Programming

What Employers Are Looking For in a Junior Rails Developer

I just published a post on the [Treehouse blog](http://blog.teamtreehouse.com) called What Employers Are Looking For in a Junior Rails Developer. Check it out! Or don’t. I’m not the boss of you.

Part of my job as the Ruby teacher for Treehouse is to stay on top of what employers are looking for when hiring people to fill Ruby and Rails positions. The landscape changes often but below are some of the trends that I’ve noticed. Having a willingness to learn, being able to embrace new technologies, staying motivated, and strong communication skills are important for any job. The following list focuses more on the technical side of things.


Rails 4, MySQL, and Emoji (Mysql2::Error: Incorrect string value error.)

You might think that you’re safe inserting most UTF-8 data into MySQL once you’ve specified that the charset is utf-8. Sadly, however, you’d be wrong. The problem is that MySQL’s utf8 character set stores at most 3 bytes per character in a VARCHAR column. Emoji characters, on the other hand, take up 4 bytes.

The solution is in two parts:

Change the encoding of your table and fields:

ALTER TABLE `[table]`
  CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_bin,
  MODIFY [column] VARCHAR(250)
    CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;

Tell the mysql2 adapter about it:

development:
  adapter: mysql2
  database: db
  username: 
  password:
  encoding: utf8mb4
  collation: utf8mb4_unicode_ci

Hope this helps someone!

Installing Ruby, Rails, and MySQL on Mac OS X Lion

This is a quick heads-up! I have a blog post up on the Think Vitamin blog on installing Ruby, Rails, and MySQL on Mac OS X Lion. The instructions will also work on Snow Leopard (sorry Leopard users) and it walks through setting up gcc, homebrew, git, and mysql. It also uses RVM to install the latest release of Ruby. Check it out.

Automatically updating your IP with DNSimple


I’ve been using DNSimple for a lot of my domain hosting lately. It’s a great service and I highly recommend checking them out for domain hosting. Recently I went out of town but wanted some way to be able to SSH home if I needed to. Luckily, DNSimple has a nice REST API that lets me update records easily. I created a "home" record for one of my domains and created a script to auto update:

#!/bin/bash

LOGIN=""
PASSWORD=""
DOMAIN_ID=""
RECORD_ID=""
# icanhazip returns the public IP followed by a newline; $(...) strips it
IP="$(curl -s http://icanhazip.com/)"

# PUT the new IP into the existing record via the DNSimple REST API
curl -H "Accept: application/json" \
     --basic -u "$LOGIN:$PASSWORD" \
     -H "Content-Type: application/json" \
     -i -X PUT "https://DNSimple.com/domains/$DOMAIN_ID/records/$RECORD_ID.json" \
     -d "{\"record\":{\"content\":\"$IP\"}}"

It uses the awesome new jsonip service to grab your IP. It then does a quick sed parsing on that output to grab just your IP. Finally it does a PUT to the record in DNSimple, updating it with the new information. You must have already created a record and domain in order for this to work. I saved this script as dnsimple_update.sh in my ~/bin directory.

Fill in your login and password credentials (or set some environment variables) and domain and record ids and you’re good to go. You can get your domain and record ids by hovering over the edit link in the advanced editor in DNSimple for the record you want and copying and pasting the domain and record ids.

Finally, I set it to run as a cronjob every 15 minutes:

# m h  dom mon dow   command
*/15 * * * * /home/my_user/bin/dnsimple_update.sh

This worked out very well and with some port forwarding on my home router I was able to ssh in to my home machines without any problems.

Update: Kristopher Murata gave a correction to the script in the comments since jsonip changed their format. Twice!! Thanks, Kris!

Textmate Next and Previous Tab Keys

If you’ve just upgraded to Revision 1616 of TextMate, you may be wondering why your next and previous file tab keys stopped working. The author of TextMate recently changed the next and previous file tab key shortcuts to the universal Mac application equivalents. Here it is in the release notes:

[CHANGED] Change next/previous file tab key equivalents to shift command [ and ]. This has become the de facto standard.

I tried to deal with this for a few days but that keyboard shortcut is just too ingrained in my brain. You can fix this, though, by going into your Keyboard preference pane, then the "Keyboard Shortcuts" tab. Under "Application Shortcuts" click the plus button, find TextMate, and add the following:

TextMate Keyboard Shortcuts

Voila. Fixed! Now you can get back to coding at the speed of thought.

On Passwords

On a recent episode of The Dev Show Dan and I talked about passwords. In particular, the topic of password hashing came up. I’d like to say up front that I’m not a security guy and most definitely not a cryptographer. However, I don’t have to be because there are much smarter people who have already done a lot of work on encryption schemes and have done it much better than I ever could.

Spaceballs Above: discussion of best practices in passwords.

This should go without saying: you shouldn’t be storing your passwords in plain text in your database. Unless you need to be able to retrieve the password later, it should be stored in the database in a hashed format. Thomas Ptacek, a very highly respected security professional, explains all you need to know about passwords in this blog post. I’ll save you the trouble of reading the whole thing: just use bcrypt as your hashing scheme. It’s the slowest to generate the hash. By virtue of being slow to generate, it would also take a very long time to perform a successful lookup using rainbow tables. See the linked blog post for much more information and a thorough explanation.

Just how much longer does it take to generate? The following is a quick Ruby program I whipped up to benchmark. It uses each hashing scheme to hash a password 50 times. The following was how long it took to run on my MacBook using ruby 1.9.1-p378. You can grab the script here if you’d like to run it locally. It contains absolutely no tests, which makes my inner Corey Haines frown:

  Password to hash: password
                    user     system      total        real
  MD5           0.000000   0.000000   0.000000 (  0.001443)
  SHA1          0.000000   0.000000   0.000000 (  0.001679)
  SHA256        0.000000   0.000000   0.000000 (  0.001308)
  bcrypt (3)    0.080000   0.000000   0.080000 (  0.086532)
  bcrypt (10)   4.550000   0.010000   4.560000 (  4.601996)

The difference between the (3) and (10) is the "cost" of generating the hash. The documentation for the bcrypt gem summarizes that very well:

Takes an optional :cost option, which is a logarithmic variable which determines how computationally expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3). The higher the :cost the harder it becomes for attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check users’ passwords.

But I’m getting off topic. The reason I wanted to write this post was to create a list of popular open source software and see what kind of password hashing schemes are in use. Here’s the list I’ve compiled so far:

  • Django
    Encryption Scheme: SHA1, MD5, or crypt
    Notes: Previous Django versions, such as 0.90, used simple MD5 hashes without password salts. For backwards compatibility, those are still supported; they’ll be converted automatically to the new style the first time check_password() works correctly for a given user. More info:
    http://docs.djangoproject.com/en/dev/topics/auth/
    http://docs.python.org/library/crypt.html

  • MySQL
    Encryption Scheme: Double SHA1

  • WordPress
    Encryption Scheme: PHPass
    Notes: The awkwardly named PHPass library defaults to bcrypt (awesome) and falls back to DES or MD5 based salted hashes depending on the PHP version and supported features.

  • Expression Engine
    Encryption Scheme: SHA1

  • Joomla
    Encryption Scheme: MD5

  • phpBB
    Encryption Scheme: Proprietary hash method using /dev/urandom and md5

  • ASP.Net Authentication
    Encryption Scheme: Uses a concept of "providers".
    Notes: There’s a BCrypt open source option available.

  • Rails: restful-authentication
    Encryption Scheme: SHA1
    Notes: This was the de facto standard for a long time in the Rails world as far as authentication goes. Changing the hashing scheme in an application would be a relatively painless process.

  • Rails: Authlogic
    Encryption Scheme: bcrypt, aes256, md5, sha1, sha256, sha512
    Notes: This is configurable to any of the listed options. Default is SHA512. The author doesn’t recommend using MD5 or SHA1 in the README but provides the options for migration and compatibility. How awesome is that?

  • Drupal
    Encryption Scheme: MD5 by default
    Notes: Christefano points out in the comments that MD5 is used by default but PHPass and AES are available via third party modules.

If you don’t see your favorite software here, either leave it in the comments or contact me and I’ll add it to the list. These are in no particular order, so I’m not trying to favor anything in particular (though we all know I’m mostly a Ruby developer).
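As an added example (not from the original post or from any of the projects listed), here is a stdlib-only Ruby sketch of the two ideas above: a salted hash whose cost factor is embedded in the stored string, in the role bcrypt’s :cost plays, and the Django-style upgrade of a legacy unsalted SHA1 hash the first time a user’s password checks out. It substitutes PBKDF2-HMAC-SHA256 from OpenSSL for bcrypt so it runs without the gem; the function names and the `$pbkdf2-sha256$...` storage format are made up for illustration.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Work factor, in the role bcrypt's :cost plays. It is written into every
# stored hash so it can be raised later and old hashes upgraded on login.
DEFAULT_ITERATIONS = 2**17

# Hypothetical storage format: "$pbkdf2-sha256$<iterations>$<salt>$<digest>".
def hash_password(password, iterations: DEFAULT_ITERATIONS)
  salt = SecureRandom.hex(16)
  "$pbkdf2-sha256$#{iterations}$#{salt}$#{derive(password, salt, iterations)}"
end

def derive(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: 32, hash: "sha256").unpack1("H*")
end

# Constant-time comparison so a mismatch does not leak where it occurred.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The legacy scheme several projects in the list used: unsalted SHA1 hex.
def legacy_sha1(password)
  Digest::SHA1.hexdigest(password)
end

# Returns [ok, replacement]; replacement is a fresh hash the caller should
# store when the password was right but the stored hash is legacy or stale.
def check_password(stored, password)
  unless stored.start_with?("$pbkdf2-sha256$")
    return [false, nil] unless secure_equal?(legacy_sha1(password), stored)
    return [true, hash_password(password)]   # upgrade at first successful login
  end
  _, _, iters, salt, digest = stored.split("$")
  iters = Integer(iters)
  return [false, nil] unless secure_equal?(derive(password, salt, iters), digest)
  [true, iters < DEFAULT_ITERATIONS ? hash_password(password) : nil]
end
```

Because the iteration count travels with the hash, raising DEFAULT_ITERATIONS later needs no schema change: every correct login against an older hash returns a replacement at the new cost.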

Using Concentrate for the Pomodoro Technique on OS X


Concentrate is a Mac-only app. It lets you do a number of things like block web sites, launch apps, play sounds, etc. Combinations of these things can be configured to go on for varying amounts of time. I use it for the Pomodoro Technique when programming. Corey Haines introduced me to Tomatoist when I paired with him during one of his journeyman tours. While that site is awesome, I prefer using the Mac app to forcibly eliminate distractions.

The Pomodoro Technique

The root of the idea is that you program for 25 minutes straight and then break for 5 minutes. This seems like a pretty simple idea but when you’re working by yourself things can happen. For example, maybe you want to send a quick email to someone but want to refer to something in their Facebook account you can’t quite remember. So then you look it up. While looking it up you notice something else interesting by another one of your friends and the distractions start. By the end of the distractions you’ve ordered enough parts for a fully functional robot suit off eBay. If you only had 5 minutes to do this stuff, maybe that wouldn’t have happened.

Setting Up Concentrate

Concentrate New Task

Concentrate is actually a very simple application to use. Click on the "New Activity" button and set your options. I called mine "Program Pomodoro." It’s set to block any site that could potentially distract me, Growl a message, and play a sound on completion. The typical Pomodoro technique lasts 25 minutes, so drag the duration slider over until you see 25 minutes. Boom, good to go. Now you can’t look at anyone’s Facebook account or respond to any threads on Hacker News for a good 25 minutes. You’ll get to that during your break.

Concentrate Activities

The next task you’ll want to set up is the break. This is the most rewarding task. I just have this one Growl a message ("Get back to work!") and play a sound when it’s done. The duration slider should be set to 5 minutes.

Get To It!

That’s about it. It’s simple software and well worth the $30 to eliminate distractions. I use it only for those two techniques listed above and have been very happy. Special thanks to Corey Haines for introducing me to the Pomodoro technique.