The Tinker Pit

There have always been ways to sort folders before files in OS X finder, or so I’ve read.  I’m new to OS X, only been using it for a few months, and until now I’ve dealt with the intermixed folders.  But I never liked it.

All of the posts I’ve found related to folder-first sorting tell you to modify a system file to prepend a space to the “Folder” type.  Then you sort by type and bam, folders on top.

Well in 10.11, Apple has a system integrity protection mechanism that will not let you modify system files.  You can disable the system integrity protection, but that leaves you more vulnerable to malware.  Not to mention, I’m constantly testing things and I would like to minimize the chance of trashing my new notebook.

Here’s what I found, and I’m sure somebody else has probably already thought of it, but I couldn’t find it anywhere.

First I created a new Tag: “Folder”

Pretty self explanatory, no color needs to be added, we just want a tag.

Next we create an Automator service.

Basically a shell script receiving a list of files from Finder.  The shell script verifies that the file is a directory and that it does not end with “.app”.  This treats apps like files and doesn’t apply the tag to any regular files, only folders.  It then deletes the existing tags and applies the configured tag(s).  I’m hard coding the “Folder” tag into an XML plist and applying that.

Finally we set a keyboard shortcut.  I’m still learning the keyboard shortcuts for OS X, but Command+F1 seems to work for this.  Maybe there’s a better option, and if it comes along, I will happily switch around, but for now, this works for me.

So, how’s it work?  Simple <Command>+A, <Command>+F1 while arranging by Tags.  You select everything, which makes the keyboard shortcut available.  Press the keyboard shortcut, and wait for the service to do it’s thing.

Consequently, if you don’t use any other tags, this sorts all folders alphabetically (under “Folder”), then all files alphabetically (under “No Tags”).  Similar to how other OS’s sort.  If you use other tags, they will of course be shown as well.

It’s been a long time since I’ve posted.  A lot has happened that has slowed my tinkering to a crawl.  Namely the little girl who should start crawling any day now.  She may only be 4 months old, but the previous year was hectic.

So it seems a shame to start off 2016 with a rant, but here it goes.  I detest web.com and their “family” of sites.  Register.com and Network Solutions being my two least favorite registrars.

For the past 2 years, I have been trying to consolidate my companies domains under one registrar, Namecheap (who has excellent support and decent prices).  Well unfortunately, a number of them existed under these two.  I’m almost done dragging the domains from Register.com’s claws. I’ve got one left that is in process as I type.  Unfortunately, I also have 3 SSL certs with them.  And they all mysteriously got set to “SafeRenew”.  And I can’t disable “SafeRenew” without calling them and waiting on hold.  The 3 day wait for auth codes is bad enough, but now I have to call your understaffed support center to uncheck a box?  That’s horrible.

When I purchased Visual Studio 2010 a while back, I used the new license to upgrade an existing workstation already configured with VS 2005.  It might have been 2008, I’m not sure and it doesn’t matter.  Anyway, this was my dev PC for a long time and was configured the way I liked it.  The upgrade carried over my configuration settings.

Well recently, I decided to move to a new PC.  It was a sad day and a joyous day.  My new dev PC is running a Xeon quad core at 3.10 GHz, 20 GB of RAM, and 2x 500 GB “enterprise” drives in a RAID1 config.  It’s a 2-year old ex-server, but it beats the hell out of my 3-yr old laptop.  Why didn’t I buy new?  I feel guilty buying stuff for myself.  Like the tablet PC I ordered for myself and I’m hoping to have in time for vacation so that I can “research and test it against our environment” while on vacation.

Anyway, since this was a new install, my preferred config did not transfer.  So on the first day after installing I thought I reconfigured to my liking.  Then I went and started developing a new program for work.  And it’s time for a simple test on one page.

The program should not let two items have the same name, so click Update and …

Ok, this is new to me.  I throw the exception and expect the stack to unwind until it gets handled in the code behind for the ASPX page.  This function sets a message to the status bar at the bottom of the page and marks it as either good (blue-green background) or bad (dark red background) to catch the user’s attention.

But visual studio is telling me the exception is not user-handled.  If I click Continue, it gives me the expected result (mostly, I need to tweak the DIV to work with the new application since I borrowed it from another application I wrote in the past).

So, clicking Continue runs it as normal, but I don’t want to have to click Continue every time.  I Googled the question to see who else experienced similar problems.  I found one or two people with similar problems, but no solutions.  And I found a number of posts telling people how to enable stopping when exceptions were thrown.  So I went to the Debug->Exceptions dialog as instructed in these latter posts with no intention of stopping when exceptions are thrown.

