I have the lovely task of importing a POP3 mailbox with 144524 messages into our database. I’m using a third-party component, but am quickly learning more than I ever wanted to know about POP3. For example, ideally you don’t want to use POP3 for large mailboxes because POP3 isn’t scalable.

Having read RFC 1939, which specifies the Post Office Protocol Version 3, I now understand why it isn’t scalable. There are three phases to a POP3 session: the AUTHORIZATION phase, the TRANSACTION phase, and the UPDATE phase.

The AUTHORIZATION phase is simply a login phase. The USER command specifies the username to log in the mailbox with and the PASS command specifies a password. Once authenticated, the server enters the next phase.

The TRANSACTION phase is where the POP3 client does the real work. For example, the STAT command returns the message count within the mailbox. In order to retrieve an individual email, the Message Id is required. To get that, issue the LIST command with no arguments, and the POP3 server will list all the message ids and the size in octets. There’s no way to specify a number of messages to return. So in my case, the command has to return the IDs and sizes for all 144524 messages. But wait, it gets better.

Once a POP3 client is done issuing commands to delete messages in the TRANSACTION phase, none of those messages are actually deleted until the client issues the QUIT command. At that point, the POP3 session enters the UPDATE phase and the server starts to delete the messages marked for deletion. As you can deduce, that could be problematic for a large mailbox.

Also, you might consider deleting messages in batches, which is fine, but there’s a hitch. The QUIT command terminates your session after the UPDATE phase is over, and POP3 does not guarantee that the message ids you listed before will be the same in a separate session. Therefore you have to issue the LIST command at the beginning of each session to list every message, even if you only plan to process a small subset.
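
The session behaviour described above, as an added Python model that is not part of the original post or of any POP3 component: DELE only marks, QUIT triggers the UPDATE phase, and every new session has to LIST the whole mailbox again. Maildrop, Pop3Session and drain_in_batches are hypothetical names, and the sample messages are constructed.

```python
# Added illustration: an in-memory model of the RFC 1939 behaviour described
# above. Maildrop, Pop3Session and drain_in_batches are hypothetical names.

class Maildrop:
    """Server-side mailbox: message bodies in arrival order."""
    def __init__(self, bodies):
        self.bodies = list(bodies)


class Pop3Session:
    """A session that has passed AUTHORIZATION and is in TRANSACTION."""
    def __init__(self, maildrop):
        self.maildrop = maildrop
        # Message numbers are handed out per session: 1..n in maildrop order.
        self.by_number = dict(enumerate(maildrop.bodies, start=1))
        self.marked = set()  # numbers marked by DELE, not yet removed

    def list_messages(self):
        # LIST without an argument covers the whole mailbox: one
        # (number, size in octets) line per message, with no paging.
        return [(n, len(b)) for n, b in self.by_number.items()
                if n not in self.marked]

    def retr(self, number):
        if number in self.marked or number not in self.by_number:
            raise KeyError("-ERR no such message")
        return self.by_number[number]

    def dele(self, number):
        self.retr(number)          # same validity check as RETR
        self.marked.add(number)    # only a mark; the mailbox is untouched

    def quit(self):
        # UPDATE phase: marked messages are removed only now.
        self.maildrop.bodies = [b for n, b in self.by_number.items()
                                if n not in self.marked]
        return len(self.marked)


def drain_in_batches(maildrop, batch_size):
    """Retrieve and delete everything, batch_size messages per session.

    Returns (bodies retrieved, total LIST lines the server had to send).
    """
    retrieved, list_lines = [], 0
    while maildrop.bodies:
        session = Pop3Session(maildrop)
        listing = session.list_messages()   # must be repeated every session
        list_lines += len(listing)
        for number, _size in listing[:batch_size]:
            retrieved.append(session.retr(number))
            session.dele(number)
        session.quit()
    return retrieved, list_lines


if __name__ == "__main__":
    box = Maildrop(b"message %d" % i for i in range(10))  # constructed sample
    bodies, lines = drain_in_batches(box, batch_size=3)
    print(len(bodies), "messages retrieved;", lines, "LIST lines transferred")
```

The total number of LIST lines grows much faster than the number of messages as the batch size shrinks, which is the cost of re-listing in every session.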

In any case, I’m working with the author of the POP3 component I’m using to iron out some kinks and make this work. Once I trim this mailbox down, it should hopefully never get so big again.

Last night Akumi and I attended the Laugh Factory on Sunset to see our friend and up and coming comic Rick Ramos perform. I met Rick through Kyle as the two of them went to Northwestern together and both Rick and I gave toasts at two of Kyle and Cara’s wedding receptions.

Most of the comics were Latino, but there was a surprise appearance by Malibu’s most wanted Jamie Kennedy who was there to try out some new material. However, Jamie didn’t bring it like the other comics.

Before the show we didn’t know what to expect and were admittedly a bit worried. We had never seen Rick perform and we asked each other,

“What if he’s not funny? How awkward will that be?”

The first guy was off to a slow start, confirming our fears that this show might be a bomb. But Rick took the stage like a Hurricane in the Bahamas and just rocked the floor. My gut is still busted from laughing too hard.

Several other top notch acts followed including one by a half-Filipino guy named Jo Koy who made everyone look like crying epileptics in a strobe light from laughing so hard.

If you’re having problems with your computer after upgrading to Windows XP SP2 and you are using a software firewall such as ZoneAlarm or BlackIce, try uninstalling your firewall software and re-installing it. That solved the problem for me. BlackIce recommends uninstalling their firewall before upgrading to SP2.

On two different machines (one with ZoneAlarm and the other with BlackIce), I had simply upgraded to SP2 and turned off the Windows Firewall. Even so, my machines would freeze up, especially when performing network operations. It seems that even with the Windows Firewall off, there’s some sort of contention for the network devices that is resolved by reinstalling.

One thing that bothers me about the CommentAPI is that the only response you get is the HTTP status code.

HTTP/1.1 200 OK

However, there are cases where it would be helpful to return more information. For example, when I post a comment on a blog that moderates its comments, the blog should note in the response that comments are moderated, allowing the application to notify the user as such.

Otherwise I might assume that maybe there was a problem in posting the comment and then use the web form within the blog itself to repost the comment, only to discover that comments are moderated.

This cracks me up.

It always infuriates me to see the conservative right quote the Bible to justify some of their policy choices. Mainly because I believe in a separation of church and state, but especially because of the passages they conveniently neglect that happen to fall in line with the liberal movement.

For example, when you look at the early Christian church, they pooled their resources and shared everything. When Ananias and his wife Sapphira sold a possession and tried to keep back a part of the price, they were struck dead (Acts 5:1-11). Talk about socialism, no? Bush should heed that warning while he tries to give the rich a tax break while cutting back social programs. Luke 12:48 “For unto whomsoever much is given, of him shall be much required…”

Found on here via BoingBoing.

I read with amusement this recent post on Scoble’s blog in which someone writes him a note dictating the tools that “Influencers” use.

Influencers use weird crap. They use Macs and Linux, Mozilla, and other eminently hackable systems. They don’t generally run Windows and IE.

This is very similar to Paul Graham’s view of what makes a great hacker, which revolves around the tools a hacker uses.

I don’t understand this focus on trying to nail the qualities of a great person (be it hacker or influencer) by focusing on the technologies the person uses. Let’s look back at influential writers such as Shakespeare and Whitman. They used pen and paper. Aha! Great writers use Pen and Paper.

When history looks back on great writers, I guarantee you that we do not focus on the tools they used. Rather, we focus on what they did. Their output. Do I know or even care what tools Steinbeck used to write The Grapes Of Wrath or Sylvia Plath used to write Ariel? Hardly. It’s the legacy of their work and accomplishments that is remembered.

Call To Action

Stop wasting your time trying to find the root of greatness by taking your narrow microscope and examining the tools a great person uses. This is as effective as documenting a randomly chosen idiosyncratic tic a person has to determine the cause of his or her influence. You’re trying to push an agenda and you’re not helping anyone. If you want to be a great hacker, influencer, or writer, focus on the necessary skills instead.

Dare puts this quote from Tim Bray up on his blog.

This has nothing to do with a California chip maker. Rather, it’s about a trip I recently took to a conference called Intelink, where the people gather who run one of the world’s biggest and most interesting intranets; the one that serves the community of U.S. Intelligence professionals … I was amused to note that on one of the sub-intranets distinguished by being loaded with particularly ultra-secret stuff, they were offering RSS Bandit for the people to download and use.

[Via Dare Obasanjo aka Carnage4Life]

Ok, I know 007 is actually a British Spy, but I couldn’t think of a good U.S. counterpart.

Aaron Skonnard mentions that

When you take the custom authentication route and write a UsernameTokenManager (UTM), your implementation of AuthenticateToken must return the same secret (e.g., password) used on the client side to generate the hash/signature, depending on which option you use.

As he correctly points out, this makes security experts cringe and hide under the bed (see Keith Brown’s cringing response where he proposes a solution).

The big issue is that your UsernameTokenManager needs access to the original cleartext password. But like any good security conscious developer, you don’t store passwords as cleartext, do you? (I sure hope not. Bad security conscious developer. Bad!). Hopefully you do something along the lines of what Keith suggests in his MSDN column. For each user, he stores a randomly generated salt value and a hash of the cleartext password combined with the salt value. The salt value is unique per user.

Keith points out that the secret returned by the AuthenticateToken method doesn’t have to be the actual cleartext password. It just has to match the secret sent by the client. So if you store your passwords as an SHA1 hash, your client just needs to hash the password before creating the UsernameToken.

However, if you store your password as an SHA1 hash of the cleartext password + salt value, you’re going to have to do a little more work. Your client isn’t going to know the salt value for every user, so your client needs a way to discover that. This may require calling a separate web method just to query for the salt value given a user name. Service clients would be required to store that value (probably on a “session” basis) and use it when calling methods on the main web service.

Below is some sample code for doing just that. This assumes that user passwords are stored as described in the aforementioned article using salt and hash (no eggs, but do bring the ketchup). (My apologies for the ugly formatting, I didn’t want the code to be too wide)

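//Namespaces this snippet relies on. The last one is the WSE 2.0
//namespace (assumed; the post does not state the WSE version).
using System;
using System.Text;
using System.Security.Cryptography;
using Microsoft.Web.Services2.Security.Tokens;

//Make an initial web service call to get
//the salt value for the user "haacked".
//This should be stored by the client so it's
//not called for every method of our main service.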
MyServiceWse proxy = new MyServiceWse();

//In order to get the salt value, a special account
//"saltAdmin" is used to call GetSalt().  This account
//only has access to this method.
//This also requires that the client app knows the
//saltAdmin's salt value up front.
string adminPassword = GetAdminPassword(); 
//implementation not shown.

UsernameToken adminToken 
    = new UsernameToken("saltAdmin", adminPassword
                    , PasswordOption.SendHashed);

proxy.RequestSoapContext.Security.Tokens.Add(adminToken);
string username = "haacked";
string salt = proxy.GetSalt(username);
proxy.RequestSoapContext.Clear();

// Hash password and salt.
string pw = "Password"; //assume this came from the user.
SHA1CryptoServiceProvider hashProvider 
    = new SHA1CryptoServiceProvider();

byte[] inputBuffer = Encoding.Unicode.GetBytes(pw + salt);
byte[] result = hashProvider.ComputeHash(inputBuffer);
string hashedPassword = Convert.ToBase64String(result);
//Set up the user's token.
//Notice we use the hashed password instead of the cleartext one.
UsernameToken token 
    = new UsernameToken(username, hashedPassword
                    , PasswordOption.SendHashed);

proxy.RequestSoapContext.Security.Tokens.Add(token);

//Make the actual service call.
proxy.SomeWebServiceMethod();

The AuthenticateToken method of your custom UsernameTokenManager class can now just return the hashed password value for the calling user from your data store. Everything will work just fine, and security experts can come out from under the bed.
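
The exchange above seen from both sides, as an added Python sketch that is not code from the original post or from WSE. It shows that the stored salted hash becomes the shared secret for the token digest, and therefore needs the same protection as a password. It assumes the digest sent with PasswordOption.SendHashed follows the WS-Security UsernameToken Profile formula; the function names and the in-memory USERS store are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def salted_hash(password, salt):
    """Same steps as the C# above: Base64(SHA1(password + salt))."""
    # Encoding.Unicode in .NET is UTF-16 little-endian.
    return _b64sha1((password + salt).encode("utf-16-le"))

def password_digest(nonce, created, secret):
    """UsernameToken Profile digest: Base64(SHA1(nonce + created + secret))."""
    return _b64sha1(nonce + created.encode("utf-8") + secret.encode("utf-8"))

def new_user_record(password):
    """What the server stores: a per-user random salt and the salted hash."""
    salt = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"salt": salt, "hash": salted_hash(password, salt)}

# Constructed user store (assumption); the cleartext password is never kept.
USERS = {"haacked": new_user_record("Password")}

def get_salt(username):
    """Stand-in for the GetSalt() web method."""
    return USERS[username]["salt"]

def authenticate_token(username):
    """Stand-in for AuthenticateToken: returns the stored hash as the secret."""
    return USERS[username]["hash"]

def build_token(username, secret):
    """Client side: digest token built from whatever secret the caller holds."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, secret)}

def client_login(username, password):
    """Client side: fetch the salt, hash the password, build the token."""
    return build_token(username, salted_hash(password, get_salt(username)))

def server_verify(token):
    """Server side: recompute the digest from the stored hash and compare."""
    if token["username"] not in USERS:
        return False
    expected = password_digest(token["nonce"], token["created"],
                               authenticate_token(token["username"]))
    return hmac.compare_digest(expected, token["digest"])

if __name__ == "__main__":
    print(server_verify(client_login("haacked", "Password")))   # right password
    print(server_verify(client_login("haacked", "password")))   # wrong password
    # The stored hash is itself the shared secret, so it needs the same
    # protection as a password: a token built from it verifies.
    print(server_verify(build_token("haacked", authenticate_token("haacked"))))
```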

Found this on Wesner Moise’s blog. He’s discussing the performance implications between managed and unmanaged code.

The working set for SharpReader is 30Mb, FeedDemon is 23 Mb, and RSS Bandit is 4 Mb in their initial configuration on my machine. (In comparison, the working set for MS Word and MS Excel are about 18 Mbs.) So, actually in their bare configuration, RSS Bandit is the tightest of them all, even considering that RSS Bandit also uses the .NET runtime.

[Via .NET Undocumented]

So I am in the market for a Tablet PC and after a bit of research, the Toshiba Portege M200 is the top contender for my hard-earned dollar.

I’m trying to cut down on the time I spend sitting at a desktop by using a tablet PC for email, reading and writing blog entries, etc… Basically non-gaming and non-development tasks. I think the high resolution of the M200 makes it a nice choice for reading.

So my main question for you is do you think there’s a better Tablet PC out there (or about to be released) worth me looking at over the M200? Let me know. Thanks!

If you installed SP1 for the .NET framework, you may notice that certain feeds are broken and return an HTTP Protocol Error. Dare looked into this and posted an explanation and workaround to the problem.

Apparently a lot of web servers out there are a bit loose with the HTTP specification while SP1 tightens compliance. So c’mon people, stick the chest out, shoulders back, stand up straight, and stick closely to the spec.

Whoa! I saw this on Wired News. If anyone is in danger, it’s me. I love getting right up to the subwoofers and feeling the wind generated (of course wearing my Etymotic earplugs).

Doctors report several cases of collapsed lungs apparently caused by loud music. They theorize that lungs may start to vibrate in the same frequency as the booming bass, which could cause a small rupture.

[Via Wired News]

I think Chris Anderson is totally wrong here. I am currently the smartest person in the room. I don’t CARE if I’m also the dumbest person in the room. He’s still wrong. ;)

(while talking to another senior person at Microsoft)

ChrisAn: “Have you driven a feature from scratch?”

Other: “Uhm, yes. I’ve worked on various platforms for the past 30 years, worked on the first release of DOS for Arabic and Windows for the Middle East”.

ChrisAn: “I’ll take that as a yes”

Remember to self, you are never the smartest person in the room… ever.

[Via simplegeek]

Wired printed an article recently (I wish I could remember the title) that discussed the network structure of relationships and fame. For example, imagine individuals as nodes in a big graph. Join the nodes by drawing directed edges that indicate whether a person knows of another person. An arrow drawn from Bob to Alice indicates Bob knows Alice. The fact that there’s no arrow from Alice to Bob indicates Bob’s a total loser (or stalker).

In this graph, the average person’s node will have roughly as many arrows pointing in as arrows pointing out. That makes sense because in general, you’ll know around the same number of people that know you unless you’re a total loner. But for the truly famous, say for example Bill Gates, the arrows pointing in hugely outnumber the arrows out, which explains the horde of people asking him for money. The effect of this is that there’s no way for Bill to have personal communications with everyone who knows of him. There’s literally not enough time (not to mention incentive).

The article goes on to discuss how this relates to websites and blogs. For the relatively unknown majority out there with blogs (such as this one), the number of arrows pointing in is quite small. Yep. Most likely, your blog is downright obscure. However, there is one advantage. Having a small readership allows one to actually participate in the small number of inane conversations that spark from time to time in the comments section of a post. The fact I even have a comments section is often indicative of the small audience I serve.

However, once you turn it up a notch in audience size, things change. For instance, you’ll probably never get feedback from someone at the truly colossal sites such as CNN.com. Even sites that are somewhere in the middle such as Boing Boing and Slashdot have such a large audience that two-way communication is pretty non-existent.

To give you an idea of the mindshare these sites have, consider the following stats. A micro-node blog like mine gets around 40 web views and 150 aggregator views per post on average. That’s pretty darn insignificant, but at least I can be pretty sure that those aren’t all accounted for by my wife. Non-family members actually read this. “Hi y’all. Welcome! I come in peace!” Now suppose a site like BoingBoing decides to link to a post on this humble site like they did last week. Such an action leads to 18,365 web views (and counting) with 216 aggregator views. Keep in mind that this represents a small subsection of the entire Boing Boing readership who took the time to actually follow a link to some nobody’s blog. Talk about a lot of arrows pointing in.

Recently I blabbed on and on about how to create a sane build process. One question I’ve heard in the past is what’s the point of setting up a big formal build process when you have a very small project, perhaps with a team of one or two?

Well, I’d have to say there is no point to a BIG FORMAL build process for a small project. Rather, the build process should match the size and needs of your project and team. However, I will say this. Start early, because before you know it, your project and team will get big and you’ll be glad you have a build process in place. In the early stages, a simple NAnt (or MSBuild) script will suffice. Over time, that script will grow and grow. That’s exactly what I’m starting off with for Rss Bandit.

At this point, the script simply gets the latest version of the source code from CVS into a clean directory, compiles the code, and generates a compiled help file (.chm) using NDoc.

I plan to add a task to run unit tests, perform an FxCop analysis, and increment version numbers. However, I need to discuss version numbering with Torsten and Dare first. Eventually, I hope to add CruiseControl.NET integration. The purpose of this is to gain some experience with CCNET since I can’t yet use it at work.

Please Help!

So this is all great and dandy, but the build file doesn’t work. I’m not terribly familiar with CVS, so if anybody can help me get this working, I’ll check it in to the CVS repository for RSS Bandit.

Get the BUILD FILE HERE.

(A funny story I heard from somewhere. Supposedly it’s a true story.)

I was barely sitting down when I heard a voice from the other stall saying: “Hi, how are you?”

I’m not the type to start a conversation in the men’s restrooms at a rest stop but, I don’t know what got into me, so I answered, somewhat embarrassed, “Doin Just Fine!”

And the other guy says: “So what are you up to?”

What kind of question is that? At that point, I’m thinking this is too bizarre so I say: “Uhhh I’m like you, just traveling east!”

At this point I am just trying to get out as fast as I can when I hear another question.

“Can I come over to your place after while?”

Ok, this question is just wacky but I figured I could just be polite and end the conversation.

I tell him, “Well, I have company over so today is a bad day for me!”

Then I hear the guy say nervously…

“LISTEN, I’ll have to call you back. There’s an idiot in the other stall who keeps answering all my questions!”