. This is an enormous pain.

You bet your life

When I am in big cities like this, I am struck more than ever by how much we rely on the good will of strangers. In fact, as is observed by Rush in their song of the same name, “you bet your life.” I got in a van with 9 strangers, and wandered around a strange (*very* strange) city for almost an hour, just hoping that I would end up somewhere pleasant. And, eventually, I did. This is a very nice hotel room. Not quite as nice as the room at ApacheCon, but still very nice. And a lot cheaper.

They did not have any note that my room cost would be covered. And Kevin Lenzo, who was standing next to me at the check-in counter, also did not have such a note on his reservation record. I don’t think Kevin knew who I was, which makes perfect sense considering I met him once, more than 1.5 yrs ago. Kevin has done some very cool stuff, including the original YAPC, and heading up YAS.

While we’re quoting Rush …

In the canyons of the city, you can hear the buildings cry.

It is darned cold out there, and the wind is just killer. But on some streets, you feel like you’re in a canyon, and the wind whips through it like it is possessed, and flings trash at cars almost belligerently.

On another, completely unrelated note, it appears that Apache::Perldoc does not work under Perl 5.8. I have not yet figured out why this is the case, but it appears that pod2html itself has changed syntax somewhere in that timeframe, and so when Apache::Perldoc calls pod2html, the arguments are geborken.

Flying to New York

The flight out of Lexington was delayed, and my time in Cincinnati, already painfully tight, was reduced to about 3 minutes. I arrived at the gate after they had already closed the door, but as the plane door was still open, they let me on.

And so I’m on my way to JFK, using my wonderful new ElectroVaya 16-hour laptop battery. I’m really happy with it. Although it was very expensive, it’s cheaper than 3 laptop batteries, which is about how long it lasts. Except for my laptop batteries, which seem to last about 10 minutes on a good day. When I’m using 802.11, it seems to last about 6 hours. When I’m not, I seem to be getting about 10 hours out of it. So it’s not *really* 16, although I suppose if I did console only, no sound, no network, I could probably get that much out of it.

In other news, the Magical Vhosts thingy that I posted a few weeks ago only works for one vhost. So it’s not much good. The fix is pretty simple. Instead of:

$VirtualHost{'*'} = { … etc

I have

push @{$VirtualHost{'*'}}, { … etc

This should have been obvious to start with, but, alas, I did not actually test it. Well, I tested it with one vhost, but not with more than one. And having it work for one vhost is not terribly useful.
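As an added example (mine, not the original “Magical Vhosts” code), the script below builds the %VirtualHost hash that an Apache <Perl> section would hand to Apache::PerlSections both ways, counts how many vhosts each version really defines, and prints the blocks the fixed version would produce; it assumes PerlSections accepts an array of hashrefs for one address, as the post’s fix implies, and the site list and directory layout are constructed.

```perl
#!/usr/bin/perl
# Added example, not the post's original code: why assignment keeps only
# the last vhost while push keeps them all. Runs stand-alone; the sites
# and directory layout are constructed.
use strict;
use warnings;

my @sites = qw(example.com example.net example.org);   # constructed

# One <VirtualHost> worth of directives for a site (assumed layout).
sub vhost_block {
    my ($name) = @_;
    return {
        ServerName   => $name,
        DocumentRoot => "/home/www/$name/htdocs",
        ErrorLog     => "/home/www/$name/error_log",
    };
}

# Broken form from the post: each iteration overwrites the previous
# hashref, so %VirtualHost ends up describing only the last site.
sub build_overwrite {
    my %VirtualHost;
    $VirtualHost{'*'} = vhost_block($_) for @_;
    return \%VirtualHost;
}

# Fixed form: the value is a list of hashrefs, one <VirtualHost *> each.
sub build_push {
    my %VirtualHost;
    push @{ $VirtualHost{'*'} }, vhost_block($_) for @_;
    return \%VirtualHost;
}

# How many vhosts does a structure actually define?
sub count_vhosts {
    my ($vh) = @_;
    my $v = $vh->{'*'};
    return ref $v eq 'ARRAY' ? scalar @$v : 1;
}

printf "overwrite: %d vhost(s)\n", count_vhosts(build_overwrite(@sites));
printf "push:      %d vhost(s)\n", count_vhosts(build_push(@sites));

# The blocks Apache would see for the fixed form, one per site.
for my $vh (@{ build_push(@sites)->{'*'} }) {
    print "<VirtualHost *>\n";
    print "    $_ $vh->{$_}\n" for sort keys %$vh;
    print "</VirtualHost>\n";
}
```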

Hopefully, the guy on IRC who was frantically trying to get this working will still be online this evening, or tomorrow morning, or some time, so that he does not get fired for not getting this working. I had to get on the plane, and so did not have a chance to tell him my solution, which I really just arrived at just now, at 5000 feet or so.

Linux World Expo

Heading out to Linux World Expo this afternoon. In New York City. In the dead of winter. Ick. Anyways, hopefully it won’t be too terrible, and there will be a few training leads that come out of it. (Shameless self-promotion!)

My goal for this trip is to get my GPG key signed by John “Mad dog” Hall.

Oh, yeah, and to get my presentation written before it is time to give it. 😉

The Margin Is Too Narrow