I’ve been using DNSimple for most a lot of my domain hosting lately. It’s a great service and I highly recommend checking them out for domain hosting. Recently I went out of town but wanted some way to be able to SSH home if I needed to. Luckily, DNSimple has a nice REST API that lets me update records easily. I created a "p;home" record for one of my domains and created a script to auto update:

#!/bin/bash
 
LOGIN=""
PASSWORD=""
DOMAIN_ID=""
RECORD_ID=""
IP=”`curl http://jsonip.com | grep -Eo ‘([0-9]{1,3}\.){3}[0-9]{1,3}’`”
 
curl -H "Accept: application/json" \
     --basic -u "$LOGIN:$PASSWORD" \
     -H "Content-Type: application/json" \
     -i -X PUT https://DNSimple.com/domains/$DOMAIN_ID/records/$RECORD_ID.json \
     -d {"record":{"content":"$IP"}}

It uses the awesome new jsonip service to grab your ip. It then does a quick sed parsing on that output to grab just your ip. Finally it does a put to the record in DNSimple updating it with the new information. You must have already created a record and domain in order for this to work. I saved this script as dnsimple_update.sh in my ~/bin directory.

Fill in your login and password credentials (or set some environment variables) and domain and record ids and you’re good to go. You can get your domain and record ids by hovering over the edit link in the advanced editor in DNSimple for the record you want and copying and pasting the domain and record ids.

Finally, I set it to run as a cronjob every 15 minutes:

# m h  dom mon dow   command
*/15 * * * * /home/my_user/bin/DNSimple_update.sh

This worked out very well and with some port forwarding on my home router I was able to ssh in to my home machines without any problems.

Update: Kristopher Murata gave a correction to the script in the comments since jsonip changed their format. Twice!! Thanks, Kris!

[CHANGED] Change next/previous file tab key equivalents to shift command [ and ]. This has become the de facto standard.

I tried to deal with this for a few days but that keyboard shortcut is just too ingrained in my brain. You can fix this, though, by going in to your Keyboard preference pane, then the "Keyboard Shortcuts" tab. Under "Application Shortcuts" click the plus button, find TextMate, and add the following:

Voila. Fixed! Now you can get back to coding at the speed of thought.

Above: discussion of best practices in passwords.

This should go without saying: you shouldn’t be storing your passwords in plain text in your database. Unless you need to be able to retrieve the password later, it should be stored in the database in a hashed format. Thomas Ptacek, a very highly respected security professional, explains all you need to know about passwords in this blog post. I’ll save you the trouble of reading the whole thing: just use bcrypt as your encryption scheme. It’s the slowest to generate the encrypted hash. By virtue of being slow to generate, it would also take a very long time to perform a successful lookup using rainbow tables. See that blog post linked for much more information and a thorough explanation.

Just how much longer does it take to generate? The following is a quick ruby program I whipped up to benchmark. It uses each encryption scheme to generate a password 50 times. The following was how long it took to run on my macbook using ruby 1.9.1-p378. You can grab the script here if you’d like to run it locally. It contains absolutely no tests which makes my inner Corey Haines frown:

  Password to hash: password
                    user     system      total        real
  MD5           0.000000   0.000000   0.000000 (  0.001443)
  SHA1          0.000000   0.000000   0.000000 (  0.001679)
  SHA256        0.000000   0.000000   0.000000 (  0.001308)
  bcrypt (3)    0.080000   0.000000   0.080000 (  0.086532)
  bcrypt (10)   4.550000   0.010000   4.560000 (  4.601996)

The differences between the (3) and (10) are the "cost" of generating the password. The documentation for the bcrypt gem summarizes that very well:

Takes an optional :cost option, which is a logarithmic variable which determines how computational expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3). The higher the :cost the harder it becomes for attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check users’ passwords.

But I’m getting off topic. The reason I wanted to write this post was to create a list of popular open source software and see what kind of passwords hashing schemes are in use. Here’s the list I’ve compiled so far:

• Django
  Encryption Scheme: SHA1, MD5, or crypt
  Notes: Previous Django versions, such as 0.90, used simple MD5 hashes without password salts. For backwards compatibility, those are still supported; they’ll be converted automatically to the new style the first time check_password() works correctly for a given user. More info:
  http://docs.djangoproject.com/en/dev/topics/auth/
  http://docs.python.org/library/crypt.html

• MySQL
  Encryption Scheme: Double SHA1

• WordPress
  Encryption Scheme: PHPass
  Notes The awkwardly named PHPass library defaults to bcrypt (awesome) and falls back to DES or MD5 based salted hashes depending on the php version and supported features.

• Expression Engine
  Encryption Scheme: SHA1

• Joomla
  Encryption Scheme: MD5

• phpBB
  Encryption Scheme: Proprietary hash method using /dev/urandom and md5

• ASP.Net Authentication
  Encryption Scheme: Uses a concept of "providers".
  Notes: There’s a BCrypt open source option available.

• Rails: restful-authentication
  Encryption Scheme: SHA1
  Notes: This was the defacto standard for a long time in the Rails world as far as authentication goes. Changing the encryption scheme in an application would be a relatively painless process.

• Rails: Authlogic
  Encryption Scheme: bcrypt, aes256, md5, sha1, sha256, sha512
  Notes: This is configurable to any of the listed options. Default is SHA512. The author doesn’t recommend using MD5 or SHA1 in the README but provides the options for migration and compaitiblity. How awesome is that?

• Drupal
  Encryption Scheme: MD5 by default
  Notes: Christefano points out in the comments that MD5 is used by default but PHPass and AES are available via third party modules.

If you don’t see your favorite software here, either leave it in the comments or contact me and I’ll add it to the list. These are in no particular order, so I’m not trying to favor anything in particular (though we all know I’m mostly a Ruby developer).

Concentrate is a Mac only app. It lets you do a number of things like block web sites, launch apps, play sounds, etc. Combinations of these things can be configured to go on for varying amounts of time. I use it for the Pomodoro Technique when programming. Corey Haines introduced me to Tomatoist when I paired with him during one of his journeyman tours. While that site is awesome, I prefer using the Mac app to force eliminate distractions.

The Pomodoro Technique

The root of the idea is that you program for 25 minutes straight and then break for 5 minutes. This seems like a pretty simple idea but when you’re working by yourself things can happen. For example, maybe you want to send a quick email to someone but want to refer to something in their Facebook account you can’t quite remember. So then you look it up. While looking it up you notice something else interesting by another one of your friends and the distractions start. By the end of the distractions you’ve ordered enough parts for a fully functional robot suit off eBay. If you only had 5 minutes to do this stuff, maybe that wouldn’t have happened.

Setting Up Concentrate

Concentrate is actually a very simple application to use. Click on the “New Activity Button” and set your options. I called mine "Program Pomodoro." It’s set to block any site that could potentially distract me, Growl a message, and play a sound on completion. The typical Pomodoro technique lasts 25 minutes so drag the location slider over until you see 25 minutes. Boom, good to go. Now you can’t look at anyone’s Facebook account or respond to any threads on hacker news for a good 25 minutes. You’ll get to that during your break.

The next task you’ll want to set up is the break. This is the most rewarding task. I just have this one Growl a message ("Get back to work!") and play a sound when it’s done. The duration slider should be set to 5 minutes.

Get To It!

That’s about it. It’s simple software and well worth the $30 to eliminate distractions. I use it only for those two techniques listed above and have been very happy. Special thanks to Corey Haines for introducing me to the Pomodoro technique.