Nelz's Blog

Last night I had an idea. I want to support the Occupy Wall Street movement, but I don’t have the time to actually fly out to NYC to sit with everyone. But, I do have enough discretionary cash around that I could buy the flight. Why not find someone (or several someones) how is either flexibly- or un-employed, and I can send them to represent both their voices as well as mine?

I went about casting a net on my Twitter account, and I already have two potential occupiers lined up. But, from that post I also received encouragement to scale this up and accept donations.

I’ve never done this before, but I signed up for an account on WePay. I am now accepting donations if anyone wants to add their support sending people to sit with the #OWS movement.

This blog post serves as a way of providing the social proof of who is behind the donation page. If you donate and you don’t like how your money got spent, I am the guy you’re going to come talk to.

So, if you want to help have your voice, as a part of the 99%, to be heard but you don’t have the time to spare, please consider donating.

At one point in my life, I was a volunteer Firefighter/EMT. During my time working in paramedicine, I learned a valuable concept: the pertinent negative.

Let’s say you’re examining someone who fell from a height. In your report you node that yes, they had a laceration on their hand. But it is also important to note that you examined them and found no evidence of any other broken limbs. Not noting your investigation into broken limbs could mean one of two things: either you didn’t check their limbs, or you did and found nothing of concern.

By noting the pertinent negative, you clear up that ambiguity.

I find this concept incredibly useful in software. Frequently, I need a pertinent negative to do my job well. (Did that script complete without errors, or did it not even run? In a report, a 0 entry tells me that the item did fit my search criteria and it had no requests. Etc.)

I have to say that this concept of pertinent negatives keenly reminds me of how important an ‘invention’ zero was.

I recently went to my second South by Southwest Interactive (SxSW or SxSWi) in Austin, TX. If you’re not familiar with the conference, it is a 5-day internet and technology subsection of the greater SXSW conference which also has Music and Film components.

SxSWi has a long history of being a great place for cutting-edge technology makers and creators to mingle and share ideas. I personally saw, felt, and benefited from this great tradition. However, people who have been attending the conference for more than 3 years say that it has changed substantially as its influence has been recognized, and there are continually growing populations of the ‘business-y’ (read ‘douchebag’) hangers-on: marketers, salespeople, and those I think of as ‘traders in idea derivatives’. (Luckily, for my part, I was able to find a tribe of people who are actually creative and engaged in what they do, so I was able to minimize my exposure to the unsavory, financially-motivated elements.)

But not fully. There are several blog posts I’m sure I could write about the interactions between ‘the Makers’ and ‘the Sellers’, but one aspect of our differences really calls out to me for comment: business cards.

Some people can be really, really intense about business cards. (Check out this guy.) In some business cultures, not treating the business card exchange with the proper respect can end up costing you potential partners.

My impression is that at SxSW, people think of business card dispensing as a quantity-over-quality proposition. Some members (with whom I am friends) of the “How Not to Be a Douchebag at SXSW” panel (2010, 2011) panel even give advanced warnings that there are people who approach business-card delivery in this manner.

The whole business card thing is so ripe for mockery that @scottyiseri and I created a fake ‘Angel Investment’ firm, just so we could give out the fake business cards you see at the top of the post. (I ended up dispensing these cards out to friends, so they could in turn use them as a way to avoid giving their actual information to someone who was being egregiously douche-y.)

But it wasn’t the blatant card-distributors that got to me, it was the nuanced ones. After one session, I ended up with a card from a recruiter from North Carolina, and another from a small-business efficiency consultant from New Jersey. These cards were handed to me while I was having actual, pertinent conversation about the session with the card-givers. Twenty minutes later in my hotel room I was tearing the cards up and throwing them away. I had zero need for these cards.

On the plane ride home I got to thinking about those cards. I realized that every single unwanted card that ended up in my possession was a symbol of laziness: my laziness in protecting my integrity. (And I’m pretty into my integrity.) If I have absolutely no interest in your business card, and have no intent of ever trying to contact you ever again, why accept the business card? (You may say ‘politeness’, but I don’t buy it, because any ‘good’ marketer will politely bully their way into your wallet if you give them the chance.)

Going forward I have a new resolution. I will no longer passively accept business cards, I will either actively accept (less likely) or actively reject (more likely) any business card that is offered to me.

Will you join me? (Why not?)

So, I go to check some traffic stats on one of my silly sites, and I find some wierd referrers:

Both of the the Bit.ly referrers (like “forexmarket”) just resolves to this URL “www.plus500.com/SiteNotAvailable.aspx”.

It’s just a stupid banner page with a big GIF built to look like an actual web page.

What the fuck is the point? Yah, I was interested enough to investigate it, but only forensically… There is no way I would ever do any business with this place.