This checkbox under user-unhandled caught my attention.  And made me start thinking, so I unchecked the box.  Now it works the way I want it to.  In this case, I’m throwing an exception in user code that is called by system code (ObjectDataSource).  The ObjectDataSource is supposed to catch the exception and construct an EventArgs parameter containing the exception to pass to the OnUpdated event handler.  Since the user-exception is raised to the ObjectDataSource, the system code tells visual studio it is user-unhandled before allowing the ObjectDataSource to process the OnUpdated event handler which also happens to handle the exception.  That’s annoying to me.  Others may want to know that they are raising an exception into system code, but I don’t care if this is what I’d have to deal with.  I want to know when they are really unhandled, which still gets reported and always will since it causes the program to crash.

Up until this project, I've always done through-hole soldering.  But for this project, I knew the chip was surface mount, so I figured, why not make the whole circuit surface mount.

So what is the project? Well, over the holidays I played with this little tank-like robot.  My wife calls it "tank", I call it "battery-sucker 4000" (now sucking more than ever!)

Each of those IR leds is running at 60mA, and they are not configured in series at all.  Overall, there are 10 IR LEDs on this guy, all running all the time.  So for one thing, I need to rebuild the IR bars.  To run this guy, I have 4x AA's to run the motor, and a 9V to run the Arduino and logic circuits.  The Arduino has a motor shield on top, that has been slightly customized to eliminate the extra features (all jumpers are cut) and make it stack tighter (TinkerKit connections are gone).  I also cut the traces between the TK analog inputs and the analog pins to ensure no interference.  On top of the motor shield is a custom cap-shield that I made to distribute power and sensor headers.

The red/yellow wires run off to a switch.  The thin wires run off to a bluetooth serial adapter, which was added as an afterthought of course.  The double sided tape is where it was "attached" in the picture above.  If you look, you'll see that originally I designed it to take in 6V + 3V to supply 9V to the Arduino's Vin pin.  Because the motors killed the 6V source, I changed it to where they share GND and the Arduino gets a fixed 9V battery instead.

And that's where the problem lies.  My Arduino setup is pulling 600mA constant draw off that 9V battery.  Going thru the 7805 on the Arduino, that means I am wasting a constant 2.4 watts of energy thru the shunt regulator.  The 9V was falling rapidly.  In fact, within 10 minutes of playing the 9V cell was under 7V.

Time for a new cap, this time with a switching regulator instead of a linear regulator.  In my (admittedly not very thorough) search, I found the MAX1674 boost regulator.  In theory, capable of boosting 0.7V to 5V.  So I layed out a double sided board to handle the surface mount 1674 and components along with the through-hole headers.

The transfers were beautiful.  And my three alignment holes made sure I had both sides relatively in line.  So I transferred to both sides and took it to the etchant.  One thing I did do was fill in the large planes with a permanent marker on top of the toner.  After etching, I think the alignment holes and permanent marker both had a good effect.

Damn, I screwed up.  All of the header solder points should be on the other side.  Other than that, this is damned near perfect alignment and very little pitting in the copper.  Time for the fun part, putting it together.

Since I am limited to two hands, and at times I wasn't sure that was enough, there are no pictures during the assembly.  So here's some post assembly pictures.

Yes, I am that lame.  I called it the "Robo-Cap Shield".  For the most part, the SMT parts were easy to work with.  The 0402 caps and resistors were a little tricky at first and are so freaking tiny the hardest part was handling them, but I think I worked them out fairly well. The 0402's at the top of the first picture were the early ones, and tend to have more solder and are sloppier.  The 0805's are nice and easy.  The large caps were easier still.  Even the chip was easy.  The inductor wasn't hard, but once the solder bonded, the inductor core started acting as a heat sink.  Not wanting to damage the wire on the inductor, I didn't want to heat it enough to remelt the solder to straighten it out.  Luckily it doesn't need to be perfectly straight to work.

Half a dozen tests later, here is the finished product.  Yes, I cut too close to the edges and nearly took off my 6V sense wire on the top edge.  The bridge wire connects the "dirty" groundplane on the bottom with the "clean" groundplane on top.  The Arduino fills this role, but for testing I wanted the board to work on it's own (and I have corrected my drawings to include this connection).  I also removed the LED header in favor of some SMT LEDs on the right side.  Finally, I had to cut a chunk out of the corner so I could get to the screw terminals on the motor shield.

I definitely like SMT, but I think once I use the last of these 0402's, I probably will pick up 0805's or 0603's instead.

When I did my first few PCBs, I was using paper from a Dell catalog, printing with my little HP LaserJet 1018, and then ironing it onto the copper clad board with the clothes iron.  The board then went to the storage container marked "acid" that originally contained hydrochloric acid and hydrogen peroxide, but now contains cupric chloride.  The whole process from start to finish would take about half an hour or so.  Well, my wife wanted the iron back.

