Saturday, December 28, 2013

Gingerbread House Competition 2013

This year was open to anyone to submit a gingerbread house, so Agatha and I cooked up a little hut on stilts for the Hawaiian themed contest. I used the term cooked metaphorically because we really modified a kit and went from there. The only thing we made was icing (see below for secret recipe).

Agatha did all the best parts, like the water, tiki masks, palm trees, and decoration. All I did was construction.

Photo Album

I didn't think to take photos while I was at the contest, but I'll add competitors' houses here when I get them.

Sunday, December 08, 2013

Security Through Obscurity Analogy

I missed my November post, which had me thinking about productivity again. Going back through my notes on blog post ideas I always seem to come back to security.

To be honest, I don't like security. I'd much rather live in a perfect world where it wasn't necessary. On the other hand, the need for security drives innovation.

Poor guy is going to get made fun of by the geek community for the rest of his acting career, but my gf thinks he's cute and that's what matters to actors.
One of my favorite misunderstood security phrases is "security through obscurity". Even though it is what it sounds like, Hollywood has been known to misuse it (No Mr. Bond writers--I expect you to Google phrases before you use them).

As an IT guy working for smaller companies I've had the luxury of making practical use of security through obscurity. It comes down to the fact no one cares or knows my servers exist. Even if they did know about them there isn't anything on them worth the effort.

I'd imagine this is true for the majority of businesses, which is why only the big corporations with real secrets hire security experts. The rest of us are okay with patches from Microsoft and Canonical.

For years I've had conversations about the phrase. Eventually I started using an analogy, and then expanded on it.

Think of the idea of security through obscurity as an unlocked box filled with a million dollars somewhere in New York City. No one knows where the box is, what is in it, or even that it exists. The box is obscure. It is secured only by the fact that no one knows about it. If someone were to stumble upon it, they'd get a million dollars.

Now normal security practices might put a luggage lock on this box. If anyone stumbles on it they will see it's locked and move on unaware of the box's value. If this is analogous to the Internet there are now hundreds of thousands of boxes all over the city. Most filled with pocket change and not worth the effort to break the luggage lock. A mischievous person might break into a few boxes just to see if they can, but odds are they will get nothing of value out of it.

Of course, we could extend the analogy to include large corporations that have security experts to better secure their box (maybe a bullet proof master lock). Just like in the real world that will let people know there is something better in that box than the others. Perhaps this makes them a target, maybe it makes some steer clear... I couldn't say, I'm not a mischievous hacker.

All I can say for sure is the luggage lock that protects my worthless box that looks like the other millions of worthless boxes has always worked for me. I enjoy reading others weigh in on these kinds of topics, but when it comes down to it "security through obscurity" is what most of us use because in the grand scheme of things there isn't much worth protecting.

Actual actual reality: nobody cares about his secrets.
(Also, I would be hard-pressed to find that wrench for $5.)

Sunday, October 20, 2013

Length trumps complexity

The idea of password length trumping password complexity has been around since before "correcthorsebatterystaple", but lately it's been on my mind because I'm in a class that covers permutation and combination.

The idea can be misleading. While working out some stuff on a scratch pad the first thing I chose was a five character password comprised of only lower case letters. The math comes to

26^5 = 11.8 million unique passwords

Increasing the length by one creates 26x more unique passwords.

26^6 = 308.9 million unique passwords

But doubling the complexity creates 31x more unique passwords.

52^5 = 380.2 million unique passwords

What was my problem? The math seems simple enough, but the problem is I was only considering a simple case. The real world is a bit more complicated than lower case and upper case characters. (also, the interesting thing about exponents is they are exponential).

A better, more real world, example. Consider the complexity of an eight character password that could be made with lower case, upper case, digits, and 14 special characters. This gives 76 characters to pick from.
(26 + 26 + 10 + 14)^8 = 1.1 quadrillion unique passwords (short scale)

That's a lot of passwords. But to me that begs the question, "Well how long would it have to be to make 1.1 quadrillion passwords if it was made up of only lower case letters?" The answer is surprisingly short.

26^11 = 3.6 quadrillion unique passwords

We had to go to 11 characters because 26 to the power of 10 is only in the trillions. For three more characters I can make more passwords using only lower case letters. It's a neat little Sunday afternoon experiment, but is this important in any way?

My take away from this is that long simple passwords are going to be easier to remember and more secure. I'm a second year computer science major and have worked in IT for almost a decade, and I know it is easier for me to remember "icanhazpassword" than "P@sSw04d".

icanhazpassword = 26^15 = 1.7 sextillion possible passwords assuming the attacker knows it is only a lower case password.

P@sSw04d = 95^8 = 6.6 quadrillion, that is using all ASCII printable characters

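The keyspace arithmetic above (26^5, 52^5, 76^8, 26^11, 26^15 and 95^8) is easy to get wrong on a scratch pad, so here is the same reasoning as a small Python script. This is an added example and not code from the original post; the alphabet sizes are the ones the post uses, and `min_length_for` generalizes the "how long would a lower-case-only password have to be?" question to any alphabet and target keyspace. It uses exact integer arithmetic, so nothing is lost to rounding.

```python
import math

# Added example (not from the original post): the password keyspace the post
# reasons about is alphabet_size ** length. The constants below are the post's
# own alphabet sizes; "14 special characters" is the post's count, not a standard.
LOWER = 26            # a-z
UPPER = 26            # A-Z
DIGITS = 10           # 0-9
SPECIALS = 14         # the post's count of special characters
ASCII_PRINTABLE = 95  # every printable ASCII character, the post's 95^8 case


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace expressed in bits; each extra lower-case letter adds log2(26) ~ 4.7 bits."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, target: int) -> int:
    """Smallest length L such that alphabet_size ** L >= target (exact, no floating point)."""
    length = 0
    while alphabet_size ** length < target:
        length += 1
    return length


def times_larger(alphabet_size: int, length: int, other_alphabet: int, other_length: int) -> float:
    """How many times larger the first keyspace is than the second."""
    return keyspace(alphabet_size, length) / keyspace(other_alphabet, other_length)


if __name__ == "__main__":
    print(f"26^5  = {keyspace(LOWER, 5):,}")
    print(f"26^6  is {times_larger(LOWER, 6, LOWER, 5):.0f}x larger than 26^5")
    print(f"52^5  is {times_larger(LOWER + UPPER, 5, LOWER, 5):.0f}x larger than 26^5")

    full_alphabet = LOWER + UPPER + DIGITS + SPECIALS  # 76 symbols
    eight_full = keyspace(full_alphabet, 8)
    print(f"76^8  = {eight_full:,}")
    print(f"lower case only needs {min_length_for(LOWER, eight_full)} characters to exceed 76^8")

    print(f"26^15 = {keyspace(LOWER, 15):,} ({entropy_bits(LOWER, 15):.1f} bits)")
    print(f"95^8  = {keyspace(ASCII_PRINTABLE, 8):,} ({entropy_bits(ASCII_PRINTABLE, 8):.1f} bits)")
```

Running it prints the post's figures in full rather than rounded, and `min_length_for(26, 76**8)` confirms that 11 lower-case letters is the first length that beats an eight character password from 76 symbols.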
Which brings me to my point: do attackers even bother to check for lower case only? I don't remember the details (and the information is now buried in the Internet), but a while back when the bitcoin exchange was hacked a list of usernames and passwords made its rounds on the bitcoin forums (all dead links these days). My password was 10 characters long and was exposed, in plain text right next to my email. That's an eye opener for anyone. Granted my password was lower/upper and digits (no special characters) but there were plenty of other passwords on there that were more complex.

Now I can't go back and say for sure because I don't have the data, but it would make sense the cut off was length not complexity. Odds are they ran a dictionary attack to get all the easy passwords (mine would not have been picked up in a dictionary attack), then a brute force attack for anything else. Based on my password, the brute force attack looked for at least lower/upper and digit characters. Which makes me think even if my password was all lower case, but really long, an attacker isn't going to know to check only lower case. Just to be sure, I like to have something more than just lower case though, but knowing what I know now I don't go nuts with the complexity.

Side note: you look way cooler entering a 32 character password you know well than hunting and pecking for 8 characters and toggling the shift key.

Sunday, September 29, 2013

Bitcoin mining - Moving from GPUs to ASICs

Amazing mining rigs belong in crappy cases.

Application-specific integrated circuit, that's what ASIC stands for. I always have a hard time remembering, not only what it stands for but what order the letters go in (for some reason I always type ACSI). Bottom line is that it really doesn't matter when it comes to bitcoin mining (also, is Bitcoin supposed to be capitalized--maybe we need a consortium to answer these questions).

Recently I retired my two AMD Radeon HD 5830's because the difficulty has skyrocketed so high it's not worth the electricity to run them. I thought about switching them to litecoin, but wasn't happy with the way it worked. I've been easy on these cards. They always had a small overclock (10%), and I kept the intensity down to keep temperatures low. I decided longevity is better than higher speed, and they did a good job for a couple of years. Most recently I sold them on ebay for about half what I paid. Financially speaking these two video cards are the highest return on investment of anything I've ever done with money.

I mine on btcguild (who doesn't these days?), and when they started offering ASIC block erupters for bitcoins I jumped on it. Each one of these things mines faster than a 5830, and they use less electricity--far less. The fact I could buy them with bitcoins made the deal great.

The only downside was I had to spend real money on USB hubs (block erupters are USB devices), and without much thought I picked up a Satechi 12 port hub. To Satechi's credit, they have a great customer service department. Unfortunately this product was not so great. I fully expected the 2 amp DC converter not to power 10 block erupters and a fan, but this hub limits the power... not the converter. When I wired up my own 50 amp power converter I was still limited to the number of erupters that would run. Really, who buys a 12 port USB hub to run 12 low power devices? Lesson learned: there is a lot of great information in Amazon comments. Had I read them I would have purchased a hub that works the first time around. After leaving a 1 star product review, Satechi refunded the full cost including shipping of my order. That was even after I informed them I cut the power cable to make use of the DC jack with my other power converter. Not many companies I know would go to such lengths, so props to them.

What was the right hub? Fellow miners and Amazon reviewers agree that Anker makes the right hub for block erupters. They easily power 9 erupters and a fan (I'm really sad to say I broke one of my fan blades... be careful with those things--they are the delicate flowers they look like). Nine erupters per hub makes for almost 3Gh/s. Three hubs later I was mining at ~9Gh/s. Which felt like a lot until I realized difficulty was jumping up like crazy because I am one of thousands of miners moving to easy to acquire ASIC equipment.

As dumb luck would have it, right as the difficulty got so high that my 9Gh/s was bringing in as little coin as my two old video cards, I got an email from Butterfly Labs. The Jalapeno I ordered in February was shipped. It came a couple of days later in nicer packaging than I expected. They even included this coffee cup with a giant handle. Doesn't that handle seem giant? When I hold it my hand feels really far from the coffee.

This added ~7Gh/s to my mining efforts. No doubt after a jump or two in difficulty it will all be in vain.

Not to be a product review post, but the Jalapeno was much louder than I expected. In its favor, it is every bit as easy to mine with as a block erupter.

I managed to whip up a lame attempt at monitoring software. If you can call it software, it's just a website that grabs the RPC info from bfgminer. It's been a good learning experience as it is my first attempt with the Backbone framework. This has been my current side project, and hopefully it will get better as I find time to tinker with it.

Saturday, August 03, 2013

The End of Time

Thanks to everyone for the kind feedback about At Your Own Pace and especially to the contributors who pushed the project way beyond anything I could have done alone. It is flattering to be linked to by the comic.

Just because the comic ended doesn't mean we can't have any more fun with it. I realized I had all this data so I made a chart. It's not the greatest chart, but it can be zoomed in by clicking and dragging. Also the chart fills up the window, so the bigger the better (there are 3099 frames).

So what does it mean?

Hovering over each point will show some numbers. Here is an example from frame/point 1. Sorry the display is a little confusing.

(1, 37,411) Size: 4,322

Inside the parenthesis, the first number up to the first comma is the frame.

The second number is how much action that frame got according to Google Analytics during the month of July. If it is a large number, like this frame 1 example, the chart library is kind enough to throw in a confusing second comma. In this example frame 1 got 37,411 hits (that would be direct links to It should also be pointed out, frame numbers with four digits do not have a comma.

The Size: is the number of all time Yes votes the frame has received from the vote submission system. I almost deducted No votes, but that returned negative numbers I wasn't sure what to do with.

Bitly also records clicks and shares. I found their data difficult to work with in volume so it is not included on this chart.

Some of the data is predictable, but there are some interesting oddities.

The raw data, available on Google Docs, includes no votes. If anyone has an idea for a better chart or two (shouldn't be hard to get better than this) please share it. I'd like to see it too. I'll update the data in a couple of weeks, no doubt it will get interesting as Time goes on.

Saturday, May 25, 2013

AYOP Updates

All my blog posts have been about my At Your Own Pace project, but that's what sucks up most of my free time these days. Today I decided the acronym, AYOP, is pronounced a-ya-op (almost like awop but with a y instead of a w).

Big news today, the database version of the site is now the default. It was set up separately for testing and a number of people sent good feedback on it. It sucked much less than I expected. Now anyone can vote for frames to be special. I've also set up a section below the comic image that shows how many votes a frame has received and whether or not it is a debated frame. Currently there are only a few debated frames; 1503 and a couple in the low 1400's are the only ones I know of. They're subject to change as people vote.

Photo courtesy of my girlfriend who loves pink.
In addition to that, now there is a mobile site (that link works for desktop users too, but be warned you're going to see some huge stick figures). It's not much but it shows the comic at 100% width and has larger navigation buttons. I've only got two mobile devices to test it on, so it might not be great. Added bonus: it comes with massively reduced features; no preloading, no image difference, no auto play, no nifty panels that open and close.

The mobile redirect uses a script from, which is a nice service. I had no idea how to redirect for a mobile device and that was the first search result I found.

Finally, two new panels at the bottom that show all frames for the last 24 hours or the last week, for quick ketchup.

Wednesday, May 08, 2013

Lessons Learned on XKCD Time - At Your Own Pace

The frame showing when I started this post.
I started compiling a list of things I've learned from this XKCD At Your Own Pace project. Arguably I've learned more on this than what I learned last semester at school.

The number one lesson learned was an unexpected feeling. I know putting a project on Github is opening it up to the world to do with as it pleases. In my case it was this guy named MaPePeR. I'm somewhat ashamed to admit it now, but my very first thought was "Who's this guy fiddling with my code?" Then I started reading what he changed. My next thought was, "Holy crap all of Github must think I'm a newb," because the changes he made were great. They made sense and I learned something from them. I found I liked it. Social coding, who knew, right? I was so excited about it I made my own awful software license. It's bad, don't use it.

That was my big eye opener. I'm more attached to my code than I expected to be, but letting it go has been wonderful. The project is much better for it. I might have to dance with the shift key to type his Github handle, but MaPePeR is a good programmer. I'm glad to have his input.

Some random lessons
  • I should have called it "At Your Pace".
    • Because that's shorter and I keep typing it anyway.
    • Also AYP is a cooler acronym than AYOP.
  • I enjoy working with others. Bouncing ideas around, getting feedback. It's a fun way to "refactor" ideas quick.
  • Firefox is the pain-in-the-butt browser now (when you choose to ignore IE<=9).
  • Web Design, granted plenty more to learn here but I was surprised to get positive feedback from how the site looks.
  • Speaking of feedback, user feedback is awesome. Not only does it keep me interested in a project it's a wonderful source of unsolicited ideas.
    • The many "step" buttons was from user feedback, so was the linkable frame differences.
    • The play back at ludicrous speed was our idea, but everyone was thinking it.
    • We were able to troubleshoot a bug that only came up on Macs because of user feedback. Neither of us owns a Mac (okay, MaPePeR troubleshot the bug and I heard about it).

Frame showing when I finished this post
Things I've never had to use before now
  • Git merge, because no one forked my junk.
  • How to handle a merge conflict. I could really use more practice at this, but at least I've done it once.
  • Getting URL variables with Javascript.
    • Funny story, I was doing this with PHP and having the PHP write Javascript. Yeah that was like the first thing pointed out to me.
  • Preloading bunches of images (when necessary), okay I didn't write the script that made it happen, but I get why it's great now.
  • Bitly API was watching out for guys like me (see figure 1).
  • Google Analytics is cool (I like data, see figure 2).
    • particularly data hub activity (I can troll on a new level).

A list of things I never knew existed until I did this project and started working with other people.

figure 1 - I had a bug in the bitly link creation code.

figure 2 - Google Analytics
This is not a complete list, but it's a start.

Wednesday, April 10, 2013

Thanks Randall Munroe

I don't know you and you definitely don't know me, but I am a regular reader of your comic XKCD and your What If? blog. Thank you for helping me gain a little confidence.

Guess what day I posted it to

The Time comic has been all around interesting, but for me it's been exciting. It represents a crossroad of my mediocre coding skills and the XKCD fans. For the first time I am decent enough to produce a website people are using. This is the whole reason I started learning to code.

It's a project that has undergone a few changes since it gained popularity. The initial version didn't even use CSS. Aubron Wood's post helped me with the idea of how to grab the pictures. It also represents my first use of GitHub issues--a feature request for previous and next buttons!

I have intentionally chosen not to add ‘Like’ and ‘+1’ buttons because I am tired of seeing them all over the web. Some places make sense, but so many pages are cluttered with "share this".

I don't like to admit it, but I often don't have the confidence to post things for fear of ridicule. I know it’s silly, and it’s taken a long time to change my thinking to "who cares?" So I wanted to thank the creator of XKCD because he has motivated me to share something I did. That is, to step out of my humble comfort zone and show a little pride (yes, I am an Ultima fan). For the first time ever I have accounts on Reddit and Hacker News. My project has earned a few thumbs down ratings, but the feedback from folks who use it has been a wonderful experience.

Update: April 13, 2013
I got a few more hits than my usual 2 or 3 per month on this one, so here is some more about this project.

There is a log file that gets made from the cronjob and bitly (that's new) url shortener code. Some pretty good oops'es in there.

This is the data file that holds the list of images.

And this is the bitly data file, admittedly not interesting, but if you ever need to prove someone has used a space separated value file, there it is.

Tuesday, March 26, 2013

Acronis Bootable Agent Management Console frustration (ctrl+m is the answer)

I decided a long time ago my blog is here to help me and whoever shows up (both of you). This morning I have been reminded of something that is annoying about Acronis' recovery disc and I spent all of five frustrating minutes looking up things I've looked up before.

I've whined about Acronis before, and overall I am satisfied with their business products. In my opinion they get the hard parts of backup and recovery done so well that the shortcomings of their UI are more noticeable. Here is a short list of my complaints with Acronis Bootable Agent Management Console.

  • Tabbing through text boxes doesn't always show a flashing cursor, so I have no idea where I am
  • Tab navigation doesn't make sense on some screens.
  • Tab navigation doesn't scroll the screen (and most of the time I'm in recover mode the screen is 1024x768 or less)
  • Not all menu items are accessible with the keyboard
That last one is solvable through a lame implementation of using the mouse through the keyboard, but it creates its own list of nitpicks. I end up in the recovery console without mouse support regularly enough that it becomes annoying, but I never remember ctrl+m. That's why it's so big: next time I can't remember it I can come here and find it in less time than looking it up from scratch.

Tuesday, February 26, 2013

The Date Command... I mean Environmental Variable

It clicked for me how the date command environmental variable works in Windows. Seems like such a simple idea, and for all the information on the Internet about it no one explains it like this (at least not that I've found). Most only show what to type to get a desired result.

Let's say you run md %date:~10,4% from a command prompt. You just made a folder named 2013. Unless you run that same command a year from now, then you'll make a folder named 2014. This can get complicated quick. Consider:
This is a file at "z:\logs\2013-02-26_Server1.txt". Well, for today anyway.

At its simplest you can copy and paste what you need below (why not, that's what the rest of the Internet tells you to do--if you want to know why these work don't skip the last section).
  • Four Digit Year     %Date:~-4,4%
  • Two Digit Month    %Date:~-10,2%
  • Two digit Day      %Date:~7,2%
Note that in the considered example these chunks of text are separated by dashes '-' which is what makes the date look the way it does. Without them it would just be a jumble of numbers, 20130226, which is a personal preference. You could use slashes '/' if this didn't deal with a file name (slashes are invalid characters for a file name).

%Inside the Percent Symbols%

For those of us that like to know why things work, open a dos prompt and type date /t. The output will be something like this:
Tue 02/26/2013
Calling %Date:~-4,4%, which can also be done from the command prompt by typing echo %Date:~-4,4%, will return the last four digits of the above date string. Negative 4 means to start four places from the end, then the 4 tells it to go four places to the right: which is where the year is kept. %Date:~10,4% will return the same thing, the difference is the command starts from the left, moves 10 places to the right, then grabs the next four places. The same is true for the month and day.

You can return anything in that 14 character string; we only exclude the slashes in file operations because of name limitations. For kicks you could run echo %Date:~1,6% from the command prompt to get back "ue 02/2", if you had a need for that for whatever reason. Note the first place in the string is 0 not 1. To get the three letter day of the week would require echo %Date:~0,3%.

If you want to learn more, search results may be misleading when you look for help with "dos date"; try a search on terms like "dos string manipulation". That pointed me in the right direction.

Bonus: Why am I using some goofy date format?

It's sortable.

Let's face it, Month/Day/Year just doesn't make sense. It's out of order. I could see an argument for Day/Month/Year, but that still lacks logical sortability.

EDIT: 2013-05-09 (see what I did there), It was pointed out to me there is a difference between the command date and the environmental variable %date%. This post deals with the environmental variable not the command.

Saturday, January 26, 2013

Gingerbread House Competition 2012

The annual gingerbread house contest was back in full force this year. The theme was haunted houses. My brother and I both had the idea to do a dry ice smoke effect (which was funny). This was the first year both houses were good; I'm glad the voting was left up to attendees of the family Christmas party.

He won the overall contest by a single vote. I feel I beat him on the engineering of the dry ice effect though. No doubt the victor deserves their win.

There are a few highlights posted below of the testing, construction and finished product, and the whole photo album (with a surprising number of bald spot shots) can be found here. There are a few pictures of the destruction in the album too, but the video better captures the explosions... I'll post that when I get a chance.

My Gingerbread House: Dr. Frankenstein attempts to summon the Christmas Spirit.

My Brother's house (and the winner).