Jason

Developer Job Board

Genius Pool

I’m pleased to announce the Genius Pool job board. This is a new job board for connecting companies to job seekers. With the connection to the 5by5 podcast network, making sure your job opportunity is in the ears of qualified applicants has never been easier. Why’s that? If you’re looking for a Ruby or Rails developer, what better spot is there than The Ruby Show? The same applies to The Dev Show. You can also be assured that whoever is applying has an impeccable sense of humor and taste.

So check it out if you get a moment or follow Genius Pool on Twitter for new job postings as they get posted. I’ll be doing some blog posts in the coming weeks about the process of launching your own project as well.

80s Me


This fantastic image courtesy of Peter Cooper.

On Passwords

On a recent episode of The Dev Show Dan and I talked about passwords. In particular, the topic of password hashing came up. I’d like to say up front that I’m not a security guy and most definitely not a cryptographer. However, I don’t have to be because there are much smarter people who have already done a lot of work on encryption schemes and have done it much better than I ever could.

Spaceballs. Above: discussion of best practices in passwords.

This should go without saying: you shouldn’t be storing passwords in plain text in your database. Store a salted hash of the password instead; the only reason to keep a password in recoverable form is if you genuinely need to retrieve it later, and almost no application does. Thomas Ptacek, a very highly respected security professional, explains all you need to know about passwords in this blog post. I’ll save you the trouble of reading the whole thing: just use bcrypt. It is not an encryption scheme but a salted, deliberately slow hash, and those two properties matter for two separate reasons. The per-password salt means two users with the same password get different hashes, so a precomputed rainbow table is useless against the database. The tunable cost means every guess in a dictionary or brute-force attack is expensive, so even an attacker who has stolen the database (and therefore knows the salts) gets through far fewer candidates per second than against MD5 or SHA1. See that blog post linked for much more information and a thorough explanation.

Just how much longer does it take to generate? The following is a quick Ruby program I whipped up to benchmark. It hashes the same password 50 times with each scheme. The following was how long it took to run on my MacBook using Ruby 1.9.1-p378. You can grab the script here if you’d like to run it locally. It contains absolutely no tests, which makes my inner Corey Haines frown:

  Password to hash: password
                    user     system      total        real
  MD5           0.000000   0.000000   0.000000 (  0.001443)
  SHA1          0.000000   0.000000   0.000000 (  0.001679)
  SHA256        0.000000   0.000000   0.000000 (  0.001308)
  bcrypt (3)    0.080000   0.000000   0.080000 (  0.086532)
  bcrypt (10)   4.550000   0.010000   4.560000 (  4.601996)

The (3) and (10) are the bcrypt "cost" parameter. Fifty hashes in 4.6 seconds works out to roughly 90 ms per hash at cost 10 on that laptop: unnoticeable on a single login, but it is exactly what makes an offline guessing attack against stolen hashes slow. The documentation for the bcrypt gem summarizes the cost parameter very well:

Takes an optional :cost option, which is a logarithmic variable which determines how computationally expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3). The higher the :cost the harder it becomes for attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check users’ passwords.
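As an added example (not the post’s benchmark script and not the bcrypt gem’s code), here is a small Ruby program that shows the two properties the post attributes to bcrypt: a per-password salt, which defeats precomputed tables, and a tunable cost, which makes each guess expensive. It uses PBKDF2-HMAC-SHA256 from Ruby’s OpenSSL standard library instead of bcrypt so it runs without installing a gem; the SlowPasswordHash module, its storage format and the four-entry list of common passwords are all constructed for the example. Next to it, an unsalted MD5 store is cracked by a precomputed table, which is the failure the salt prevents.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
require 'benchmark'

# Stored-string layout, modelled on bcrypt's "$2a$10$<salt><hash>": the cost
# and the salt travel with the hash, so verification needs no other input.
#   pbkdf2-sha256$<iterations>$<salt hex>$<derived key hex>
module SlowPasswordHash
  ALGORITHM = 'pbkdf2-sha256'
  KEY_BYTES = 32

  # Fresh random 16-byte salt per password; iterations is the cost knob.
  def self.create(password, iterations: 100_000)
    salt = SecureRandom.random_bytes(16)
    dk   = derive(password, salt, iterations)
    [ALGORITHM, iterations, salt.unpack1('H*'), dk.unpack1('H*')].join('$')
  end

  # Re-derive with the stored salt and cost, then compare in constant time so
  # the comparison does not leak how many leading bytes matched.
  def self.verify?(password, stored)
    algorithm, iterations, salt_hex, dk_hex = stored.to_s.split('$', 4)
    return false unless algorithm == ALGORITHM && iterations.to_i.positive?
    candidate = derive(password, [salt_hex].pack('H*'), iterations.to_i)
    constant_time_equal?(candidate, [dk_hex].pack('H*'))
  end

  def self.derive(password, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES, 'sha256')
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Unsalted MD5, as several of the projects listed below use by default.
def unsalted_md5(password)
  Digest::MD5.hexdigest(password)
end

# A rainbow table in miniature: a constructed list of common passwords,
# precomputed once and reusable against every site that stores unsalted MD5.
COMMON_PASSWORDS = %w[password 123456 letmein qwerty].freeze
MD5_TABLE = COMMON_PASSWORDS.each_with_object({}) { |pw, h| h[unsalted_md5(pw)] = pw }.freeze

def crack_unsalted(md5_hex)
  MD5_TABLE[md5_hex] # nil when the hash is not in the table
end

# Cost scaling: doubling the iteration count roughly doubles the time per
# hash, the same "one cost step = twice the work" relationship the bcrypt
# gem documents for its logarithmic :cost.
def time_per_hash(password, iterations)
  Benchmark.realtime { SlowPasswordHash.create(password, iterations: iterations) }
end

if __FILE__ == $PROGRAM_NAME
  stored = SlowPasswordHash.create('password')
  puts stored
  puts "verify correct: #{SlowPasswordHash.verify?('password', stored)}"
  puts "verify wrong:   #{SlowPasswordHash.verify?('Password', stored)}"
  puts "table lookup of unsalted md5('password'): #{crack_unsalted(unsalted_md5('password')).inspect}"
  [10_000, 20_000, 40_000].each { |n| printf("%6d iterations: %.4fs\n", n, time_per_hash('password', n)) }
end
```

In a real application you would use the bcrypt gem (BCrypt::Password.create with a :cost, and BCrypt::Password.new(stored) == password to verify), which embeds cost and salt in the stored string in the same way; the structure is the point here, not the particular KDF.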

But I’m getting off topic. The reason I wanted to write this post was to compile a list of popular open source software and see what kind of password hashing schemes they use. Here’s the list I’ve compiled so far:

  • Django
    Hashing scheme: SHA1, MD5, or crypt
    Notes: Previous Django versions, such as 0.90, used simple MD5 hashes without password salts. For backwards compatibility, those are still supported; they’ll be converted automatically to the new style the first time check_password() works correctly for a given user. More info:
    http://docs.djangoproject.com/en/dev/topics/auth/
    http://docs.python.org/library/crypt.html

  • MySQL
    Hashing scheme: Double SHA1 (unsalted)

  • WordPress
    Hashing scheme: PHPass
    Notes: The awkwardly named PHPass library defaults to bcrypt (awesome) and falls back to DES or MD5 based salted hashes depending on the PHP version and supported features. WordPress itself constructs it in "portable" mode, though, so the hashes WordPress actually stores are the MD5-based variant (the $P$ prefix) rather than bcrypt.

  • Expression Engine
    Hashing scheme: SHA1

  • Joomla
    Hashing scheme: MD5

  • phpBB
    Hashing scheme: Proprietary hash method using /dev/urandom and md5

  • ASP.Net Authentication
    Hashing scheme: Uses a concept of "providers".
    Notes: There’s a BCrypt open source option available.

  • Rails: restful-authentication
    Hashing scheme: SHA1
    Notes: This was the de facto standard for a long time in the Rails world as far as authentication goes. Changing the hashing scheme in an application would be a relatively painless process.

  • Rails: Authlogic
    Hashing scheme: bcrypt, aes256, md5, sha1, sha256, sha512 (aes256 is reversible encryption rather than a hash)
    Notes: This is configurable to any of the listed options. Default is SHA512. The author doesn’t recommend using MD5 or SHA1 in the README but provides the options for migration and compatibility. How awesome is that?

  • Drupal
    Hashing scheme: MD5 by default
    Notes: Christefano points out in the comments that MD5 is used by default but PHPass and AES are available via third party modules.

If you don’t see your favorite software here, either leave it in the comments or contact me and I’ll add it to the list. These are in no particular order, so I’m not trying to favor anything in particular (though we all know I’m mostly a Ruby developer).

Rails Reminder: DATE_FORMATS

A friend of mine recently asked me about adding time formats to Rails apps. It’s not completely intuitive how to add new "default" symbols for date and time formats or how to get a list of the built-in ones. The API lists the built-in constants under DATE_FORMATS but it’s a bit difficult to read on that page. Here’s a link to the current stable version of the Rails time formats: rails/activesupport/lib/active_support/core_ext/time/conversions.rb. New formats are plain strftime format strings (or Procs) added to those hashes. Note that Date and Time each have their own DATE_FORMATS hash, so a format with hours and minutes in it belongs in the Time hash: Date#to_s won’t find it and a Date has no time of day to print anyway.

# Rails 2.x constant paths, as on the linked conversions.rb. Rails 3 and later
# expose the same hashes as Date::DATE_FORMATS and Time::DATE_FORMATS; the
# merge! calls are otherwise identical.
ActiveSupport::CoreExtensions::Date::Conversions::DATE_FORMATS.merge!({
  :end_date => "%B %d, %Y"                # e.g. "April 09, 2003"
})
 
# :quick carries a time of day, so it goes in the Time hash, which is the one
# model.created_at.to_s(:quick) consults.
ActiveSupport::CoreExtensions::Time::Conversions::DATE_FORMATS.merge!({
  :quick    => "%m %d, %Y at %I:%M %p",   # e.g. "04 09, 2003 at 08:56 AM"
  :job_list => "%B %d, %Y"
})

This lets you do something like <%= model.created_at.to_s(:quick) %> in your code (to_fs(:quick) in Rails 7 and later, where to_s(format) was retired).

And here’s the strftime options from the cheat page as a refresher:

  %a - The abbreviated weekday name (``Sun'')
  %A - The  full  weekday  name (``Sunday'')
  %b - The abbreviated month name (``Jan'')
  %B - The  full  month  name (``January'')
  %c - The preferred local date and time representation
  %d - Day of the month (01..31)
  %e - Day of the month without leading zeroes (1..31)
  %H - Hour of the day, 24-hour clock (00..23)
  %I - Hour of the day, 12-hour clock (01..12)
  %j - Day of the year (001..366)
  %k - Hour of the day, 24-hour clock w/o leading zeroes ( 0..23)
  %l - Hour of the day, 12-hour clock w/o leading zeroes ( 1..12)
  %m - Month of the year (01..12)
  %M - Minute of the hour (00..59)
  %p - Meridian indicator (``AM''  or  ``PM'')
  %P - Meridian indicator (``am''  or  ``pm'')
  %S - Second of the minute (00..60)
  %U - Week  number  of the current year,
          starting with the first Sunday as the first
          day of the first week (00..53)
  %W - Week  number  of the current year,
          starting with the first Monday as the first
          day of the first week (00..53)
  %w - Day of the week (Sunday is 0, 0..6)
  %x - Preferred representation for the date alone, no time
  %X - Preferred representation for the time alone, no date
  %y - Year without a century (00..99)
  %Y - Year with century
  %Z - Time zone name
  %z - Time zone expressed as a UTC offset (``-0400''; use %:z for ``-04:00'')
  %% - Literal ``%'' character
 
   t = Time.now
   t.strftime("Printed on %m/%d/%Y")   #=> "Printed on 04/09/2003"
   t.strftime("at %I:%M%p")            #=> "at 08:56AM"
   t.strftime("%e %B, %Y")             #=> "9 April, 2003"
   t.strftime("%Y-%m-%dT%H:%M:%S")     #=> "2003-04-09T08:56:07" (ISO 8601)

The preferred method for doing this is to add these in an initializer in your app. Something along the lines of config/initializers/my_time_formats.rb.
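As an added example (not Rails code and not from the original post), here is a standard-library replica of the lookup ActiveSupport performs in Time#to_s(format), so the mechanism can be run and tested without Rails. The DateFormatting module, its register/render names and the Time#to_fs shim are assumptions made for the example; Rails keeps the real table in Time::DATE_FORMATS. It goes a little beyond the post by registering Procs as well as strings, which ActiveSupport also accepts, to produce an ordinal day and a UTC-normalised timestamp suitable for logs.

```ruby
require 'time'

module DateFormatting
  # Each entry is a strftime string or a Proc taking the time object.
  DATE_FORMATS = {
    db:      '%Y-%m-%d %H:%M:%S',
    iso8601: '%Y-%m-%dT%H:%M:%S%z'
  }

  module_function

  # Equivalent of DATE_FORMATS.merge!(name => format) in an initializer.
  def register(name, format)
    DATE_FORMATS[name] = format
  end

  # Equivalent of Time#to_s(name): look the symbol up, then either call the
  # Proc or hand the string to strftime. Unknown names raise rather than
  # silently printing the default format.
  def render(time, name)
    spec = DATE_FORMATS.fetch(name) { raise ArgumentError, "unknown date format #{name.inspect}" }
    spec.respond_to?(:call) ? spec.call(time) : time.strftime(spec)
  end

  # 1 -> "1st", 22 -> "22nd", 13 -> "13th" (strftime has no ordinal day).
  def ordinalize(n)
    suffix = (11..13).cover?(n % 100) ? 'th' : { 1 => 'st', 2 => 'nd', 3 => 'rd' }.fetch(n % 10, 'th')
    "#{n}#{suffix}"
  end
end

# The equivalent of config/initializers/my_time_formats.rb: register every
# application format once, in one place, at boot.
DateFormatting.register(:quick,    '%m %d, %Y at %I:%M %p')
DateFormatting.register(:end_date, '%B %d, %Y')
DateFormatting.register(:job_list, '%B %d, %Y')
# Procs cover what strftime cannot: an ordinal day, and a log timestamp
# normalised to UTC so entries from servers in different zones sort and
# correlate correctly.
DateFormatting.register(:ordinal, ->(t) { t.strftime("%B #{DateFormatting.ordinalize(t.day)}, %Y") })
DateFormatting.register(:log_utc, ->(t) { t.getutc.strftime('%Y-%m-%dT%H:%M:%SZ') })

# Mirror the Rails call site: model.created_at.to_fs(:quick)
class Time
  def to_fs(name)
    DateFormatting.render(self, name)
  end
end

if __FILE__ == $PROGRAM_NAME
  t = Time.new(2003, 4, 9, 8, 56, 7, '-04:00')
  %i[db iso8601 quick end_date job_list ordinal log_utc].each do |name|
    printf("%-9s %s\n", name, t.to_fs(name))
  end
end
```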

Stand Up While You Read This!

The New York Times has an article up on standing while you work. People who sit all day without moving around much are at higher risk for medical problems typically associated with obesity. This includes doctors who even do the same job but just walk more during the day:

Just to underscore the point that you do have a choice: a study of junior doctors doing the same job, the same week, on identical wards found that some individuals walked four times farther than others at work each day. (No one in the study was overweight; but the “long-distance” doctors were thinner than the “short-distance” doctors.)

So part of the problem with sitting a lot is that you don’t use as much energy as those who spend more time on their feet. This makes it easier to gain weight, and makes you more prone to the health problems that fatness often brings.

Obviously it’s not the best idea to take medical advice from an opinion writer but I can personally attest to the benefits of sitting on an exercise ball throughout the day for work. In addition to building core muscles, for some reason it helps me focus more on coding.

Here are a couple of quick tips on choosing an exercise ball:

  • If you plan on working out with one, get a high quality one so you don’t have to fear having it burst. Duraball and TOGU Powerball Premium are high quality ones for that. The Chek Institute has a good DVD for a home workout as well.
  • If you plan on sitting on one while working, get one that’s the next size up from the recommended size for your height.

Using Concentrate for the Pomodoro Technique on OS X


Concentrate is a Mac-only app. It lets you do a number of things like block web sites, launch apps, play sounds, etc. Combinations of these things can be configured to run for varying amounts of time. I use it for the Pomodoro Technique when programming. Corey Haines introduced me to Tomatoist when I paired with him during one of his journeyman tours. While that site is awesome, I prefer using the Mac app to forcibly eliminate distractions.

The Pomodoro Technique

The root of the idea is that you program for 25 minutes straight and then break for 5 minutes. This seems like a pretty simple idea but when you’re working by yourself things can happen. For example, maybe you want to send a quick email to someone but want to refer to something in their Facebook account you can’t quite remember. So then you look it up. While looking it up you notice something else interesting by another one of your friends and the distractions start. By the end of the distractions you’ve ordered enough parts for a fully functional robot suit off eBay. If you only had 5 minutes to do this stuff, maybe that wouldn’t have happened.

Setting Up Concentrate

Concentrate New Task

Concentrate is actually a very simple application to use. Click on the “New Activity” button and set your options. I called mine "Program Pomodoro." It’s set to block any site that could potentially distract me, Growl a message, and play a sound on completion. The typical Pomodoro lasts 25 minutes, so drag the duration slider over until you see 25 minutes. Boom, good to go. Now you can’t look at anyone’s Facebook account or respond to any threads on Hacker News for a good 25 minutes. You’ll get to that during your break.

Concentrate Activities

The next task you’ll want to set up is the break. This is the most rewarding task. I just have this one Growl a message ("Get back to work!") and play a sound when it’s done. The duration slider should be set to 5 minutes.

Get To It!

That’s about it. It’s simple software and well worth the $30 to eliminate distractions. I use it only for those two techniques listed above and have been very happy. Special thanks to Corey Haines for introducing me to the Pomodoro technique.

8 Chrome Extensions For Web Developers (Mac too!)

I’ve been using Google Chrome as my default browser ever since 1Password came out with an extension for Chrome. The state of web browsing on the Mac still, unfortunately, leaves something to be desired. However, after using this full time for a little while I can say that I’m really liking it. As a web developer I have a need for good developer tools in a browser. For that, Firefox and Firebug will always be king of the hill. Daily browsing and light development in Chrome has been suiting my needs just fine.

The ability to have extensions is what really makes Chrome shine. It’s fast and nimble in OS X and I was able to recreate nearly everything I did in Firefox via extensions. The down side is that extensions don’t work on the latest stable build of Chrome. To use extensions you’ll need to get a beta or dev channel. In order to do that you can go here.

Eye Dropper
The Eye Dropper lets you click your mouse on an element to get its color in HSB, RGB, or Hex. This differs slightly from the Firefox extension in that there is a pop-up involved and you have to do one more click to get the correct color.

Firebug Lite
Firebug Lite is a not-as-fully-featured version of the very popular firebug extension. It’s fine for doing basic inspection of elements, though, and the built in console takes care of script running needs for basic experimentation.

FlashBlock
While Flash may be fine on PCs it makes the fan on my laptop spin like crazy. This is the equivalent of the FireFox extension and lets you whitelist sites as well. Browsing the web without flash is really a much more pleasant experience the majority of the time and the Flash files are only a click away if you want to load them.

MeasureIt!
MeasureIt! is a port of the same Firefox extension. It gives you a ruler that lets you draw a box around a portion of a page to get its width and height in pixels. It comes in pretty handy.

Sexy Undo Close Tab
This extension lets you re-open recently closed tabs. There’s another version called “Undo Closed Tab” but this one is obviously the sexier of the two which is why I use it. I mean, given the choice between sexy and non-sexy I think it’s a no-brainer.

Tab Menu
Tab Menu is a simple extension that gives you a drop down list of all currently open tabs. This is useful if you have a lot of tabs open and can’t see the titles. On one hand I wonder why this wasn’t included in the browser by default in some form. On the other hand I can completely understand their desire to not clutter the browser and I don’t imagine that the vast majority of people have that many tabs open.

RSS Subscription Extension
The RSS Subscription Extension automagically recognizes the RSS auto-discovery links and pops open a new tab to subscribe. I included this for developers because you’ll want to make sure those RSS auto-discovery tags are working. You could also make sure that it correctly subscribes in Google Reader and maybe take a few minutes off while you’re at it to read some feeds. Just saying.

SeoQuake
SeoQuake is also a port of the Firefox extension. It allows you to see a ton of info about a site including Google PageRank, Index, Delicious index, and more. I keep this disabled most of the time unless I really need it or want to see some information about a site.


Bonus Extensions

Chromelicious
Chromelicious is the best Chrome extension I’ve found for Delicious integration. The reason is that you can view your bookmarks in an unobtrusive way from a dropdown menu and actually search your bookmarks and filter them down via tags. It’s pretty handy.

Google Preview
The Google Preview extension inserts thumbnail images of Google searches in your search results. This is totally gratuitous for any real work but it makes search results look cleaner.

Adblock Plus
This is the equivalent of AdBlock Plus for FireFox. It’s not necessarily for development but it is much more pleasant to browse the web with.

Better Facebook Fixer
Facebook Fixer is actually a user script packaged up as an extension. You can do this at the Script2Chrome web site if you have any you want to convert. This extension makes the Facebook experience a bit more pleasant with options like hiding information from the right column, hiding 3rd party apps, and much more. This is a version of the Facebook Fixer extension with the JavaScript bundled locally instead of being fetched from another server, which also means the code you run is the code you installed rather than whatever that server happens to serve on a given day.


Mouse Gestures

Something I didn’t really touch on was mouse gestures. I use them heavily. For that I use a program called xGestures which will work in any application on OS X. I find that to also be an indispensable tool. As a bonus it supports rocker gestures. I use that to go to next and previous tabs in all applications. A rocker gesture means you hold down the right mouse button and click the left. If you bind this to the keystroke command + { as a global gesture it works in almost every app in Leopard. The other bracket (command + }) works as well. This is not a free program but it is well worth the price of admission!

Wrapping up, Chrome has come a long way, especially on the Mac. The developer version, for me at least, has been extremely stable and works well enough to be my daily browser. Check it out if you haven’t yet.

The Dev Show Episode 1

Dan Benjamin and I have launched a new podcast called The Dev Show. We aim to talk about new things in the programming community and point out things that may be of interest to developers. The first episode focuses on domain names, mongo db, javascript and a couple of other topics. Check it out!