Ok, really, I wanted finer traces.  I was getting really good results with the iron + catalog paper, but the removal of the paper sometimes damaged traces.  And the inaccuracy of the iron would overheat and squish some traces, making them wider, and destroying the gap between traces.

So I did a quick search for other methods, and came across Pulsar's products (www.pcbfx.com).  I was skeptical, and a bit unhappy about the costs, but I figured "what the hell" and purchased the transfer paper.  The paper by itself, not so useful.  It's hard to get the right temperature and pressure with the iron and half the time the traces would lift right off the board.  I was so irritated, I switched back to catalog paper for a few more boards.

Well, around Christmas, I bought the laminator Pulsar recommended (Apache AL13P from Amazon).  And then I fixed it because it was broken already and I didn't want to send it back and wait for a replacement.  Now we're in business. This works great.  It works great with the standard 1/16" thick board, not just the 1/32" thick board Pulsar recommends.

Well, it's been a while.  Over the holidays, I played with a toy robot.  It's a little tank-like thing right now.  Anyway, I was driving the motors with 4x AA and the Arduino with a 9V.  I was pushing 10 IR LEDs constantly and could watch the voltage from the 9V drop quickly while running.  By the time the motors killed the AAs, the LEDs killed the 9V.

So I needed to get away from the shunt regulator (7805) and need either a buck or a boost regulator instead.  I did some extensive hunting on digikey and found a MAX1674 that sounded ideal as a boost regulator.  A nice simple circuit and I can boost voltage from 2x AA to 5V.  Add to cart.  Add additional items to cart.  Place order.  Wait patiently. Get box, open, pull out pack of chips, what am I in for?  I should have read the spec sheet closer.  The MAX1674 chip measures just 3mm x 3mm.  I knew it was surface mount, but didn't pay attention to the size.  I also didn't pay attention to the size of those additional parts.  Most of the resistors and the 100nF caps I picked up are 0402 parts.

Ok, no problem.  I will make it work.  I'll just fire up Fritzing and find a part with the same footprint.  Nope, not in there.  Shit.  Now I have to make a part for Fritzing.  So I threw down a standard surface mount 8-pin chip, create a custom part, and export the FZPZ file.  I used Inkscape to edit the SVG files and then repackaged the FZPZ as a new part.  Maxim calls the footprint 8UMAX, I just called it UMAX8.  I know, creative, right?  It didn't take much effort to create the footprint, and as you can see, I tie the ground pin to a ground plane under the pin.  I printed out the drawing to show the chip compared to standard 0.1" headers.  If you're interested, you can download the FZPZ file here and import it into your parts bin inside of Fritzing.

Well, I know my house is dry.  It always is during the winter.  I don't have a whole house humidifier, just a dinky little 1-gallon job.  Anyway, this is a project that can easily tie into a home automation system.  I grabbed a DHT11 from SparkFun a while ago, and finally decided to use it.

The board, as always, was laid out in Fritzing.  It's based around an ATMega328, programmed with the Arduino bootloader and my code.  Along the top of the board, there is a line of 16 pins, this is to hook up the LCD from the back side.  The DHT11 is positioned over on the left all by itself, and the standard voltage regulation circuit is on the right.  There is a serial I/O header at the bottom and right above the chip is another header to allow up to 5 buttons for input and one for reset.

Here is the front, all populated.  Not a very dense design, but then I didn't need it to be and I actually wanted the DHT as far from any heat sources as possible.

And here is the back.  The LCD is mounted on 7mm standoffs to the PCB.  The standoffs could have been shorter, but this happened to match up with the male pin headers soldered along the top edge.  The LCD is a "recovered" item and that would be why the solder pads look a little burnt.  Damn plated through holes...

The buttons got a small proto-board.  This happens to fit tightly into the end of my enclosure giving very little play.  From left to right we have reset, A3, and A2.  I'll probably lay out a PCB for this as well if I decide to make another.

The enclosure is just a standard RadioShack enclosure, with plenty of holes drilled and cut.  The right side has my three button holes and the left has a hole for the serial port and eventually a power port.  I first ran this with a 9V battery, but I didn't want to worry about the battery dieing so I replaced it with a power jack.

I couldn't find this anywhere, so I did a bunch of measurements and testing to find the appropriate board size.  If you're curious, this is the size you need to fit the inside of this enclosure and match up with the built-in standoffs.

Print up a button cover label and apply.  Red is reset, green toggles C or F, and blue goes through min, max, and current measurements.

