Unimpressed with CreditSesame.com - A Review

After listening to Marketplace Money on NPR this morning, I decided to try CreditSesame.com after they discussed tools to managing your finances. I decided on CreditSesame because I've tried Credit Karma and I don't like to use anything Intuit (i.e. Mint.com) if possible. After 15 minutes, I'm thoroughly unimpressed.

Thoughts

• During the registration process, there is a place to set your financial goals.  CreditSesame seems to forget that I just want to sign-up.  I don't want to have to set goals to just get in for the first time.  The only way I could proceed was to make some dummy goals (which defeats the point).  This needs to be rethought!


• The UI of the website is less than impressive.  For example, entering or confirming expenses like PMI on our mortgage is very unclear -- do you want the monthly or annual amount?


• On my Dashboard, it recommends that I enroll in their free credit monitoring despite the fact that I enrolled during registration.  Why must you nag more about something I already did?


• On the My Credit page, I get a badge for using my credit wisely and then a warning that "Your credit card balances may be getting close to your credit limits".  Strange warning when the same page reports my credit usage at only 2%.  I guess that is too much!


• It seems the main point of anything I do is to sell me a $9.95 credit report.  Yes, I know their service is free however


• I get random errors using the site like this.  One thing that bothered me was that the Java stacktrace is publicly visible.  This is a security no-no in the web world and this place has my SSN!

My Rating: I deleted my account!

Micro Python: Python for Microcontrollers

Micro Python: Python for Microcontrollers

I backed this Kickstarter for £28 (includes £4 for shipping to the USA).  Sounds like a bunch of fun over Arduino.

Micro Python is a lean and fast implementation of the Python programming language that is optimized to run on a microcontroller.  The Micro Python board is a small electronic circuit board that runs the Micro Python language.  The aim of this Kickstarter campaign is to make Micro Python open source software so you can use it in your own projects, and also to fund a small manufacturing run of Micro Python boards so that you can own one for yourself!

GPUTest - Stress Test and Benchmarking for Linux

GPUTest - Stress Test and Benchmarking for Linux

Python Tip: Thanking People is Important

Thanking people for the time they spend on helping you is important.  Email is great, but impersonal.  Consider taking the time to write a hand written message in a real card.  It's the personal touch that counts -- showing that you really thought about it and appreciate their efforts.

Sunsetting Mach-II

Rather than leave things in an uncertain state, we feel it is best to announce that the current team behind Mach-II will no longer be working on or supporting Mach-II moving forward.

Peter, Matt, and Kurt have all moved away from CFML to other technologies: Peter and Matt to Python and Django, Kurt to C#. Since we are no longer doing CFML development and our time will be filled working in and contributing to projects in our new primary languages, we are no longer able to effectively develop and support Mach-II.

Mach-II is a stable, mature framework and is used -- and will continue to be used -- by a large number of organizations for their most mission-critical CFML applications. Current Mach-II applications will continue to run just fine of course, and if Mach-II does everything you need it to do there’s no reason to stop using it. The code will remain in its current state on GitHub (https://github.com/Mach-II/Mach-II-Framework) permanently, so it will always be available for you to use.

The beauty of free and open source software is that just because the current team supporting Mach-II is stepping away from the project, that doesn’t necessarily mean Mach-II dies. In addition to being able to continue to use Mach-II, you are also free to fork Mach-II and improve and evolve it as you see fit. Since we will no longer be maintaining Mach-II we will not be responding to pull requests back to the main repository, but if anyone is interested in taking over active maintenance of Mach-II please feel free to contact us.

Finally, we would like to express our extreme gratitude to everyone who contributed to Mach-II over the years. Contributions large and small -- from minor edits to documentation, to helping by testing your applications on new versions of Mach-II, to major code contributions -- were all vital to the success of Mach-II over the years. To all Mach-II users and contributors, our deepest and sincerest thanks.

Happy Hacking!

