Instant answers are those little boxes at the top of the DuckDuckGo search results page. I made one for discovering international calling codes — or dialing codes if you prefer.

If you want to hack on DuckDuckGo and add your own instant answer its pretty simple to get started. You can use Vagrant and VirtualBox to get a complete working dev environment. But if you are already running Ubuntu or OSX the following recipe is easier:

curl http://duckpan.org/install.pl | perl 
cpanm App::DuckPAN
duckpan installdeps # installs dependencies from DuckPAN (not CPAN) to locallib

Next fork the repository you want to hack on. To choose the correct repository think about what kind of data source you are using to generate your instant answer.

• Fork the spice repo if you have a real time data source like a JSON web API.
• Fork the goodie repo if you generate your instant answer with code and need no network access.
• Fork the fathead repo if your data source can be placed in a key/value store.
• Fork the longtail repo if your data source requires a full text search.

Now you can start hacking. I’ll show you how the capitalization instant answer from the goodie repo works. Below is the code. I added comments to explain things a bit.

package DDG::Goodie::Capitalize;
use DDG::Goodie;

# If a DuckDuckGo search query contains any of these words at the start or
# end of the query, the 'remainder' handler below will run.
triggers startend => 'capitalize', 'uppercase', 'upper case';

# This block of code is pretty much meta data describing this instant
# answer.  Mostly it is used by https://duckduckgo.com/goodies.
zci answer_type => "capitalize";
primary_example_queries 'capitalize this';
secondary_example_queries 'uppercase that';
description 'capitalize a string';
name 'Capitalize';
code_url 'https://github.com/duckduckgo/zeroclickinfo-goodies/blob/master/lib/DDG/Goodie/Capitalize.pm';
category 'conversions';
topics 'programming';
attribution twitter => 'crazedpsyc',
            cpan    => 'CRZEDPSYC' ;

# This is is where the magic happens.  $_ contains the query minus the
# trigger word.  The return value from this sub shows up on the DuckDuckGo
# search results page as an instant answer.
handle remainder => sub { uc ($_) };

To test your new instant answer you can launch a little web server with the following command:

duckpan server

Then open your favorite web browser and surf to http://0:5000/?q=capitalize+aliens+smell+better+than+dinosaurs and you should see something like this:

Recently Ovid pointed out large projects are much more likely to fail. I have a few large goals I’d like to accomplish. For example I want to improve my front end design skills. Rather than trying to tackle this problem all at once, I made up a small project for myself.

I created a Readline cheat sheet and I was able to complete this project in about a day. Here are some of the things I learned:

• Bootstrap – I always worry libraries and frameworks like Bootstrap are overkill and bloat since I only need a tiny portion of their features. But its undeniable that I was able to quickly build a responsive mobile friendly website without needing to worry about the technical details.

• Readline commands – If I had to pick one keyboad shortcut to recommend it would be Ctrl-r which allows you to search backwards through your history. I also like the incremental undo command: Ctrl-_.

• Text::Xslate – People keep mentioning Text::Xslate so I wanted to give it a try. The docs say its full featured and very fast. I liked that HTML metacharacters are escaped by default to avoid cross site scripting attacks. Also it supports Template Toolkit syntax. I didn’t find any new killer features, but it was a pleasure to work with.

• Some new CSS tricks – The best trick I learned is how to keep my footer at the bottom of the page even when it has only a few lines of content.

I was able to practice design, layout, color, and font selection. And who knows — perhaps this project will also drive a tiny bit of traffic to my github profile and increase my luck surface area.

The momentum feels good. I need to remember to keep my projects small more often.

For years I have been hearing people say sugar is the new bad thing. So I finally got around to reading up on this claim. Here is what I learned.

Nutrition

Food is composed of carbohydrates, fats, proteins, water, vitamins, and minerals. Of course, I sometimes swallow stuff that is not on that list but the list is comprehensive in the sense that it covers everything my body needs. Notice that sugar is not in the list. My body breaks down carbs and fats into glucose (sugar) which can be used by my body as energy.

This means sugar has zero nutritional value. There is no reason to ever eat any. Humans do not require sugar.