So, what good is the serial port?  Well, a program can easily query the device to get the readings.  A home automation system could use these values to trigger a heater, air conditioner, humidifier, or dehumidifier.  A server can use these values to send out warnings to an administrator if the server room gets too hot, too dry, or too wet.  Plus the serial port can be used to reprogram the chip.

The arduino has a built in USB-serial converter.  While playing with your arduino, this is an invaluable tool.  It is also the way that the arduino can be programmed without using the ICSP header.  But what if you want to pull that ATmega and put it on a custom board?

I asked that question because that's exactly what I want to do.  I want to make a small custom PCB for a single purpose.  The ATmega chip is a good candidate for this board (due to the number of I/O lines needed).  Since the ATmega has built in serial, and I wanted to enable serial communication anyway, I figured why not expose the build in serial and skip the ICSP header.

I ran into one major problem, everyone assumes you want to use a MAX232 (or equivalent) chip.  I don't have any laying around, and they consume a relatively large PCB footprint.  Routing the traces could also prove difficult (I didn't really examine the option).  I wanted cheap and small footprint that could easily be routed.  SparkFun has an excellent level shifter (https://www.sparkfun.com/products/133) based on the voltage stealing principal.  The sketch I created above is based on that level shifter.  I want the functionality on-board, not via a daughter board, so while the kit is useful, it's not useful here.  I examined their schematic and the board itself to break apart the various functions.

The capacitor is wired backwards on purpose.  The diode allows the capacitor to charge with a negative voltage that can then be used on the TX side.  The LEDs are purely informational and they are wired to light when the TTL levels go low.  The transistors are used to invert the TTL signals to RS232 "compliant" signals.  I tested this with a USB-Serial adapter cable and it worked.  My PC doesn't have a built-in serial, so I don't know if it will work with a true serial port.

This is VMware.  It is a partial screenshot showing nothing that can be deemed confidential.  Basically, I have a handful of these ProLiant servers running VMware.  Each physical server is equipped with 2 6-core Xeon and 60 GB of RAM and they connect to a 24-drive SAN that sustains about 500 MB/s of throughput for writing.  I love the flexibility granted with VMware.

Well, that setup ran 6-figures.  I wanted something similar at home, but I can't afford a 6-figure setup.

Enter Ubuntu and VirtualBox.  My home server is simply my old gaming PC with the video card removed.  Take a Core i7 (1st gen 950), add 24 GB of RAM (max for this board/cpu), add a 3ware RAID controller and some WD RE4 hard drives.  Ok, the hard drives are new, they used to be Velociraptors.

Ubuntu was installed using the "alternate" image.  This is a very limited install with Apache and PHP added for the management interface to VirtualBox.  I used to just run 1 Linux server, now I run 3 Linux servers and 1 Windows 2008 R2 server.  And you can see, I also have a test VM for Windows XP and another for Windows 7.  Overall, the server runs fairly cool and the CPU load hardly every spikes above 20%.

So the obvious question: why?

A) I wanted to run separate servers for separate purposes.  That way, each can be configured without affecting others.  Especially since one of those virtual servers is hosting minecraft for my nephews and needs to be updated/reconfigured more often then the others.

B) I did not want multiple physical servers.  From both a noise and power perspective, I definitely want fewer physical computers.

This is my initial motor control board.  Nice isn’t it?  I know, you’re saying, why not just use the motor shield with the Arduino?  Well, it uses too many pins.  And controlling the motor can tie up the processor for significant chunks of time.  Those “delay” function calls are hideous wastes of clock cycles that can be better used elsewhere.  If all you want to do is control a single stepper, or two regular low current motors, then the motor shield works great.  But what if you want to do a lot more?

The idea behind this board is that we use and ATtiny84 to control an L298 H-bridge to drive a stepper motor or a regular motor.  There are pins for a stop sensor and an encoder, both of which allow the tiny to “know” if the motor is actually moving or not.  I also make use of basic current limiting to only drive the motors with about 0.6 amps per channel, which seems to be the limit for this heat sink since it gets fairly warm.  Thru the headers, I also expose the SCL and SDA pins to allow two-wire communications with a master chip.  The voltage regulation is handled via the secondary board and all drive current runs thru several wires in the ribbon cable.  The design works, but obviously I’m not thrilled with some of the limitations I had to impose.

I fired up Fritzing and layed out a new PCB.  In theory, the 48 mil traces should be able to handle up to 3 amps each before overheating.  So all of the motor driving traces and the main “high” voltage and ground traces are all layed out in 48 mil.  R10 and R11 are both 0.5 ohm 1-watt sense resistors.  With this design, the current will be limited to about 1.2 amps and these resistors will be burning off about 0.6 watts each.  The L298 will also be buring off some wattage and the 7805 will produce a wee bit of heat as well.  They are all inline so that they can share one large heatsink.  I provided a header block to allow sharing the regulated 5V source with other boards.  Mostly, I added this section because I had a large empty area and figured “why not”.  The ICSP header is used for both programming the ATtiny84 and also communicating via the two-wire interface.