Peter, Kurt, and Matt

Installing VPython (Visual Python) on Linux

VPython on Linux is a pain to install because they recommend using WINE or compiling from source.  I was able to compile from source but it took over an hour to compile a special patched version of wxPython and then compile that into VPython.  It was a less than "fun" experience and requires knowledge of compiling.  I discovered this during Kirby Urner's Leveraging Python tutorial at DjangoCon US 2013. So I set out to find a better way with fellow attendee German Larrain.

We're waiting on a pull request to the main GitHub repo that fixes our problems however we figured out a way to install VPython using PIP.  Its as easy as using PIP ability to install from a GIT repo.  In the meantime, you can use German's fork of VPython at GitHub:

sudo pip install git+git://github.com/glarrain/vpython-wx.git

Edit (Nov. 2013):

The pull request mentioned above has been merged into the main VPython git repo.  However the installation instructions have changed due to the addition of the Numpy package and on my system I needed to install a newer WxPython (which much have been installed on my old system and why it wasn't on the original instructions).

Here's how I installed WxPython 2.9.4 on Ubuntu 13.10 (saucy -- no deb was available yet).  I couldn't get 2.9.5 to build on my system - it kept failing in the make process at random places. You do need GTK2 dev package (as indicated as the first command) if you do not have that installed yet and the gstreamer base dev package (second command).  If you get errors about missing .h files, then your system is missing a -dev version of some package that is indicated.

sudo apt-get install g++ libgtk2.0-dev freeglut3-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev python-dev libgtkglextmm-x11-1.2-dev libboost-python-dev libboost-signals-dev libboost-python-dev libboost-thread-dev tk
wget http://downloads.sourceforge.net/project/wxpython/wxPython/2.9.4.0/wxPython-src-2.9.4.0.tar.bz2
tar -xvf wxPython-src-2.9.4.0.tar.bz2
cd wxPython-src-2.9.4.0/wxPython
python build-wxpython.py --build_dir=../bld

Note the output that say something like -- we will need this later:

To run the wxPython demo you may need to:
 - set your PYTHONPATH variable to /home/peter/wxPython-src-2.9.4.0/wxPython
 - set your LD_LIBRARY_PATH to /home/peter/wxPython-src-2.9.4.0/bld/lib

Note that Numpy will take some time compiling all the C code on your system. I have an i7 with 8 cores it took a few minutes -- may look like it hangs, but be patient. Also, it may take some time for PIP to download the tarball depending on your internet connection speed -- it may look like it hangs downloading, but again be patient.

sudo pip install numpy
sudo pip install https://github.com/BruceSherwood/vpython-wx/archive/master.zip

At this point, we need to create .sh executable to run vidle.  Create a file named vidle.sh with the following text (replace paths with the stuff we noted above) and ensure this file is executable (chmod 777 vidle.sh).

export PYTHONPATH="/home/peter/wxPython-src-2.9.4.0/wxPython"
export LD_LIBRARY_PATH="/home/peter/wxPython-src-2.9.4.0/bld/lib"
python /usr/local/lib/python2.7/dist-packages/VPython-6.03-py2.7-linux-x86_64.egg/vidle/idle.py

Twitter Bootstrap JS: Using ButtonGroup (radio type) selected button in a form

This is the function that we use to watch which buttons have been activated in a Twitter Bootstrap `buttonGroup` of a radio type.  You need to have a hidden form field so the function can put the values from the selected buttons in there for your form post.

Using it is as simple as adding this to your document ready of your page.  The first argument of the function call is the id of the `buttonGroup` and the second argument is the id of the hidden input where the function will store the values of the activated buttons:

    $(document).ready(function() {
        watchButtonsRadio('#utilitiesLocatedBtnGroup', '#utilities_located');
    });

Add this function to the general or utility JS file that is loaded on every page:

function watchButtonsRadio(buttonGroup, hiddenInput) {
    $('button', $(buttonGroup)).each(function() {

        var originalValue = $(hiddenInput).val();

        //Convert booleans to numeric
        if (originalValue == 'true') {
            originalValue = 1;
        } else if (originalValue == 'false') {
            originalValue = 0;
        }

        if ($(this).val() == originalValue) {
            $(this).trigger('click');
        }

        $(this).live('click', function() {
            // Hidden by default doesn't trigger the change event so manually fire it
            $(hiddenInput).val($(this).val()).change();
            console.log(hiddenInput + ': ' + $(hiddenInput).val());
        });
    });
}

Judgemental Maps: Minneapolis

So true in many ways!

