Saturday, September 10. 2011
HTTP Strict Transport Security 🔓

The observant amongst you will have noticed that this website has become entirely secured by HTTPS. If you didn't notice, then I've done my job correctly! By redirecting every page to its HTTPS counterpart, every page you see here will be secured. However, I'd prefer all traffic was secured and reduce the number of redirections from non-secure to secure pages, and that's where HSTS (HTTP Strict Transport Security) comes into play. In this article, I'll explain my motivations, and how to implement HSTS on your own site.

Continue reading "HTTP Strict Transport Security"

Wednesday, July 13. 2011
Cooked CPU

Remember my new computer? Well, it's dead. It died a few weeks ago, and after some diagnostics it's clear that the CPU was completely cooked. Yes, the most expensive part of the build is the part that died. I guess this is all part of the fun of the so-called bleeding edge.

Continue reading "Cooked CPU"

Saturday, June 25. 2011
Progress

Everything's a computer these days, and with so many of these devices being connected to the Internet it seems that engineers are getting lazier. Being a software engineer myself, I'm starting to wonder if I shouldn't become a plumber. I worked a full day yesterday despite it being a Saturday, mostly performing code deployment and system maintenance. For those of you who work in the industry, you'll know that it basically means sitting around waiting for progress bars. I've returned home and want to decompress from my day of waiting, only to find more progress bars waiting for me!

Continue reading "Progress"

Sunday, May 29. 2011
The final pieces of the puzzle

After building the new computer and the arrival of the new monitors, it's been a while since I've been able to complete my “evil plan”. The final pieces of the puzzle arrived today, including a shiny new 30" HP ZR30w monitor (another S-IPS panel).

Continue reading "The final pieces of the puzzle"

Saturday, January 15. 2011
SSH key fingerprints in DNS

Secure shell (SSH) is the workhorse of a UNIX system administrator. Due to its ability to secure connections, protect login details, provide authenticity and even tunnel traffic, SSH replaced telnet in the real world many years ago. Authenticity is not guaranteed, and for administrators working with a large farm of servers it's important to ensure you're talking to the server you really wanted, and not something that's moved into its place. SSH employs a private/public asymmetric keying system, keeping a private key closely guarded and using the public key to not only secure the connection but help prove that you're talking to the right server. Most SSH clients will allow you to remember the public key for a server after your first connection, ensuring subsequent connections are to the same server by revalidating a hash of this key, known as a “fingerprint”. To help validate the fingerprint on your first connection, you can store a fingerprint of the SSH server's public key in DNS for additional verification.

Continue reading "SSH key fingerprints in DNS"

Wednesday, November 24. 2010
New monitors

Following on from the new computer, two-thirds (or possibly one-half) of my monitors have arrived, finally! Backordering can be painful sometimes. They're two 20.1" Hewlett-Packard LP2065 monitors with S-IPS panels; all part of my evil plan. With a native resolution of 1600×1200, that should help with my desktop real estate issues (effectively 3200×1200). The anti-theft feature is a nice idea, but I really appreciate the dual dual-link DVI connectivity. I have a bit of saving to do before this is done…

Thursday, October 28. 2010
New computer

I've been holding back from buying a new PC for quite some time now. Actually, it's been years. My main PC has been a Toshiba Satellite M70 (1.6GHz Pentium M, 2GiB RAM, 60GB HDD, surprisingly good speakers, and an annoying DVD drive which cannot be flashed with RPC-1 firmware).
It's a great little laptop, even today, and aside from the low-end GPU and slow HDD, it runs really well. This poor thing has travelled the world with me, but it's about time I upgraded. For several projects I've been needing a lot more processing grunt, RAM, local storage, and (eventually) desktop real estate. Today most of the stuff has arrived, and it's taken so long because I've been very picky about what I wanted in the build. It's been a long time since I've built a PC, and a few people have asked me to show them the build…

Continue reading "New computer"

Sunday, August 29. 2010
3GP to WebM encoding ☹

Yesterday I blogged about jumping off the Atomium. In that post, I included a video for you to see, using the relatively new WebM video standard. It took me five hours of piss-farting around to get that video on there. To save myself some frustration in the future, I thought I'd take some (more) time to note down the eventual combination used to re-encode the video. Maybe it will be useful to you too.

Continue reading "3GP to WebM encoding"

Monday, November 16. 2009
ARCserve agent for Linux on any distribution ✇

Like it or lump it, our hands are tied at work to continue using ARCserve as our back-up software. It's horrible, but the alternatives are also horrible in their own ways. It's become a case of “better the devil you know” and to keep our auditors happy we need to use the ARCserve backup agent on our Linux boxen now too. That's all good and well if you're running major “corporate friendly” distributions like Red Hat or SuSE, but for the rest of you: Computer Associates will tell you that it won't work at all and you're just going to have to reinstall your server with something “not used by kids in their parents' basements”. Them's fightin' words!