Once again, I used the Dell catalog paper and a clothes iron to do the transfer.  I am very impressed with the quality of the transfer I am getting with this method.  The etch went mostly good except there was apparently one small flaw in the transferred toner.  You can see the scratch in the finished product, but you can also see the imperfection a little in the toner transfer.  A little bit of solder and some strands of wire fixed this small problem, so all-in-all, everything seems to be going well.

The “silkscreen” transfer also went very well.  I lightly sanded the top surface before doing the transfer, which was only an option since I happen to be using single-sided PCB.  I couldn’t find any flaws in the silkscreen.  I did give it a light coating of clear coat before soldering the components on which gives the toner the nice dark “wet” look and gives the entire board a nice finish in the end product.

I did not salvage these components.  For one thing, I have plenty of parts that haven’t already been made to fit.  Aside from that, I really didn’t feel like de-soldering all the parts and untangling the wires.  So here is the semi-finished product.  R10 and R11 are slightly larger than I allotted for and actually sit into the heatsink area more than I had wanted.  I’ll make some changes to the PCB layout to give them a better fit.  R3 is wrapped with heat shrink tubing because I wasn’t 100% sure about my heatsink yet and didn’t want the exposed leg to short out.  R2 and R4 share a common hole with their respective jumpers and this led to a tight fit.  The hole could be drilled larger, or I could separate them slightly to have two holes instead of one.  In this picture, R2 and R4 are both 100 ohm, but in the finished product, they are 2.2k ohm.  I hadn’t realized at the time I drew up the PCB that I had created a voltage divider that would never allow EN1 or EN3 to be driven high.  On the original board I had used 1k ohm, but after doing the math I settled on 2.2k.  I could probably go much higher, but at 2.2k the enable pins should get around 3V and the transistors will get enough current to sink the other pins low.  Notice the nice dark silkscreen, clearcoat worked very nicely on this board.

I have done a few protoboards with the lovely point-to-point wiring.  My intelligent motor control board (not pictured below) is a lovely example.

This (as you may know) is my custom programming board for Atmel ATmega and ATtiny processors.  It's actually a very simple circuit overall, so I figured, what better to try a PCB with.

My chosen chemicals: peroxide and hydrochloric acid.  They're cheap and they work.  My transfer method: paper from a dell catalog.  My chosen design software: Fritzing.  I like Fritzing, it works fairly well.  The breadboard view is virtually un-usable once you hit a certain component density, but the PCB view works nicely.  Anyway, I created the circuit, printed it, ironed it onto the board, and then etched the board.

I think it came out really nice for my first try.  Ok, so now I dunk it into some tinning compound and then take it to the drill press.  A drunken monkey could have gotten straighter lines, but whatever, the holes are drilled.

Shiny.  Alright, looking good.  Now the fun part, desoldering all the parts off the old board.  I didn't need to.  Aside from the ZIF socket, I have plenty of spare parts.  But I don't like wasting them.

So with my reclaimed parts, I set about putting everything onto the new board.  You'll notice the power jack is smaller, I screwed up there.  Fritzing defaulted to a 3.5mm jack and I didn't catch it until the design was done.  I didn't feel like moving everything around to accommodate the larger jack, so I just used a 3.5mm jack instead.  Also, some of the "silkscreen" rubbed off while working with the board.  I repaired with permanent marker where I felt like it.

Bear with me while I rant about password security policies in websites.

Both of these password policies are bad.  Example 1 is a better policy than Example 2, but they are both bad.

In the old days, long before Windows and the Web, systems still needed security.  The controller of a company should have access to all financial data and the AP clerk should only have access to a small subset of the financial data related to accounts payable.  Without security, the AP clerk and controller would have the same level of access and bad things could happen.  So the designers of these systems created simple “User ID” + “Password” login mechanisms.  The controller had his login and the AP clerk had her login.  In these days, processing power and memory were at a premium.  The overhead of encryption was usually considered unnecessary.  So they stored the User IDs and Passwords in unencrypted form in a database of some sort.  Nobody could access the system except from one of their terminals, so this was adequately safe.

Now, let’s fast forward to today.  Computers have a lot more processing power and a lot more memory.  My primary servers are running multiple 6-core hyper-threaded processors with about 32 GB of memory per processor.  This is not your typical home computer environment, but this is a fairly typical server environment.  Even more so when you’re looking at database servers.  This is an important point in terms of security.  Notice, I don’t even take into consideration storage because that is a moot point.  Storage doesn’t matter when it comes to data security (for the most part).