Tomcat7 Service Start/Stop Script

I'm posting this because I forget the script I used because I setup systems so infrequently.  Place this in a file called tomcat7 in /etc/init.d/ Be sure to sudo chmod 777 tomcat7 so it will run.

#!/bin/bash                                                                                                                                                                                                #                                                                                                                                                                                                          # tomcat7     This shell script takes care of starting and stopping Tomcat                                                                                                                                 
# Description: This shell script takes care of starting and stopping Tomcat
# chkconfig: - 80 20
#
## Source function library.
#. /etc/rc.d/init.d/functions
TOMCAT_HOME=/home/peter/tomcat
SHUTDOWN_WAIT=20

tomcat_pid() {
  echo `ps aux | grep org.apache.catalina.startup.Bootstrap | grep -v grep | awk '{ print $2 }'`
}

start() {
  pid=$(tomcat_pid)
  if [ -n "$pid" ] 
  then
    echo "Tomcat is already running (pid: $pid)"
  else
    # Start tomcat
    echo "Starting tomcat"
    ulimit -n 100000
    umask 007
    /bin/su -p -s /bin/sh root $TOMCAT_HOME/bin/startup.sh
  fi


  return 0
}

stop() {
  pid=$(tomcat_pid)
  if [ -n "$pid" ]
  then
    echo "Stoping Tomcat"
    /bin/su -p -s /bin/sh root $TOMCAT_HOME/bin/shutdown.sh

    let kwait=$SHUTDOWN_WAIT
    count=0;
    until [ `ps -p $pid | grep -c $pid` = '0' ] || [ $count -gt $kwait ]
    do
      echo -n -e "\nwaiting for processes to exit";
      sleep 1
      let count=$count+1;
    done

    if [ $count -gt $kwait ]; then
      echo -n -e "\nkilling processes which didn't stop after $SHUTDOWN_WAIT seconds"
      kill -9 $pid
    fi
  else
    echo "Tomcat is not running"
  fi
 
  return 0
}

case $1 in
start)
  start
;; 
stop)   
  stop
;; 
restart)
  stop
  start
;;
status)
  pid=$(tomcat_pid)
  if [ -n "$pid" ]
  then
    echo "Tomcat is running with pid: $pid"
  else
    echo "Tomcat is not running"
  fi
;; 
esac
exit 0

Yet another reason Twitter needs Two Factor Authentication

AP Hack Highlights Two Crucial Features Twitter Needs - Forbes

I swear they haven't added support for Google Authenticator or Yubikey because any publicity about Twitter is good publicity about Twitter, right?

Get with the program Twitter -- you need two factor authentication now more than ever.  It's not surprising I blogged about it just in February about the hacking of Burger King's Twitter account.

Code Python anywhere online via your browser - PythonAnywhere

Code Python anywhere online via your browser - PythonAnywhere

Totally awesome with Python, Bash, MySQL consoles... GitHub integration, etc.

SSH Tunnel to Remote MySQL (Port Forwarding)

ssh -f -L 13306:localhost:3306 root@example.com -p 10022 -N

We block access to production MySQL servers over port 3306 for security reasons.  Here is an example connection string that proxies localhost port 13306 to port 3306 on the target system.

We use a few switched to make this easier to use:

Use -f to force SSH to go into background just before the SSH session starts.  This way you can get still be prompted for passwords but then run this in background.  We like this because then we don't have to have an open terminal all the time.

The -L switch indicates port:host:remoteport format. In this case, listen to socket 13306 on localhost and proxy to remote host port 3306.

The -p switch is special.  You might have to connect to SSH on a remote host on a port other than the standard 22.  It is starting to become common practice to change the SSH port on remote hosts to something else for security reasons.  In this example, the remote host only responds to SSH on port 10022.

