Locked Fire Door at SOGO Kuala Lumpur

I can’t help noticing that the fire doors next to the elevators are all locked. I do understand that fire doors need to be kept closed at all times, and some are locked electronically, but these were locked using padlocks. In the event of an emergency, would the person responsible be running from floor to floor unlocking the doors?


Deleting Emails From Someone Else’s Mailbox

No, it’s not possible unless you have their passwords.

From my moonlighting jobs and previous jobs I usually include myself in the SysAdmin or IT email groups or distribution lists. I received a good one yesterday (translated from Malay):

There are different headaches in maintaining email servers; for example, one might complain of too much spam, but sometimes “valid” emails get filtered. But this one really made my day.

Be Careful With OpenID

No, there is nothing wrong with OpenID, and there is nothing to worry about regarding security or privacy. Giant players like Yahoo! and Google have also been implementing OpenID for quite some time.

I lost my account at Stack Overflow because I was using WordPress.com as an OpenID. Well, I lost it for about a day because the nice people at Stack Overflow were nice enough to help me merge my previous account and a new account I just created.

What happened? I used OpenID without a full understanding of how it works. I used my WordPress.com URL http://romantika.wordpress.com, which I used as a placeholder back then to get an API key for Akismet. What WordPress does is embed the OpenID endpoints into each blog URL. For example:

<link rel='openid.server' href='http://romantika.wordpress.com/?openidserver=1' />
<link rel='openid.delegate' href='http://romantika.wordpress.com/' />

One important thing that you need to realize is that once you delete a blog URL in WordPress.com, you will never get it back, and a page saying that the blog has been deleted will be displayed. I deleted my WordPress.com blog to prevent it from becoming an eyesore, and to avoid redundancy. Little did I know that my OpenID would vanish along with the blog.

I would not have lost my Stack Overflow account if I had realized earlier that they already allow multiple OpenIDs. So if one OpenID provider vanishes, I can use the alternatives and not bug the guys at Stack Overflow. Although, they did mention:

Accounts are keyed on unique OpenID strings, so if by some accident you end up with multiple accounts, or a “new” registered account you don’t want — don’t fret! It is super easy for us to merge any two (or more) Stack Overflow accounts. Just email us at [email protected] with the user IDs or the user page URLs. We’ll merge them for you no problem.

For my next projects, if I include OpenID support I will definitely follow the steps of Stack Overflow by allowing multiple OpenIDs to be attached to one account.
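The failure described above and the multiple-identifier fix, as an added example that is not part of the original post. It reads the `openid.server` / `openid.delegate` link tags the way an OpenID 1.x relying party discovers them from the identity page; the account store, the "deleted blog" page and the second identifier are constructed for illustration, and the provider's signed assertion (which a real login must also verify) is left out.

```python
from html.parser import HTMLParser

# Identity page as quoted in the post, and a constructed "deleted blog" page.
LIVE_PAGE = """<html><head>
<link rel='openid.server' href='http://romantika.wordpress.com/?openidserver=1' />
<link rel='openid.delegate' href='http://romantika.wordpress.com/' />
</head><body>blog</body></html>"""
DELETED_PAGE = "<html><body>This blog has been deleted.</body></html>"  # constructed


class _OpenIDLinks(HTMLParser):
    """Collect <link rel="openid.*"> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        for rel in (attr.get("rel") or "").lower().split():
            if rel.startswith("openid.") and attr.get("href"):
                self.links.setdefault(rel, attr["href"])


def discover(html):
    """Return (server, delegate), or None when the page names no endpoint."""
    parser = _OpenIDLinks()
    parser.feed(html)
    parser.close()
    server = parser.links.get("openid.server")
    return (server, parser.links.get("openid.delegate")) if server else None


class AccountStore:
    """Accounts keyed on OpenID strings; one account may hold several."""

    def __init__(self):
        self._owner = {}  # identifier -> account id

    def attach(self, account_id, openid):
        if self._owner.setdefault(openid, account_id) != account_id:
            raise ValueError("identifier already belongs to another account")

    def detach(self, account_id, openid):
        mine = [o for o, a in self._owner.items() if a == account_id]
        if openid in mine and len(mine) == 1:
            raise ValueError("refusing to detach the only identifier")
        if openid in mine:
            del self._owner[openid]

    def login(self, openid, fetch):
        """fetch(url) returns the identity page; no endpoint means no login."""
        if discover(fetch(openid)) is None:
            return None
        return self._owner.get(openid)


def demo():
    wp = "http://romantika.wordpress.com/"
    backup = "https://openid.example/romantika"  # constructed second identifier
    backup_page = "<link rel='openid.server' href='https://openid.example/server'>"
    store = AccountStore()
    store.attach(42, wp)
    store.attach(42, backup)
    after_deletion = {wp: DELETED_PAGE, backup: backup_page}
    # The deleted blog can no longer log in; the second identifier still can.
    return (store.login(wp, after_deletion.get),
            store.login(backup, after_deletion.get))
```
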

Facebook Is A CIA Device?

I’ve recently received a chain of emails, originating from a celebrity in Malaysia, on how Facebook is a device used by the CIA and how the CIA is harvesting data of the world population in order to reach world domination. The email was quite elaborate, and I am impressed by the level of thinking the celebrity has.

I am not saying I know for sure, or even have the slightest idea, whether or not the CIA is really using Facebook to reach this objective. All I know for sure is that Facebook is located in the US and there may be a law to dictate that all data must be surrendered to the law enforcement authority when requested.

One thing that I am sure about is the value of privacy. It is indeed true that when someone shares their home address, contact numbers, family members, and profession, it is at least available to the owners of the site. Any site. We’re no longer talking about Facebook. It has been around at least since Sir Timothy John Berners-Lee invented the World Wide Web in 1990. Well, thinking carefully, it can also happen on paper.

So, we can’t really focus on Facebook alone. Avoid inserting too much information even in forums or advertising spaces. I’ve seen how naive people can be when they post their full names, ID numbers, phone numbers, home addresses, including the full name of their child inside public forums, just to allow the forum administrator to send birthday gifts or vouchers. Post the pictures along, and it’s complete. Now everyone knows what you look like, and you can easily become a crime target.

That is why I am pissed off with something as little as publishing my ID number online, which is practiced by many public bodies in Malaysia. On survey forms at the shopping store, when asked to fill in personal details I input dummy data. Do you know they sell valid phone numbers and addresses for good money? After a while you will receive phone calls from telemarketers selling stuff you don’t really need.

I value my privacy. Do you?

Ice Lemon Tea with Roach, Anyone?

This is the yuckiest experience I have had so far with restaurants. As it was a hot day, I was relieved to see my Season’s Ice Lemon Tea arrive at Kenny Rogers and quickly took a sip.

Something went into my mouth with the drink, and at first I thought it was some lemon pulp separated from the added lemon slices but it started to move!

It was a little roach, yuck! I called for a change of drink and asked the manager to come to see me. She was very apologetic about it and even offered to make everything gratis, including anything we wanted to order next. Since we were not looking for free food, I said we would pay, but you must make sure that your restaurant is clean!

She gave us a bowl of fancy ice cream anyway, complimentary; but we didn’t really enjoy it that much.

They regretted that it ever happened, and according to them this is the worst case they have ever had (it was the worst case for me too!). If they had been rude about it I would have reported them to MPSJ immediately, as MPSJ opened a few service counters just outside their doors.

Anyway I told them again and again I would come again but they must make sure the same thing would never happen to anyone else ever again.

Photo Printing Experience

On Friday I dropped by the Ferry Sabak photo shop at Equine Park to drop a digital photo for printing. It’s for a birthday present we planned for our sister – a family photo. Since A4 is not a standard photo paper size I asked the guy to print out a 9R size (8″ x 12″) which should fit fine in the frame we bought.

The price was RM15. The time taken was considerably alright, but when he called me out and said the photo was ready, I was stumped. There were grime and stains from the roller inside the machine! It’s either he thought that I was blind, or he was blind. Go figure. I asked him to reprint and the next printout was also stained. I argued: how can I frame this? His answer was that I can use Zippo lighter fluid to clean that up. What?

I asked him, “Why should I go buy Zippo lighter fluid to clean this up? It should come out flawless.” and he asked, “So you don’t want these photos?”. Since I am very strict about privacy I took both of the printouts for the price of one.

On Saturday I decided to visit the MyKamera.com shop in Jusco Equine. Although the girl on duty was not very technical, she explained to me that the price is RM12 and the photo would be ready by Tuesday. When I asked whether there is any express service, she said I would need to add RM3. Okay, cool! So the RM15 price is the standard price for an express service. I received the photo the same day and was happy with the result. I noticed that Ferry Sabak used “Kodak Professional” digital paper while MyKamera.com used “Kodak Gold” digital paper. The difference is that the Kodak Gold is not glossy and would not leave a finger print when touched. I am not sure whether that’s the effect of the printer or the paper.

Also, I noticed that Ferry Sabak may not have color-calibrated the old machine because their photo came out too turquoise and the whites are not pure, as you can see below. Skin color was affected too. Maybe they didn’t realize that I have already converted the JPG to CMYK?


Left – original JPG, middle – Ferry Sabak, right – MyKamera.com. Circled are the stains from the printer at Ferry Sabak. The photos above were scanned after being printed, so the brightness might differ a little and should be ignored.

That will be the last time I visit the Ferry Sabak photo shop.

W3C = Disability Access?

It’s amazing how this website can equate the World Wide Web Consortium to “Disability Access”. Unless the brackets mean something else.

I was attracted by the announcement at the front page “… now equipped with W3C function. Click to know more.”

Shouldn’t the correct term be “Accessibility”?

W3C is a body that develops interoperable technologies and standards for the web. While it’s true that they are the body maintaining the Web Accessibility Initiative (WAI), W3C is not entirely about accessibility. W3C is neither a function nor software, so it’s really weird to put it as panduan penggunaan W3C (guideline to use W3C).


Perl CGI + Apache + Windows

I have always thought it’s difficult to migrate Perl CGI scripts to Windows. I was wrong, and today I learned how to do it. The configuration part is actually 100% similar!

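# This line will ensure only .cgi and .pl files are executed as CGI
AddHandler cgi-script .cgi .pl

# Map the /request/ URI onto the script directory
Alias /request/ "C:/request/"
<Directory "C:/request">
    AllowOverride None
    # ExecCGI is required for the cgi-script handler to run files here
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>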

Now, all .cgi and .pl files are executed as CGI when run from the /request URI. You might have seen the ScriptAlias directive before – it processes everything in the specified directory as CGI. As an example:

# ScriptAlias treats every file under the target directory as a CGI script
ScriptAlias /request/ "C:/request/"
<Directory "C:/request">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

See the lack of the AddHandler directive? It’s no longer needed but it may be included if needed for other locations or directories. Now everything will be executed as a CGI. A CSS file in the directory will cause the server to return Error 500 (Internal Server Error).

One important thing when working with CGI is the shebang – the first line of the script that contains the full path to the interpreter. On Linux it looks like this:

#!/usr/bin/perl

While on Windows it will look like this:

#!C:/perl/bin/perl

This is the only problem with portability as you can’t have more than 1 shebang line!

Installing Perl is another part of the exercise. On Windows, the easiest way to get Perl is to install ActivePerl from ActiveState. If you’re migrating some code over to Windows, other than the shebang you will need to install the required Perl modules. CPAN is available, but I suggest that you don’t use it unless really necessary. Since CPAN downloads the source code and tries to compile libraries, on a bare Windows system it’ll fail.

If you’re missing Perl modules you’ll see the error “Premature end of script”, depending on how your Error 500 pages are configured. In the Apache log, you’ll see:

[Fri Feb 13 10:00:21 2009] [error] [client 10.xx.yy.zz] Premature end of script headers: test.cgi
[Fri Feb 13 10:00:21 2009] [error] [client 10.xx.yy.zz] Can't locate DBD/mysql.pm in @INC (@INC contains: C:/Perl/lib C:/Perl/site/lib .) at C:\request/utils.pl line 7.

That’s when we need to use the ppm utility provided with ActivePerl:

> ppm help
Type 'help command' for more detailed help on a command.
  Commands:
    describe   - describes packages in detail
    exit       - exits the program
    help       - prints this screen, or help on 'command'
    install    - installs packages
    .... snip ....

Based on the error above, it’s time to install the DBD::mysql module.

ppm install DBD-mysql

I’m all set!
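The log-to-ppm step above, as an added example that is not part of the original post: it reads Apache error-log lines, pairs each “Premature end of script headers” failure with the “Can't locate … in @INC” line logged for the same client and timestamp, and prints the matching `ppm install` commands. The first two log lines are the ones shown above; the others are constructed. Turning `Some::Module` into the package name `Some-Module` follows the DBD-mysql case on this page and is an assumption for other modules, since some ship inside differently named distributions.

```python
import re

# Apache 2.2-style error line: [timestamp] [level] [client addr] message
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
MISSING = re.compile(r"Can['’]t locate (?P<path>[\w/]+)\.pm in @INC")
PREMATURE = re.compile(r"Premature end of script headers: (?P<cgi>\S+)")

# Lines 1-2 are from the post; the remaining lines are constructed samples.
SAMPLE_LOG = r"""
[Fri Feb 13 10:00:21 2009] [error] [client 10.xx.yy.zz] Premature end of script headers: test.cgi
[Fri Feb 13 10:00:21 2009] [error] [client 10.xx.yy.zz] Can't locate DBD/mysql.pm in @INC (@INC contains: C:/Perl/lib C:/Perl/site/lib .) at C:\request/utils.pl line 7.
[Fri Feb 13 10:02:05 2009] [error] [client 192.0.2.10] Can't locate Example/Helper.pm in @INC (@INC contains: C:/Perl/lib C:/Perl/site/lib .) at C:\request/report.cgi line 3.
[Fri Feb 13 10:02:05 2009] [error] [client 192.0.2.10] Premature end of script headers: report.cgi
[Fri Feb 13 10:03:00 2009] [notice] Child 1234: Starting 250 worker threads.
"""


def triage(log_text):
    """Group error lines by (timestamp, client) into one event per failed request."""
    events = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != "error":
            continue  # lines without a client (server notices) are skipped
        ev = events.setdefault((m["ts"], m["client"]),
                               {"client": m["client"], "cgi": None, "modules": []})
        failed = PREMATURE.search(m["msg"])
        if failed:
            ev["cgi"] = failed["cgi"]
        missing = MISSING.search(m["msg"])
        if missing:
            module = missing["path"].replace("/", "::")  # DBD/mysql -> DBD::mysql
            if module not in ev["modules"]:
                ev["modules"].append(module)
    return [ev for ev in events.values() if ev["cgi"] or ev["modules"]]


def ppm_commands(events):
    """One ppm command per distinct missing module (naming is an assumption)."""
    modules = sorted({mod for ev in events for mod in ev["modules"]})
    return ["ppm install " + mod.replace("::", "-") for mod in modules]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ev in found:
        print(ev["cgi"], "from", ev["client"], "needs", ", ".join(ev["modules"]))
    for cmd in ppm_commands(found):
        print(cmd)
```
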

Since we’re already talking about Perl, if you need mod_perl you can use ppm to install:

ppm install http://theoryx5.uwinnipeg.ca/ppms/mod_perl-2.0.ppd

At the end of the installation it’ll ask for your Apache’s module directory and copy mod_perl.so there.

The rest is easy:

# Load the Perl runtime DLL before the module that depends on it
LoadFile "C:/perl/bin/perl58.dll"
LoadModule perl_module modules/mod_perl.so

Alias /mprequest "C:/mprequest"
<Location /mprequest>
     SetHandler perl-script
     PerlResponseHandler ModPerl::Registry
     Options +ExecCGI
     PerlOptions +ParseHeaders
</Location>

Of course, PerlResponseHandler should be set depending on what you need.

Have fun with Perl!

The Freelance Developer’s Dilemma

As many probably know by now, I do freelance work after office hours and during weekends. In other words, I moonlight. I do all sorts of things, from developing websites to managing and installing Linux servers.

I have done so many web development jobs, but I can’t really disclose anything due to the fact that I am always hired by web design companies or bigger companies who claim they do everything themselves. Because of this, I have an empty portfolio.

While puffing some cigarettes last weekend I thought of asking my current client, a graphics design company, whether it is alright if I list them as my client on my official business website. Something like this:

Clients:

XXXXXX Management System – Company X Sdn. Bhd.

They refused to provide me permission to do so; one of the reasons being that they don’t want to be called an “Ali Baba” company. In my opinion, companies have certain expertise areas and can’t possibly cover all the grounds. Since they require my service to develop the system, they are our client. I don’t intend to put their client on my site, and I am not even asking them to include my company name on their client website.

What I have seen so far with design companies, they have a footer that looks something like this:

Copyright 2009 The Real Client Sdn. Bhd. All rights reserved. Website designed and developed by Company X Sdn. Bhd.

In my opinion, the word developed should not be there because they are not the ones who developed the website (in my case). Heck, for the last project I even had to build the CSS from scratch because what they provided were screenshots.

Hey wait, the previous system didn’t have the word developed but the new mock designs include the word. Hmm…

Anyway, I can’t escape from feeling unappreciated when this happens, especially with the amount of support I provide, and the technical knowledge I pass to them when they ask, even if it’s not related to the work at hand. I know I will still get the money, but similar to a regular day job, money alone is not enough. Humans require appreciation and credit for what they have done. That’s why I love my current day job so much.

Although “learning how to design” has crossed my mind a thousand times, I felt that I don’t need to step on other people’s toes and it is much better to collaborate. But I do feel that design companies are being too stingy to share the proper credits (and link). Perhaps I should stop thinking like that and get the proper credit I deserve? How do other developers promote their services other than word of mouth?

Note: If you guys from Company X are reading this, I still respect your decision but this is my personal space.

The Power of Assumption

When it comes to personal life, “assume” or “assumption” is the ugliest word. My good friend Ijoy has written about assumptions in his blog, most probably after someone assumed something that is not true about him.

WARNING: This is a partially emotion-driven post and should only be read by the open-minded. Continue at your own risk.


When Security Is Not Secure

I was going after a moron who was disturbing my wife’s blog and reached an IP number. Utilizing nmap, I found out that port 80 on the IP is open.

-(~:#)-> nmap -A -T4 XXX.XXX.XXX.XXX
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-09 23:52 MYT
Warning: Giving up on port early because retransmission cap hit.
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
WARNING:  RST from port 80 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on XXX.XXX.in-addr.arpa (XXX.XXX.XXX.XXX):
Not shown: 1673 closed ports
PORT     STATE    SERVICE        VERSION
25/tcp   filtered smtp
80/tcp   open     http            (GoAhead-Webs embedded httpd)
443/tcp  open     ssl/unknown
1720/tcp filtered H.323/Q.931
5000/tcp open     UPnP?
5001/tcp open     commplex-link?
5100/tcp open     admd?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: general purpose
Running: Microsoft Windows Longhorn
OS details: Microsoft Windows Longhorn Preview
 
Nmap finished: 1 IP address (1 host up) scanned in 122.444 seconds

And so I went to look at what the HTTP server offers. It’s a D-Link DCS-950 camera, most probably port-forwarded using a router, since the browsing IP from the computers is also the same.

I went to the D-Link website to look for the product manual and, as I suspected, it is using the default password, admin/admin. Here’s what I saw:


Anyone recognize this place?

The point here is that a device that is intended to serve as a security tool can also be used against you. The dumbest thing you can do is leaving your devices on default passwords.

Ha… I can see someone changing tabs to open their router configuration panel, which has the default password. 😉

But hey, this camera is cool. I would not hesitate to install one or two at home. It can also be a PPPoE dialer (ADSL) so it can connect directly to a modem and dial the Internet. One bad thing I noticed is that to log in and browse the images you need to use IE as it utilizes ActiveX.
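A defensive reading of the same kind of scan, as an added example that is not part of the original post: run against your own public address, it parses the port table and lists what a port-forward has left reachable, so each item can be closed or given a non-default password. The port table is an excerpt of the output above; the banner keywords and category names are assumptions chosen for illustration.

```python
import re

# Excerpt of the port table from the scan output in the post.
SCAN = """\
PORT     STATE    SERVICE        VERSION
25/tcp   filtered smtp
80/tcp   open     http            (GoAhead-Webs embedded httpd)
443/tcp  open     ssl/unknown
1720/tcp filtered H.323/Q.931
5000/tcp open     UPnP?
5001/tcp open     commplex-link?
5100/tcp open     admd?
"""

PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")

# Banner words taken to mean "device admin web UI" (assumption, extend as needed).
EMBEDDED_HINTS = ("embedded", "goahead")

ADVICE = {
    "embedded-web-ui": "device web interface: change the vendor default password or drop the forward",
    "upnp": "UPnP reachable from outside: disable it on the WAN side",
    "unidentified": "nmap only guessed this service: find out what is listening",
    "review": "confirm this service is meant to be public",
}


def parse_ports(nmap_text):
    """Yield one dict per row of nmap's PORT/STATE/SERVICE/VERSION table."""
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row


def review(nmap_text):
    """Return [(port, category)] for every port reported as open."""
    findings = []
    for row in parse_ports(nmap_text):
        if row["state"] != "open":
            continue  # filtered/closed ports are not reachable services
        service, version = row["service"].lower(), row["version"].lower()
        if any(hint in version for hint in EMBEDDED_HINTS):
            category = "embedded-web-ui"
        elif service.startswith("upnp"):
            category = "upnp"
        elif service.endswith("?") or "unknown" in service:
            category = "unidentified"  # trailing "?" = guessed from port number
        else:
            category = "review"
        findings.append((row["port"], category))
    return findings


if __name__ == "__main__":
    for port, category in review(SCAN):
        print(f"{port}/tcp  {category}: {ADVICE[category]}")
```
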

One Bun To Rule Them All

I went out to Subang Parade on Sunday and passed by a Rotiboy outlet. This board was placed up front:


It was interesting, funny, and scary at the same time.

It’s funny and interesting to know that whoever designed the board is a LOTR fan because that is not even a tag line (I can’t find it on the website).

It’s scary to think that there is some kind of mind control substance in the buns, and them all refers to consumers! Who knows, one day with a simple radio switch, the franchisers will turn us into zombies.

Of course, I am kidding. People are particularly testy these days and I don’t want a lawsuit against me!

Filters! Yahoo! I Want Better Filters!

I have been a long-time Yahoo! Mail user (since 2001), and a paying customer of Yahoo! Mail Plus for 5 years+ (since 2003). There was no Gmail back then, and I needed a permanent email with POP3 access. Yahoo! slowly improved their services, although one thing that I have always been annoyed about is the unavoidable error that will be displayed if I try to access the web interface while my email client is pulling email via POP3. Every time!


In June 2004, I received an email informing me of some improvements. I didn’t really notice them, really.


But then again, this is what I am really disappointed about. The “temporary” message has been there since the release of the new GUI.


And here is the antique filter form. Furthermore, Plus users can only create 50 filters. What’s that about?


Come on, Yahoo! Please improve Mail. While you’re at it, IMAP service wouldn’t hurt either.

Gmail Gone Offline

I have been actively glancing over to the settings page to see whether “Offline” has been activated for my account. And it was there so I decided to activate it:


The settings for Offline are displayed, but not changeable (except to enable or disable the feature):


I have no idea how the algorithm selects which labels to always synchronize.

Now I have enabled it and synced the emails:


When offline, this indicator is seen:


When using it offline I don’t really notice the difference, except when my Firefox gave me hiccups as it tries to connect to the Internet for other websites.