Some developers don’t think too much about security.  And I believe web developers are the worst offenders.  Mostly because of how many web sites are designed insecurely every day.  They may design their own login and store your password in a plain text format.  If a hacker gains access to this database, they have instant access to all user passwords in this system.  This is why you should never use the same password on multiple systems.  If the developer thinks about it, they may encrypt the password before storing it.  This makes the password somewhat harder to gain access to, but not hard enough.  The server I discussed above would take a while to decrypt an encrypted password.  However, you throw in a few high end video cards for GPU computing and the time it takes to decrypt a password drops frighteningly.  In these cases, the passwords might as well not be encrypted at all.  This encryption can be thought of like the lock on your front door, it’s only there to keep honest people honest.  Do you want your bank storing your money behind a simple deadbolt or do you want it stored in a high end vault?

That’s why the above policies are bad.  They scream out that the password is being stored in either plain text or encrypted format.  The equivalent of either no lock or a simple pin and tumbler deadbolt.  The real indicator is the upper limit on length with the secondary indicator being the limitation on characters that you can use.

In the first example “8 to 30” characters could simply be stating a “hard” minimum and “soft” maximum.  They may not be storing the password; they may just want to minimize network traffic by limiting the maximum length.  This is fine, 30 characters is a relatively low maximum, but not horrible.  What is horrible is the character limitation.

In the second example “six to ten” characters is a “hard” minimum and a “hard” maximum.  This is not a method to save bandwidth.  This combined with the character limitations really indicates storage of the password in a recoverable format.

Minimum requirements are good.  They help keep stupid people from being too stupid.  I’m sure there are people who complain about the minimum requirements being too strict, I complain about the maximum requirements existing at all.

Ok, so maximum lengths indicate storage and that’s bad.  What about the character limitations?  When you submit a form online, your browser will either URL encode or Base64 encode the values you type in.  That means that you can type anything and the server will be able to receive it as it was typed.  Even if you use characters like ?, %, &, <, or > which are all considered special characters in the Web.  In the world of databases, characters like ‘, ;, %, and _ are all considered special.  The % and _ characters are special in filters while ‘ and ; are special in statements.  If a developer does not escape special characters prior to sending them to a database server, you can end up with broken statements.  This is one method hackers can use to gain access to a system.  Starting a value with ; or ‘; can easily expose a field being sent directly to the database.  Following the ; with a malicious statement can occasionally give the attacker access to the system.  That’s bad.  This is called SQL injection.  Anyplace where there are character limitations on the input field (aside from format related restrictions like a phone number that should only contain numbers), you have to worry.  If the dev was lazy, they may be missing processing somewhere and an attacker may gain access.

So storing passwords in a recoverable format is bad and sending unprocessed input is bad.  Here are a few solutions.

First, when working with a database, use parameters.  Somebody else spent a lot of time writing the code that processes parameters and formats their values in a safe way.

BAD:

“UPDATE [User] SET [Password]=’MyNewPassword’ WHERE [UserID]=’MyUserID’”

 FAIR:

@Password=’MyNewPassword’

@UserID=’MyUserID’

“UPDATE [User] SET [Password]=@Password WHERE [UserID]=@UserID”

 GOOD:

@PasswordHash=ComputeHash(‘MyNewPassword’)

@UserID=’MyUserID’

“UPDATE [User] SET [PasswordHash]=@PasswordHash WHERE [UserID]=@UserID”

Second, don’t store the password in a recoverable format.  You don’t need it.  The user can always reset later if they forgot it.  You should never send a password thru email, that’s just asking for trouble.  What you should store is a hashed password.  And not just a hash of the password, but a hash of the password with some value that only you (and your server) know.  This second value is known as a “salt” and causes the hash to vary wildly from the known hashes.  If someone figures out your “salt” value, they will be able to start cracking away at the passwords, but if they don’t they will have a very hard time.

I can’t go into details about hashing; it’s a complex mathematical process.  Google “SHA-1” if you’re really interested in the process.  Basically what hashing does is take any amount of data and converts it into a fixed size value.  One of the more common routines is “SHA-1” which will convert any amount of data from zero bytes to hundreds of terabytes into a value consisting of twenty bytes.  Those 20 bytes represent 160 bits of data.  There are 2^160 (or more than 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000) possible values for these 20 bytes.  The security is banked on this uniqueness.  It is possible for two values to generate the same hash, but very unlikely.  So instead of saying that your password is limited to 20 characters and storing the password in the database, you should be saying there is no upper limit on the password length and storing the 20-byte SHA-1 hash in the database.  There are actually much more secure algorithms, but the SHA-1 hash is many times better than storing the password itself in any recoverable form.  This SHA-1 hash would be similar to a bank's time-lock vault where they need the correct combination and key at the correct time of a specific date to open the lock on the vault.