Continue reading "ARCserve agent for Linux on any distribution"

Tuesday, August 18. 2009
IPv6 is coming

It's taken its sweet time getting here, but IPv6 is quickly becoming not only a reality, but a technical necessity. After debates at work with the network administrators over whether it's really needed (they don't think so), I figured it's time to take my own (little) stand on the Internet and prove it's not the scary step into the big unknown that people think it is. My involvement with IPv6 goes back to 2002, after participating in the experimental 6bone network. As ISPs are still very slow to take up IPv6 support, I've run a dual-stack IPv6 network with Internet connectivity through the free Hurricane Electric Tunnel Broker service on and off since. For those of you not willing to play too much, an alternative has popped up known as Teredo which essentially does the same thing, and support is built into Windows Vista (or you can do it under Linux using Miredo, which has proven to work well on our proxy servers at work). But this isn't enough.

Continue reading "IPv6 is coming"

Thursday, June 25. 2009
DSO Framer vs. Edraw Office Viewer

Just a quick one: Anyone out there that needs to embed Microsoft Office into their application somehow can do so using a sample OCX available from Microsoft called DSO Framer (KB311765) as a starting point. The sample does everything you need it to out of the box, but the biggest trick is to make sure you're closing each office instantiation cleanly. It also allows you to play with disabling menus, toggling read-only, and redirecting other functions, and can be quite powerful. At the time of writing, it still works for the up-coming Office 2010, but I would recommend you avoid embedding office in future unless you're unable to argue the point with your managers. While it works with Office 2007, it's a bit flakey, so I suspect Microsoft will ditch it at some point, but you can always download it here (468KiB ZIP). Importantly, it's free. Do not spend your money on Edraw Office Viewer as it's the same thing, only with renamed symbols and a hefty price tag! Go for the public domain version.

Wednesday, May 7. 2008
Fixing other people's code

I'm sick of fixing other people's code. I love the open-source community for all of the free and high-quality software that's out there. I've even contributed my own little bits and pieces, mostly in the form of patches, here and there. What I hate about the open-source movement are the egos. The problem is that the people who started a project end up actually belittling the project because of their own arrogance. Suggest something, or even provide a patch, and these particular people will tell you that your idea is wrong, that you don't know what you're doing, and so forth. On the other hand, they may never respond. I can understand this to a certain extent; I work in IT, and we're all control-freaks at some level.
Over the next year or so, I'm going to start rewriting my blog from the ground up, because this is ultimately the only way I can get the performance and feature-set I want without hacking at someone else's system. This also means my little DVD collection database will be frozen and remain incomplete until I rewrite that part too.

Thursday, April 17. 2008
Blogging the PPC-1 submarine cable

Submarine cables have always fascinated me, initially from the sheer length of some of these cables, or from the sheer number of them, but also from the fact that the concept was commercially proven as long ago as 1850! Of course, back then the cables were simple copper wires wrapped in gutta-percha (a kind of latex) and couldn't compete with today's fancy multi-strand fibre optic self-healing rings. Curiously, PIPE have formally opened a blog that follows the installation of their new PPC-1 cable between Guam and Australia, which is set to be quite interesting.

Continue reading "Blogging the PPC-1 submarine cable"

Thursday, March 20. 2008
The cost of mobile data

I've found myself needing access to the Internet from some remote areas, so it made sense to finally “bite the bullet” and give up; after many years of deliberation and procrastination, I recently bought myself a GPRS/EDGE data plan for my mobile phone. So why would someone like myself — who carries around a Nokia E70 — not have bought into this earlier? Well, it's very simple: The cost of data through a mobile phone is ridiculously high compared with other more conventional broadband Internet connections. It's not just Internet connectivity that's expensive, but SMS text-messages also seem disproportionately expensive compared with e-mail. A while ago, someone with too much time on their hands went a bit overboard detailing the cost of an SMS but neglected to understand the big picture.

Continue reading "The cost of mobile data"

Friday, March 14. 2008
DVD Overload

I like movies. I hate cinemas. I'm a home theatre kind of guy. While I may not actually have the fantastic home theatre setup now, my DVD collection has grown significantly over the last two years. People around me have taken notice, and it's become a common gift for me, especially since I'm a difficult person to buy presents for. This collection has grown to the point where it's become somewhat of an addiction: I'm now faced with a queue of DVDs I've bought or been given as gifts that I still haven't watched!

Continue reading "DVD Overload"