I have always been smug about the fact that I don’t throw away my money on a caffeine addiction. But suddenly I realize I have been foolishly spending my money on sugar.

No dessert forever

As part of my long term plan to someday somehow acquire a svelte physique, I hereby reject and repudiate the harmful cultural ritual known as dessert. The rules are:

• No dessert forever. No ice cream, no cake, no pie.
• No candy forever. No free candy or chocolate from the nice people at the office.
• No fruit juice forever.
• Exceptions
  • 85%+ dark chocolate
  • Honey
  • Fruit
  • Small quantities of desserts that I have never had before.

Sources:

• Wikipedia: Food energy
• Evidence for sugar addiction
• Abundance of fructose not good for the liver, heart
• Nick Winter

To explain how salt and pepper work in encryption, I will walk through a few scenarios.

No salt

Summary for the impatient: Using no salt means an attacker doesn’t need to generate a rainbow table because they can reuse an existing one.

If an attacker obtains my database of encrypted passwords it will be very time consuming to brute force them. However there exist pre-computed tables of encrypted values of thousands of commonly used passwords. These tables are called rainbow tables. It is computationally inexpensive to match the encrypted values in a rainbow table with the encrypted values in my database.

One salt

Summary for the impatient: Using the same salt for all your passwords means an attacker must generate 1 rainbow table.

Salt is data used as an additional input to the algorthim that encrypts a password. If I use a salt when I encrypt a password the resulting output will be different from someone who did not use the same salt. That means my attacker cannot reuse an existing rainbow table. They must generate a new one using the same salt I used.

Note that salt is usually stored as plain text in the database with the encrypted passwords. So the attacker usually has access to the salt. Even so, I have successfully made the attack more expensive.

A random salt per password

Summary for the impatient: Using a random salt for each password means an attacker must generate 1 rainbow table per password.

Instead of using a single salt for the entire database I can use a different (random) salt for each user’s password. This means the attacker must generate a set of rainbow tables for each password which is even more expensive.

Note that I also need to store the salt for each password I have generated. This is a pain to do manually. Happily some clever person came up with RFC 2307 which suggests a much simpler solution.

Instead of storing the just the encrypted password in the password column, store a string which concatenates the salt and the encrypted password. This may not sound easier. It implies the need to parse and concatenate strings. However this is handled for me by the encryption libraries so its 100% pain free. Lets see an example.

To encrypt the plaintext string ‘pie’ use the following Perl code

my $blowfish = Authen::Passphrase::BlowfishCrypt->new(
   passphrase  => 'pie',
   salt_random => 1,
   cost        => 16,
);

say $blowfish->as_rfc2307; 
# the output will look like this:
# {CRYPT}$2a$14$sS80d1JlF3oR6Q4UHT.9w.DIXnV0/dLQMoVBsOp2gMRT65bWvP0P2

That crazy {CRYPT}$2a$blarblar mumbo jumbo is what we will save to the db in the password column. However if I know what to look for, I can see the mumbo jumbo is actually several things smushed together:

{CRYPT} $ 2a $ 16 $ sS80d1JlF3oR6Q4UHT.9w.DIXnV0/dLQMoVBsOp2gMRT65bWvP0P2

• {CRYPT} – This is the scheme identifier. It indicates which scheme is being used so I know how to parse the rest of the string.
• $ – These are field separators
• 2a – A version number for this scheme
• 16 – The cost
• Then there is the salt (22 base 64 digits — plain text)
• Followed by the encrypted password (31 base 64 digits)

To check if a user has submitted a valid $password use the following code

my $secret   = ''{CRYPT}$2a$16$sS80d1JlF3oR6Q4UHT.9w.DIXnV0/dLQMoVBsOp2gMRT65bWvP0P2';
my $blowfish = Authen::Passphrase->from_rfc2307($secret);

if ($blowfish->match($password)) {
    say "You may enter";
}
else {
    say "You did not say the magic word";
}

Of course we want to build this into our ORM so the Authen::Passphrase objects are inflated and deflated for us. Here is what that looks like in a DBIx Result class:

__PACKAGE__->load_components(qw/FilterColumn/);
__PACKAGE__->filter_column( password => {
    filter_to_storage   => sub { $_[1]->as_rfc2307() },                      # deflate
    filter_from_storage => sub { Authen::Passphrase->from_rfc2307($_[1]) },  # inflate
});

But I only showed you that so you would understand what DBIx::Class::InflateColumn::Authen::Passphrase does under the covers. I use that because it makes my code simpler:

__PACKAGE__->load_components(qw/InflateColumn::Authen::Passphrase/);
__PACKAGE__->add_columns(
    ...,
    password => {
        data_type          => 'text',
        inflate_passphrase => 'rfc2307',
    },
    ...,
);

This is how I encrypt passwords on networthify.com and iijo.org.