Another advantage about hashes, you can expand them to hexadecimal to store in the database and know that they will never cause issues with SQL injection.  Here’s a brief example showing a lazy dev’s code and the result:

BAD:

“UPDATE [User] SET [Password]=’’; DELETE FROM [User];’ WHERE [UserID]=’MyUserID’”

The dev didn’t process the password and the first two characters of the supplied password will close the text value and end the first statement.  This will set all passwords in the User table to ‘’.  Then the server starts processing the rest of the password as the second statement and attempts to delete all the user’s from the User table.  Finally the server hits the rest of the original statement and throws an error.  However, the damage has already been done.

 FAIR:

@Password=’’’; DELETE FROM [User];’

@UserID=’MyUserID’

“UPDATE [User] SET [Password]=@Password WHERE [UserID]=@UserID”

The dev processed the password and the parameter processing further protects the database from malicious intent.  The user’s password is set to “’;DELETE FROM [User];” if it fits.  There should be no error, but the dev is storing the password and one misstep could cause problems.

 GOOD:

@PasswordHash=ComputeHash(‘’’;DELETE FROM [User];’)

@UserID=’MyUserID’

“UPDATE [User] SET [PasswordHash]=@PasswordHash WHERE [UserID]=@UserID”

Not only did the dev process the password, he also hashed it into a harmless value.  The user’s password is still set, but there is no chance of it ever causing problems in its stored format.

Hashes can still be used for enforcement of password history.  Your hashing algorithm will always compute the same hash for the user’s password.  When they try to change a password, you just compare the hashes (same as during a login event) to determine if they are reusing a password.

So, to sum up this incredibly long rant that started with my setting up an account with a bank, if you are a developer creating your own security system:

Don’t store passwords in plain text.

Don’t store passwords in a reversible encrypted format.

Don’t store passwords in any recoverable format.

Don’t limit the user’s ability to create insanely complex passwords.

Store a hashed value of the user’s password.

Add a salt value to the password before computing the hash.

Use more than one hash algorithm and combine the results to create a super hash.

Include the length of the password in the stored value.

See #1, #2, and #3 again.

If you can figure out the user’s password using the value you stored in your database, start over.

About a year ago, my brother-in-law introduced me to Arduino.  I have always been a coder.  Over the past 20+ years I've amassed several million lines of code.  For the first 10 years, it was entirely written in "vi", "edit", or "notepad".  Nothing graphical. No error correction, no intellisense.  None of that.  Anyways, getting off track here.

I have occasionally played with very basic electronic circuits over the past few decades.  When I attended college for engineering, one of the few classes I enjoyed was electrical engineering.  But I never really got into it fully.  About a year and half ago, my boss asks me to look into a project that would require some electronic circuitry.  I started playing with PIC's, happy for a change of pace, and then the project got cancelled.

Well, along comes my brother-in-law, doing some basic stuff with the Arduino.  I look at what he's playing with and start tinkering around with it myself.  (PS - kinda where the name comes from, see my "workshop" is actually my office and, with all the tinkering materials laying around, it's kind of a pit)

Me being me, I like to go deeper.  So once I got into Arduino, I wanted to go off on a tangent.  I bought a couple of ATtiny chips.  ATtiny84 and ATtiny85.  Originally, I programmed them using the Arduino as an ISP and the tiny on a breadboard.  Quickly, I went and made this shield.

The shield allows programming either ATtiny84 or ATtiny85 chips.  There is an LED hooked up to pin 3 on both that can be used for testing.  A major drawback is that you need to pull the chip to test it further (no access to the pins while on the board).  So I made another standalone programmer.

This one is compatible with ATtiny84, ATtiny85, and ATmega 168/328 processors (the same as on the Arduino).  It has a standard ICSP header to program with the Arduino or any ICSP programmer.  I also included a nice little voltage regulator block to provide nice stable 5V to the board.  Next to each processor is a set of headers to give access to the pins.  And I also put a 3-pin header next to each processor for a clock source.  The little board is a 16MHz crystal clock that can be put on any of these headers for the respective processor.

I drove down into Pittsburgh a couple weeks ago, pull into a parking garage, and see signs for "$5 event parking".  Huh, well I won't complain.  $5 to park in Pittsburgh for a day isn't bad at all.  When I go to Penguins games, I usually pay $20 for a few hours.  Anyway, I ask the attendant "so what event is going on"?  His reply "we got a duck".