The other thing that frustrates me is that Bit.ly let the redirect through, even though they know it’s a spammy thing. (A couple of weeks ago when I first found these types of referrers, I tried to follow the link, but Bit.ly warned me about not-above-board behavior of the link. Why no longer?)

Also, the landing page is using Google Analytics. Does this mean all the good tools that those of us who aren’t devil-spawn are being used by they outright shitheads? I guess I know the answer, even if it does hit me right in my idealism.

For the past few months I’ve been commuting from San Francisco to Palo Alto via CalTrain, which was the impetus for me to finally get a Translink card ClipperCard. (I actually got my card right at the tail end of stock of Translink-branded cards, just before they renamed the whole system. At that time you could either order the card from the website, which was an ineffectual joke, or you could cough up five bucks and get just get a new one at your local Walgreen’s, which is what I did.)

Not that I have a whole lot to hide nor do I wear a tinfoil hat, but every once in a while I like to do a personal audit of where my privacy could be (or is) getting invaded. So, I’ve been collecting informal data points about my experience with the ClipperCard, which is what leads to this post.

What They Expect

Here is my daily paper trail (all times are approximate):

• 0800: “tag on” an inbound #14 MUNI near Duboce & Mission
• 0810: “tag on” an outbound #47 MUNI near 11th & Mission
• 0840: “tag on” at the CalTrain station at 4th & King
• CalTrain conductor scans my ClipperCard on the 0844 Southbound train
• 0926: “tag off” in Palo Alto on the Southbound side of the tracks
• 1700: “tag on” at the CalTrain station in Palo Alto on the Northbound side of the tracks
• CalTrain conductor scans my ClipperCard on the 1706 Northbound train
• 1744: “tag off” at the CalTrain station at 4th & King
• 1746: “tag on” to an inbound #47 MUNI at 4th & King
• 1800: “tag on” to an outbound #14 MUNI at 11th & Mission

Ways to Mess With the System

1. I have a monthly pass for the CalTrain. I’ve realized that my pass doesn’t ever require that I tag on and tag off, as long as it responds appropriately to the on-train scanning by the conductors.
2. The only times I’ve gotten away without being scanned by a CalTrain conductor is when the train is packed to standing-room-only because of a baseball game in the city. You might be able to sneak past the conductors, but I wouldn’t count on it.
3. Similarly to CalTrain, I don’t really need to tag on to the MUNI busses, as long as my monthly pass resolves itself to a Fare Inspector. Most of the drivers will either look at you funny or explicitly require you to least flash your card by the reader. However, you can get a beep out of the readers by placing your card on the reader, but then removing it quickly. The reader realizes there’s some kind of card in front of it, but I’m assuming it can’t figure out exactly whose card is there, so it gives an error-sounding beep. This usually satisfies the drivers. (Only once in a month of doing this did a driver shame me into fully tagging the reader.)

What They Can (Still) Learn

If I didn’t take the pains to mess with my own data, you could have a pretty good idea that I live somewhere near Duboce & Mission and that I work somewhere in Palo Alto. With further analysis (and further data that I didn’t provide here), you could also notice that on alternating Wednesdays I don’t go to Palo Alto, but I seem to take the 14 to work somewhere in downtown, probably near 3rd and Mission.

I was able to mostly obfuscate my whereabouts with regard to the MUNI surface busses, except for the occasional pedantic driver. Plus, there’s a built-in obfuscation because they don’t require a tag off. However, this obfuscation doesn’t hold if you are trying to get into one of the underground stations downtown (or BART, for that matter).

For CalTrain, I was able to obfuscate the specific stops where I get on and off, but since my monthly pass is specifically identified as a Zone 1 (SF to San Bruno) to Zone 3 (Atherton to Sunnyvale) and I use “Limited” or “Express” lines (which only service certain stations), they can still get a general idea as to where I’m located.

Additionally, if you look at the records of the conductor scans, you’ll find that on my return trip I am repeatedly found within 2 or 3 scans of specific other customers. You might be able to deduce that since I am likely coming back from work, these other people are highly likely to be my coworkers. And if these people explicitly tagged on, there’s a high probability that you now know where I got on, even though I didn’t tag on myself.

Other (Potential) Problems With the System

To use the website to add cash in addition to the loaded passes, you had to do some configuration. I didn’t recognize it as a problem at the time, but it required that you have a valid credit/bank card. A friend of mine (who had to cut up her credit cards to pursue a debt-free lifestyle) said she was basically left by the wayside with regards to the ClipperCard and the benefits of its use. (Which is becoming, more an more, mandatory for monthly pass holders.) I do not know if this is still the case, but it sounds like something the ClipperCard implementers would do.