Using -N tells SSH to NOT execute remote commands.  Useful when all you want this SSH session to do is port forwarding.

Recover Lost Admin Password in Django

./manage.py changepassword <username>

Run this in your project directory.

AirDroid - Manage your Android from your Computer Browser

http://youtu.be/WfNnQxpw7Uw

I need to transfer some video files from my Ubuntu computer to my Nexus 7. I couldn't get MTP via USB to work right.

Luckily, I found this nice Android application (free - no ads) that gives you a simple virtual desktop of your Android in your browser. I was able to upload my videos over WiFi in just a few seconds.

You can get AirDroid in the Google Play Store

Quick YubiKey PAM Bash Installer

Quick YubiKey PAM Bash Installer

A quick and easy way to install YubiKey PAM for Ubuntu.  There is also a Bash installer for Debian in the same GitHub repo.

MySQL FOUND_ROWS() and OpenBD

We recently switched to OpenBD on a production website and it uses MySQL FOUND_ROWS().  There a couple of things to ensure it works properly on OpenBD.

You need to add this setting to the "Connection Settings" in the datasource

useDynamicCharsetInfo=false

The queries need to be in a cftransaction block otherwise they will use a different MySQL connection.   It would look something like:

<cftransaction>
  <cfquery name="foo" datasource="foo">
    SELECT SQL_CALC_FOUND_ROWS * FROM foo 
    WHERE id > 2 LIMIT 2
  </cfquery>
  <cfquery name="bar" datasource="foo">
    SELECT FOUND_ROWS() AS numRows
  </cfquery>
</cftransaction>

Twitter Needs to Add Two-Factor Authentication

After the account of @BurgerKing hacked at Twitter, when is Twitter going to add two-factor authentication? Google and Facebook both have done it.

Excited for PyCon 2013 - Live Blogging It!

PyCon 2013 is the first conference since 2007 that I will be attending and not speaking at the conference itself.  So I actually feel like I can focus on being an attendee instead of a speaker.  So this is going to be a different experience for me and I'm already planning what I want to do at the conference.

I've decided I'm going to live blog the sessions that I attend at PyCon using Google Drive.  This means you'll be able to even watch me take my notes as the session goes on.  So I'll be blogging the live Google Doc links in a future blog post.  I'm so excited!  Watch this space...

pyMNtos - February Meeting Agenda - David Goodger on The Zen of Python Revisited and 3 Lightning Talks

Our next meeting on Thursday 2/21 (pizza at 7p / meeting at 7:30p -- Please RSVP) includes three Lightning Talks:

• MyHDL -- Chris Felton
• Docopt -- Andrew Carter
• Building Web UIs with Twitter Bootstrap -- Peter Farrell

David Goodger will be presenting a longer talk on The Zen of Python Revisited -- A fresh look at the meaning of Python's Zen. Does it mean what you think it means?

David is best known in the Python world for Docutils / reStructuredText and for chairing the 2008 & 2009 PyCons in Chicago.

We might broadcast this as a Google+ Hangout for those interested in attending remotely or out of state.  Let me know if you are interested as I don't want to setup all the mics and camera if nobody is going to come.

LastPass and YubiKey - Lessons Learned

Continuing on with my year of digital security ideas, I wanted to share a few short thoughts on some lessons I learned using LastPass and YubiKey.

LastPass

• Before I committed to switching to LastPass, I tried it out. LastPass uses a Master Password and I generated it in my KeePass.  However, I didn't save my KeePass vault for some reason.  Never forget your LastPass Master Password or you will be sorry.
• Always generate a few one-time passwords (OTP) to get into your LastPass vault just in case.

YubiKey

• After you receive your YubiKey, be sure to sign up for the Yubico Revoke Service and add your key.  This allows you to revoke your YubiKey in the YubiCloud authentication service in case your key is lost or stolen.  You have to physically have your key to add it to the revoke service -- you cannot add a key if you do not have it (like after you lost it).
• Be sure to add your YubiKey to your LastPass profile and enable two-factor authentication.