I don't know if this makes national news or whatever, but if you haven't heard, apparently Pittsburgh (Pennsylvania) is the proud temporary home for this 40 foot "rubber duck".  So naturally, I had to go down to the point and snap a picture.

Ahh, MSSQL is such a nice database.  Fairly fast and responsive.  And it allows you to make stupid mistakes without ever yelling at you.

Ok, really, it will complain if what you're doing is downright stupid.  But not when you're being lazy.  Let's go back in time.  I was young(er) and lazy(er).  I was charged with creating a fairly complex database.  In the end I ended up with somewhere around 75 tables and about twice as many views.  I thought it was a nice database.  The front end sucked.  I was never good at those.  All-in-all it was a nice application driven by about 35k lines of VB code.  For the record, I dislike VB and much prefer C-style languages.

So now, flash back to the present with me.  I'm asked to update this (ancient) system.  They want a new flag to indicate a very specific situation.  Ok, no problem.  15 minutes later, the table has a new BIT field and the entry form has a new checkbox.  Everything is good with the world.  Until, later, when something broke.

Did I mention that I was lazy when I made this system?  Well I was.  In several (many) views I had used the magical * selector to bring in all the fields from a base table and then appended more fields from other tables to make the data more usable.  Standard stuff.  Anyway, when you insert a field at the end of a table, that field gets included in the * in views.  Makes sense.  However, MSSQL likes to "compile" views to make them faster and the view doesn't know there's a new field in the middle of the results.

In this case, a text field was bumped out of the way and replaced with a bit field.  And every field after that was also bumped, but they all carried the original name.  So now I have a whole slew of fields with the wrong data type and wrong values.  The view crashes and the users get errors.  Very informative errors too I might add (did I mention I was lazy).

So the fix... Simply alter the views with the exact same SQL used to create them.  This forces MSSQL to re-compile the view and then they work.  However, this is where it gets real fun.  What other views might use this view as a source? And how big is the tree of views that need to be recreated?  One solution is to just recompile all of them and be done with it.  But only if you do it in the right order.

I was happily working at one of my remote offices.  My VPN WAN was working beautifully.  I had full access to the corporate office.  Then, about an hour into the day, everything seems to be going slow.  So it’s time to diagnose the internet connection.  Connectivity is there, so let’s check the speed.  Download looks good, right about where you’d expect for an office in a rural area (about 2.8 Mbps).  Upload appears stalled, no wait, we are managing 0.003 Mbps.  That’s 3 kbps, or roughly 1/10 the speed of dial up.

The next step is to see if it’s a memory issue in the modem or firewall.  Even though these devices would benefit from ECC RAM, no manufacturer is willing to increase costs on a mainstream device.  So they use non-ECC RAM, which can get corrupted and simple reboot will generally clear the corruption.  Basically, the same reason you should reboot your PC from time to time.  So I visit the telecom wall in this office.  Disconnect the power from both the firewall and the modem.  Give them a few seconds, then reconnect the power and ... well this is new.

A solid orange (amber) status LED.  I’ve had a half dozen of these boxes running for the past six years or so.  I have never had a hardware malfunction until today.  This is not good, I need to access the corporate SQL server and manipulate data for the higher ups.  This firewall needs fixed NOW.  I have no spares, and no local retailer would carry a replacement.  Cisco’s solution is to RMA the device or replace it, if the device is out of warranty.  Neither option works for me.  The device is out of warranty and I wouldn’t want to wait for mail-in service anyway.

The status LED is incredible informative.  Since hooking up a serial monitor shows no boot, it means that the CPU is not even trying to run the BIOS.  On PCs, I’d lean towards memory issues.  Although, PCs would also generally either give you a beep code or use multiple status LEDs to tell you it might be the memory.  So we’ll try memory here too since the ASA is basically a single-purpose PC.

So I take the three screws out of the bottom and pop the cover.  The memory is just sitting at the front of the box in a standard DDR socket.

The picture was actually taken with new memory, but you get the idea.  This is DDR-1.  Old stuff.  Luckily, I have other old stuff lying around.  A Dell OptiPlex GX270 is sitting there with blown out caps on the motherboard.  It was a common death for that series.  But the memory was still good, and the memory happened to be DDR-1 333, same as the ASA.  So I borrow a 256 MB stick of memory and swap it into the ASA.  The ASA boots up nicely, none the wiser that it is running different RAM.  The VPNs re-establish and I’m able to talk to corporate again.

So, the moral of the story?  Don’t throw stuff away.  Actually, if you get the orange LED on an ASA, don’t bother calling Cisco, just find an old PC and borrow some memory for a quick test.  If that works, you can then go about replacing it with a Cisco certified stick of RAM if you feel inclined.

2013-10-15: Update