Another thing to keep in mind is that all my travel is also hooked up to my Credit Card via the ClipperCard website. You’d have to talk to other black-hat-ier people than I to learn how vulnerable the ClipperCard site is. (As a none-too-impressed end user of the website, I am sure the implementation has plenty of security holes.)

One last thing to keep in mind is who has access to your ride records. A co-worker said he was able to get a CSV file of all his ClipperCard tag ins, just by calling the Customer Service line and the rep running a quick query to get all his activity. This means the reps probably have access to everyone’s records at their whim. I have dealt with Customer Service at ClipperCard, and I’m sure it’d be pretty easy to socially engineer one of them into giving up a whole bunch of information.

Do I Care?

What does this all mean? Well, with a little bit of effort, you could figure out where I am likely to be at several points during the week. Why do I care about this? Imagine a universe where I am a vocal proponent of a measure that takes aim at MUNI drivers’ pay, and people within the union want to find me at some point to change my mind for me… Is my data easily obtainable, especially to those within the public transit system? I think so.

Conclusion

In this exercise, I’ve tried to show just how vulnerable your personal location data can be, and how it could be used to gain some further bits of knowledge about you.

In reality, the biggest risk to the average person in the ClipperCard system are the potential for a third-party (hacker) to get your credit card and personally-identifying information. A far smaller secondary risk is having your historical transit records and patterns made vulnerable, specifically because access to this information is a lot less regulated than access to your personal financial information.

At Widgetbox, I sometimes get to play around with interesting technologies that are outside of our regular stack. A couple of weeks ago, I was asked to use Google App Engine‘s Java environment (GAE/J) to prototype a resizing image proxy.

At first, I just developed the prototype in the default GAE/J Eclipse environment until I could deliver a functional POC. After finding the GAE/J capabilities more than adequate for what we wanted to do, I was challenged to bring the project into our standard IntelliJ + Maven development environment. For the rest of this post, I’ll share a couple of tips and tricks for getting your GAE/J project to operate in this environment.

Basic POM File

There’s some funny business and frustration around the Maven community’s adoption of GAE/J, but I’ll skip that part of the story for right now. What I found is that the maven-gae-plugin project is the best place to go to for help Mavenizing a GAE/J build.

I have to say that it’s not ‘use the archetype’ easy (their archetype failed for me), but with a bit of elbow-grease and rummaging through their documentation I was able to get a decent and functional POM file built. Here it is (with some of our proprietary information scrubbed to protect innocent servers):

 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.widgetbox</groupId>
   <artifactId>image-proxy-webapp</artifactId>
   <version>1.0-SNAPSHOT</version>
   <name>Widgetbox :: Image-Proxy :: Webapp</name>
   <packaging>war</packaging>
   <properties>
     <gae.version>1.3.0</gae.version>
     <gae.app.name>qa-image-proxy</gae.app.name>
   </properties>
   <dependencies>
     <dependency>
       <groupId>javax.jdo</groupId>
       <artifactId>jdo2-api</artifactId>
       <version>2.3-eb</version>
       <exclusions>
         <exclusion>
           <groupId>javax.transaction</groupId>
           <artifactId>transaction-api</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
     <dependency>
       <groupId>javax.transaction</groupId>
       <artifactId>jta</artifactId>
       <version>1.1</version>
     </dependency>
     <dependency>
       <groupId>com.google.appengine.orm</groupId>
       <artifactId>datanucleus-appengine</artifactId>
       <version>1.0.4.1</version>
     </dependency>
     <dependency>
       <groupId>org.datanucleus</groupId>
       <artifactId>datanucleus-core</artifactId>
       <version>1.1.5</version>
       <exclusions>
         <exclusion>
           <groupId>javax.transaction</groupId>
           <artifactId>transaction-api</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
     <dependency>
       <groupId>com.google.appengine</groupId>
       <artifactId>datanucleus-jpa</artifactId>
       <version>1.1.5</version>
       <scope>runtime</scope>
     </dependency>
     <dependency>
       <groupId>com.google.appengine</groupId>
       <artifactId>geronimo-jpa_3.0_spec</artifactId>
       <version>1.1.1</version>
       <scope>runtime</scope>
     </dependency>
     <dependency>
       <groupId>com.google.appengine</groupId>
       <artifactId>appengine-api-1.0-sdk</artifactId>
       <version>${gae.version}</version>
     </dependency>
   </dependencies>
   <build>
     <plugins>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
         <version>2.0.2</version>
         <configuration>
           <source>1.6</source>
           <target>1.6</target>
         </configuration>
       </plugin>
       <plugin>
         <groupId>net.kindleit</groupId>
         <artifactId>maven-gae-plugin</artifactId>
         <version>0.5.3</version>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-war-plugin</artifactId>
         <version>2.1-beta-1</version>
         <configuration>
           <filters>
             <filter>${project.build.directory}/version.properties</filter>
           </filters>
           <webResources>
             <resource>
               <directory>src/main/external</directory>
               <targetPath>WEB-INF</targetPath>
               <filtering>true</filtering>
             </resource>
           </webResources>
         </configuration>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-antrun-plugin</artifactId>
         <version>1.3</version>
         <executions>
           <execution>
             <phase>compile</phase>
             <configuration>
               <tasks>
                 <echo file="${project.build.directory}/version.properties">
                     friendlyversion=${project.version}
                 </echo>
                 <replace file="${project.build.directory}/version.properties" token="." value="-"/>
                 <replace file="${project.build.directory}/version.properties" token="SNAPSHOT" value="snapshot"/>
               </tasks>
             </configuration>
             <goals>
               <goal>run</goal>
             </goals>
           </execution>
         </executions>
       </plugin>
     </plugins>
   </build>
   <repositories>
     <repository>
       <id>maven-gae-plugin-repo</id>
       <name>maven-gae-plugin repository</name>
       <url>http://maven-gae-plugin.googlecode.com/svn/repository</url>
     </repository>
   </repositories>
   <pluginRepositories>
     <pluginRepository>
       <id>maven-gae-plugin-repo</id>
       <name>maven-gae-plugin repository</name>
       <url>http://maven-gae-plugin.googlecode.com/svn/repository</url>
     </pluginRepository>
   </pluginRepositories>
 </project>