2013 - The Year of Digital Security

Last year, 2012, was the year of backups.  Between the cloud and automatic backups and safe places to keep drives -- I believe backing up my digital life as well as getting it more organized in the first place was a complete success.

This year I'm focusing on something entirely different: Security.  Actually, I did a lot of small security stuff at the end of 2012 so I'd say I started 2013 with a "very good" rating.  Instead of a tutorial on how to implement security in your digital life, I'm just going to share some of things I've already done and where I'm going from here.

I was already doing a lot of good things that I started in 2012:

• I was user of a password manager / password vault.  I've been using KeePassX (available on many platforms like Linux, MacOS, Android, Windows, etc.) on both my laptop, desktop and Android phone. I kept my single password vault file in sync between devices using DropBox.


• Stopped sharing similar or the same passwords between sites. I was pretty good about this, but sometimes I would order something from a company that I knew I would rarely use.  I became lazy and didn't always setup a new profile in KeePassX. For example, I was one of the 24 million accounts that were hacked at Zappos in January of 2012.  Also, my credit card information was stolen (see sample letter in PDF) from Altrec -- an outdoor outfitter where I made a purchase almost two years ago.


• After reading Matt Honan's tail of how he got his entire digital life wiped out by hackers in Wired last August, I turned on Google Authenticator (two-factor authentication) on all my GMail accounts (even DropBox can utilize Google Authenticator).

So, you're probably thinking what more can you do? Well, there a few more items that I've already working on or done in 2013:

• I decided to switch from KeePassX to LastPass for my password management. I switched for three reasons:
  
  
  
  • #1 - LastPass has tighter integration with the browser and the cloud. LastPass has a pretty good web browser plugin for Chrome and Firefox.  KeePassX I would have to find the profile and use the clipboard to copy my password.  LastPass just reminders my profiles.
  
  
  • #2 - My LastPass password vault is encrypted locally and stored in the LassPass cloud.  This takes the pain of synchronization with KeePassX and Dropbox out the equation.
  
  
  • #3 - Two-factor authentication support. For those that don't know what this is, this means you need both the password and some physical item (that usually emits unique codes) in order to login.  If you don't have both items, you cannot login.
  
  
  
  


• Two-factor authentication using YubiKey.  These are amazing little USB devices that emits an one-time password (OTP).  For example, to login into my LastPass vault I use my master password and then I have to authenticate using the OTP emitted from my YubiKey.  They even offer a YubiKey that has NFC built-in so you can use it with NFC enabled devices like my Google Nexus 7 tablet.


• I now encrypt my home directory data on my HD (via Ubuntu) on both my laptop and desktop.  So even if you steal my computer -- you cannot get my HD contents unless you know my password. (Note: Yubico offers a PAM for Linux so I could even require my YubiKey login).

I hope this inspires you to do more for your security of your digital life.  I'm planning on writing up a nice quick start soon for getting started with LastPass and some of the things I did or things you shouldn't do like I did.  Let me know if you have any questions.  Until then, may the security deities be with you!

Illegal use of nonvirtual function call in Java / MySQL JConnector

My computer crashed today and after restart none of my Java based application via Tomcat that used MySQL would work.  I would get an error like this:

Could not verify datasource: java.lang.VerifyError: (class: com/mysql/jdbc/DatabaseMetaData, method: supportsRefCursors signature: ()Z) Illegal use of nonvirtual function call

No matter the amount of Googling did anything turn up useful.  After reinstalling MySQL, I realized that my Aqua DataStudio could still connect and query the MySQL databases.  I tried a new MySQL J/Connector which did not help.

In the end, the fix was that Tomcat was using Java8 weekly (via a .deb) and something in Java8 must be broken.  I downgraded Tomcat to use Java7 and everything worked.  I found out that there was an update to my system to Java8 on 2/13 and the restart made it effective because Tomcat had been running for at least a week.

The fix: Check your Java version and downgrade from Java8