Adding pepper

Summary for the impatient: Using pepper means an attacker must generate many rainbow tables per password. But few people use pepper and its controversial.

Pepper is the same as salt except that I don’t save the value anywhere. Lets say I choose an 8 bit value for my pepper. That means there are 256 possible values. If I don’t save that value anywhere then when a user logs in I will need to try up to 256 values to see if the user has the right password. However it means my attacker will need to generate up to 256 rainbow tables for each password.

One big problem is that trying 256 possible values is going to take me about 4 minutes on average hardware.

Even if I ignore that issue, this option is controversial and my understanding is that few people do it. It is generally accepted that messing about with salt and pepper should be left to the professionals who are writing the encryption libraries. Pepper is not supported by Authen::Passphrase.

Caveats

Salting is done to make rainbow tables inneffective. For various reasons crackers rarely use rainbow tables anymore. Instead they use sophisticated brute force algorithms which combine dictionary attacks with databases of known or commonly used passwords. These kinds of brute force attacks can often crack battery-horse-staple XKCD style passwords even if they are very long. Password are not secure unless they are very long and very random.

And there is more bad news. While salting makes it harder to crack all the passwords in the database, cracking a single targeted password is often not computationally hard. A single completely random 8 character password can be cracked with brute force in 10 days.

The only way to protect your users is to require very long and very random passwords. Make sure your website requires a minimum password length of 8 characters or more.

Sources

• Anatomy of a hack: even your ‘complicated’ password is easy to crack (Wired magazine)
• Authen::Passphrase
• Authen::Passphrase::BlowfishCrypt
• DBIx::Class::InflateColumn::Authen::Passphrase
• frew
• crypto.stackexchange.com
• security.stackexchange.com

I have been reading Ray Dalio’s Principles. Ray Dalio is the CEO of Bridgewater which is a big famous successful hedge fund he started in the 70’s. Principles, is a 123 page philosophical text he published in 2011 about how to live your life and how to manage people and organizations. Its extremely good. I’m not done yet but I have a feeling it is something I’m going to be rereading many times over the next few years. You can download it from the Bridewater website.

Here is a sample:

Most people react to pain badly. They have “fight or flight” reactions to it: they either strike out at whatever brought them the pain or they try to run away from it. As a result, they don’t learn to find ways around their barriers, so they encounter them over and over again and make little or no progress toward what they want…

Believe it or not, you are lucky to feel the pain if you approach it correctly, because it will signal that you need to find solutions and to progress. Since the only way you are going to find solutions to painful problems is by thinking deeply about them – i.e., reflecting – if you can develop a knee-jerk reaction to pain that is to reflect rather than to fight or flee, it will lead to your rapid learning/evolving.

And from that he derives this equation:

Pain + Reflection = Progress

So I’ve been trying to do this. Whenever I experience conflict, stress, anger, or pain, I will try to make that into an opportunity to evolve and to become stronger.

Quite a lot of Principles feels like common sense. But at the same time I can see that some of that common sense stuff is stuff I haven’t been doing or have been doing half way or just have not thought through as much as Dalio has. I think that having this set of considered formalized principles to refer to will help me to get what I want from life.

By the way, I discovered Principles via Sebastian Marshall. Sebastion is an American who has been living and working in Japan for about 10 years. His writing is always interesting and is a great source of new ideas for me.