(FYI, we’re not actively using any datastore functionality just yet, so if you are going to use this template please forgive me if those dependencies are a little bit wonky.)

Since Google hasn’t (yet) decided to publish their development environment in a Maven-friendly way, there’s a bit of dependency wonkiness involved in getting the maven-gae-plugin to work. I included the repository information required by the plugin (lines 121 – 134), but if you use a repository manager (like Nexus), you’ll want to remove those lines from the POM and add a proxy for the maven-gae-plugin’s repository.

To get the development environment working the plugin also requires access to the unzipped SDK as packaged by Google. The plugin tries to help you set this up (“gae:unpack”) but that failed for me. I was able to get stuff working by manually unzipping the SDK artifact downloaded directly from Google to the following directory:

~/.m2/repository/com/google/appengine/appengine-java-sdk/1.3.0/appengine-java-sdk-1.3.0

Incremental Improvments

Initially, I had kept the appengine-web.xml within the WEB-INF directory, but I realized I could make our Release Manager’s life a bit easier if I added a bit of build-time substitution.

Here’s our appengine-web.xml:

<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
	<application>${gae.app.name}</application>
	<version>${friendlyversion}</version>
	<system-properties>
		<property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
	</system-properties>
</appengine-web-app>

And you’ll see that I put it into a new source directory called ‘external’:

At build time, I use the AntRun plugin (lines 97-118) to create a small file under the target directory that holds a ‘sanitized’ version of the standard Maven version. (I.e. “1.0-SNAPSHOT” becomes GAE-friendly “1-0-snapshot”.) I then use the Maven filter functionality available in the WAR plugin (lines 80-96) to copy the appengine-web.xml into its proper directory with the version substituted in.

You’ll also notice in our appengine-web.xml that we substitute in our application name. By default this comes from the properties section of the pom.xml file (line 11). I did this because we’ve actually got 2 different applications up on GAE’s servers, the QA version and the Production version. By default we build using the QA server’s application name, but when our Release Manager is building to upload to Production, all that is needed is an additional command-line argument of “-Dgae.app.name=<prod-name>”.

Running, Debugging, and Deploying

The two most valuable targets that maven-gae-plugin provide are “gae:run” and “gae:debug”. These will assemble your code in the standard Maven webapp target directories and run your app. (Note: “gae:debug” didn’t actually work for me until the 0.5.3 version of the plugin.)

There is also a “gae:deploy” target that is supposed to invoke the Google-supplied shell script that will upload your application to the Google servers, but it failed for me several time. Since then, I’ve defaulted to using the shell script directly to deploy my app once it has been built:

~/.m2/repository/com/google/appengine/appengine-java-sdk/1.3.0/appengine-java-sdk-1.3.0/bin/appcfg.sh \
    update \
    ./target/myApp-1.0-SNAPSHOT

Results

So, this is how we got up and running with GAE/J in our standard development environment. Hopefully this post ends up helping people out to reduce their bootstrap time when evaluating/investigating GAE/J for their own uses.

So, I’m doing some stuff at work that has me looking at HTTP headers. As a reference, I looked at the feed URL for this blog, and I noticed the following header:

X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

I think this is a pretty cute and subtle way of looking for technically adept potential employees.