Don’t be afraid to delete files from your git repository. You can get restore them. You can even search for a string in a deleted file. Here is how to find a deleted file and its commit:

git log --diff-filter=D --summary                  # all deleted files ever
git log --diff-filter=D --summary .                # all deleted files in cwd 
git log --diff-filter=D --author=Batman --summary  # all files deleted by Batman

How to restore a deleted file:

git checkout <commit>~1 <filename>

To make this process a little easier next time I need to do it, I created a git alias for finding deleted files by adding this to my .gitconfig file:

[aliases]
deleted = log --diff-filter=D --summary

Now I can find and restore files like this:

git deleted                         # find a deleted file and its commit
git checkout <commit>~1 <filename>  # restore the deleted file

How to search the contents of deleted files

But lets say I don’t remember the filename of that file I deleted in a fit of cleanup passion. I do remember the name of one of the functions in it though. Here is how to deal with that. Search the contents of all files that have ever existed in git for a string:

git log --summary -S<string> [<path/to/file>] [--since=2009.1.1] [--until=2010.1.1]

Another way to do this:

git rev-list --all | xargs git grep 'string'

Git is all knowing and all seeing and all powerful. Hail git, powerful arcane lord of source control.

To reload your tmux configuration without restarting the server, add this to your ~/.tmux.conf file:

# reload the config file without restarting the tmux server
bind R source-file ~/.tmux.conf \; display-message "Config reloaded"

Notice thats a capital R not a lowercase r. I keep forgetting that.

I use and love OSX growl and Ubuntu notify style desktop notifications. They are gorgeous. But they are also distracting and after a few vibrant and whimsical but fleeting seconds they are gone forever and you have no way to get them back.

A more useful (and less glorious) way to receive notifications is in your tmux status bar. tmux is the brilliant successor to the venerable screen which hasn’t been actively developed for quite a while.

Here is how I configure notifications in my .tmux.conf file:

set -g status-interval 15    
set -g status-right !exec my_shell_script

This tells tmux to run my_shell_script every 15 seconds. It displays the first line of output from the shell script. Now I can get unobtrusive status updates which don’t go away. And if I ate a good breakfast, feel rested, and have the wind at my back I can write some code to log my notifications to a file so that I don’t miss any.

Here are some ideas that might be useful which I might someday do maybe perhaps possibly:

• Status updates when someone says your name on irc
• Status updates when jenkins tests fail
• Status updates when people push code live
• Status updates when people merge branches

Any other ideas?

Also don’t miss the tmux powerline status bar.

Recently I started breaking out of my Perl-only isolation bubble and dabbling with other languages. I was surprised how easy and comfortable other languages are. I think its because these days good ideas spread from one language to the next incredibly fast. Even in a new language when I reach for a tool I can usually find some Perl technology analogue.

For example, I’ve been a perlbrew person for a long time and it has served me well. Ruby has its own version of perlbrew called rbenv which is pretty great. But actually it seems every language has a clone of rbenv.

• Python has pyenv.
• PHP has phpenv.
• Node has ndenv.
• Java has jenv.
• Perl has plenv.

So I thought, what the heck — lets try that out. The nice thing is all the envs have pretty much the same command line options and the same approach to managing dependencies. I thought it might be calming and soothing for my brain to have one way of doing things.

I found Anyenv just a second ago as I was writing this. It claims it will manage all my envs. Looks like brilliant stuff. Fortune favors the bold. (I eat danger for breakfast.) I’ll try it.

git clone https://github.com/riywo/anyenv ~/.anyenv
echo 'export PATH="$HOME/.anyenv/bin:$PATH"' >> ~/.my_profile
echo 'eval "$(anyenv init -)"'               >> ~/.my_profile
exec bash -l
anyenv install rbenv    # ruby
anyenv install plenv    # perl
anyenv install pyenv    # python
anyenv install phpenv   # php
anyenv install ndenv    # nodejs
anyenv install denv     # dunno
anyenv install jenv     # java
exec bash -l            # <-- useful trick btw
anyenv versions

Ok now I have all the envs. But I want to actually do some work with plenv. Lets see if I can do that.

plenv install --list  # list all the potential perl versions you can use
plenv install 5.19.6  # install perl v5.19.6
plenv rehash          # reload the shell environment with the new perl
plenv global 5.19.6   # use v5.19.6 everywhere by default
plenv local  5.19.6   # use v5.19.6 in this directory for this project
plenv install-cpanm   # install cpanm for this version of perl
plenv rehash          #
plenv which cpanm     # see where cpanm is installed. should be ~/.anyenv

Now I will install the dependencies for my project. I will manage them with Carton.

cpanm Carton          # install carton for this version of perl
plenv list-modules

At this point I need to create a cpanfile. There are all kinds of cool things you can do in this file, but with your permision I will begin with baby steps. Here is mine cpanfile for now:

requires "Catalyst";
requires "Plack";
requires "DBD::SQLite";

And then I run carton to install these modules locally into local/lib/perl5.

carton               # install all the dependencies from the cpanfile
ls local/lib/perl5/  # see all the new modules installed here
plenv list-modules   # see mountains of installed stuff
cd /tmp
plenv list-modules   # see nothing installed except Carton

Notice that a carton.snapshot file was created. If I look inside, I can see a list of all my project dependencies, and all their dependencies, etc all the way down to the first turtle — AND there are version numbers for everything.

# carton snapshot format: version 1.0
DISTRIBUTIONS
Apache-LogFormat-Compiler-0.13
  pathname: K/KA/KAZEBURO/Apache-LogFormat-Compiler-0.13.tar.gz
    provides:
      Apache::LogFormat::Compiler 0.13
    requirements:
      CPAN::Meta 0
      CPAN::Meta::Prereqs 0
      Module::Build 0.38
...blah biddee blah etc...

I can add cpanfile and cpanfile.snapshot to my git repo. Now when I deploy or share the code, the user at the destination can run Carton and they will end up with the exact dependencies with the exact same version numbers I had. This way I can be sure my code will run as successfully for them as it did for me.

If your website goes down, you want to find out fast. There are a few ways to accomplish this, but I’m using monit. Monit is a mature unix monitoring daemon and it gives me the ability not only get alerts but to restart services that go down.

Monit has lotsa power and options and you can read about all of them on the man page. Or if you don’t want to mess around with that you can pay them for a pretty web admin interface and some phone/tablet apps for a one time fee of € 65. Another simpler and I think less powerful option is monitor.us.

I don’t want to pay. So I installed monit like this:

apt-get install monit

The configuration file for monit lives at /etc/monit/monitrc. You probably don’t need to bother with that. When monit runs, it looks in /etc/monit/conf.d and executes any scripts it finds in there. Like many people I’m running nginx in front of my Starman web apps. So I want monitor both of those processes.

Here is how to do that. Created a script named /etc/monit/confd/nginx:

check process nginx with pidfile /var/run/nginx.pid

    start program = "/etc/init.d/nginx start"
    stop  program = "/etc/init.d/nginx stop"

    alert kablamo@example.com with mail-format {
           from: monit@example.com
        subject: monit alert: $SERVICE $EVENT $DATE
        message: $DESCRIPTION
    }

    if failed port 80 protocol HTTP
        request /
        with timeout 7 seconds
        then restart

Then create a second script named /etc/monit/conf.d/mywebapp. Its very similar. This assumes you are running your web app as the user web on localhost port 22222.

check process mywebapp with pidfile /var/run/mywebapp.pid

    start program = "/etc/init.d/mywebapp start" as uid web and gid web
    stop  program = "/etc/init.d/mywebapp stop"  as uid web and gid web

    alert kablamo@example.com with mail-format {
           from: monit@example.com
        subject: monit alert: $SERVICE $EVENT $DATE
        message: $DESCRIPTION
    }

    if failed port 22222 protocol HTTP
        request /
        with timeout 7 seconds
        then restart

With these scripts, anytime your processes disappear or stop working you will get email and monit will try to restart them.

But I’m paranoid. So I created a third monit script to do an end to end test in case something ever gets misconfigured somewhere. /etc/monit/conf.d/end2end:

check host networthify.com with address 71.19.156.131

    alert kablamo@example.com with mail-format {
           from: monit@monit@example.com
        subject: monit alert: $SERVICE $EVENT $DATE
        message: $DESCRIPTION
    }

    if failed port 80 protocol HTTP
        request /
        with timeout 9 seconds
        then alert

Suggestions for improvment?