Fool + Money = Fool - Money

ActionView::TemplateError (no block given) when using find_all
Posted by Joel (joelh-website at planetjoel dot com) on Friday, 11th of June, 2010 - 12:34:47 AM

No block given aye? One of the problems with the magic of Rails is that you get very magic error messages back. In my case the fix was to use find(:all) instead of find_all(), which has now been deprecated.

OpenVPN: Dynamically create IPtables rules based on LDAP group membership
Posted by Joel (joelh-website at planetjoel dot com) on Friday, 14th of May, 2010 - 08:19:21 AM

I'm releasing two small Perl scripts I wrote which provide the client-connect and client-disconnect scripts for OpenVPN, so that you can dynamically create iptables firewall rules based on LDAP group memberships. You push routes to all your internal networks out to the user, then use iptables to allow traffic only to specific destinations and ports. This allows you to give out customized and limited VPN access, or VPN access based on roles.

Rules are looked up in an LDAP database using the common name of the certificate as the uniqueMember of a groupOfUniqueMembers. Details of how to install it are in the zip.

Currently it only supports the TCP protocol. It could easily be extended to support other protocols.

Download: openvpn_ldap_iptables.0.1.zip

Webfaction
Posted by Joel (joelh-website at planetjoel dot com) on Saturday, 10th of April, 2010 - 11:08:45 AM

I signed up my Django project to WebFaction. I'm currently evaluating their service and will post my opinion of them once I get the site up and running.

Wikileaks
Posted by Joel (joelh-website at planetjoel dot com) on Saturday, 10th of April, 2010 - 11:07:58 AM

I just donated $25 USD to Wikileaks. Please go there and watch their latest video; it was very disturbing, but it's important that you see the war in Iraq as it really is.

Music Blog: Sound Fleet
Posted by Joel (joelh-website at planetjoel dot com) on Saturday, 10th of April, 2010 - 07:33:18 AM

So me and some friends decided it would be a good idea to start up a group music blog.

It's still very fresh but I enjoyed hammering out a few posts. If you're also a music lover, contact me and we will continue adding you to the blog (after a rigorous interview process of course).

Sound Fleet Blog

Background/Wallpaper Desktop Switcher
Posted by Joel (joelh-website at planetjoel dot com) on Saturday, 10th of April, 2010 - 06:40:42 AM

Was looking around for a good free background desktop switcher, and I found so much crap. Google struggles to find good free software and instead preferences spam websites and commercial software; it's very frustrating. Anyway, I've started using John's Background Switcher and so far it works great.

Choosing the right SSL certificate
Posted by Joel (joelh-website at planetjoel dot com) on Thursday, 25th of March, 2010 - 11:30:52 AM

Not all SSL certificates are the same. Here is a rough round-up of the differences:

Verification Levels

There are three basic levels of verification: domain only; domain and business; and domain, business and identity of the representative. Domain only is actually quite weak authentication when you think about it: it doesn't prove you are who you say you are or that you have the right to use the brand. However, most end users won't know the difference; they will just see the locked icon. Domain and business is what is typically provided, and CAs normally require something trivial like a corporate credit card to verify you are the business in question.

Extended Verification is the new standard that requires extra steps by the CA to verify that you are actually who you say you are and are the legal entity allowed to trade under that name. See Wikipedia's entry for more details. In Firefox an EV certificate will show as a green box slightly to the left of the URL itself, with the company name.

Indemnity

Each SSL provider offers different indemnity insurance should someone else fraudulently use either your certificate or a certificate for your domain issued by the same CA. I think it's very rare that people actually need to go down this path.

Coverage across browsers

Typically all major SSL providers will be supported on all major OSes out of the box straight away. Some may require you to serve an intermediate chain bundle, which can be a hassle.

Revocation

Not all CAs support the ability to revoke certificates. Surprisingly to me, when I last looked at this only a handful had certificate revocation URLs listed. If you're serious about your security, pick one that does have a revocation URL.

Cost

Certificates can vary wildly in cost. Consider the vendor's reputation and staying power when choosing a certificate, and don't assume more cash means a better product. Consider the interface and the flexibility you have in your CSR; all should support uploading a CSR directly.

Encryption Support

All modern certificates should support 256-bit encryption.

Summary

If your needs sound basic and simple, I would recommend you purchase something cheap. RapidSSL, InstantSSL, GoDaddy or any of the other large players are all fine.

If you are a bigger player, consider upgrading to a new EV certificate. It gives your site a professional look, especially among internet-savvy users. The process can be time-consuming, so budget extra time to get an EV certificate.

See also: Wikipedia Comparison of SSL certificates.

Subversion Pre-Commit hook to check sudoers file syntax
Posted by Joel (joelh-website at planetjoel dot com) on Tuesday, 6th of January, 2009 - 09:32:23 PM

In my short-running series of extremely obscure pieces of code that hopefully someone else in the universe will find useful, I bring you a pre-commit hook for Subversion that checks to make sure your sudoers file has correct syntax. This is useful for us because we have a very large sudoers file, and once committed into Subversion it will get deployed to all of our boxes. If it contains a syntax error this would be quite nasty.

While coding it I ran into a fun little bug that means if you try and print too much to stderr it hangs, which made things a bit more interesting.

Enjoy
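A hook of the kind described, as an added example rather than the author's script: it reads the pending transaction with svnlook, runs visudo -c -f on each changed sudoers file, and caps the message it writes to stderr. The file-name match and the size cap are assumptions made here.

```python
import subprocess
import sys
import tempfile

MAX_MSG = 2000  # assumption: keep hook output small, given the stderr hang


def check_sudoers(content, validator=("visudo", "-c", "-f")):
    """Run the syntax checker on candidate sudoers bytes; return (ok, msg)."""
    with tempfile.NamedTemporaryFile(suffix=".sudoers") as tmp:
        tmp.write(content)
        tmp.flush()
        proc = subprocess.run([*validator, tmp.name], stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True)
    msg = proc.stdout.strip()
    if len(msg) > MAX_MSG:
        msg = msg[:MAX_MSG] + "\n[output truncated]"
    return proc.returncode == 0, msg


def svnlook(subcommand, repos, txn, *extra):
    """Inspect the uncommitted transaction the hook was called for."""
    return subprocess.run(["svnlook", subcommand, "-t", txn, repos, *extra],
                          check=True, stdout=subprocess.PIPE).stdout


def main(argv):
    repos, txn = argv[1], argv[2]  # arguments Subversion passes to pre-commit
    for line in svnlook("changed", repos, txn).decode().splitlines():
        status, path = line[:4].strip(), line[4:]
        # Hypothetical layout: any versioned file named "sudoers" is checked.
        if status.startswith("D") or path.split("/")[-1] != "sudoers":
            continue
        ok, msg = check_sudoers(svnlook("cat", repos, txn, path))
        if not ok:
            sys.stderr.write(f"{path}: sudoers syntax check failed\n{msg}\n")
            return 1  # non-zero exit rejects the commit
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```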

lshw
Posted by Joel (joelh-website at planetjoel dot com) on Sunday, 28th of December, 2008 - 07:56:34 PM

Every now and then you come across a genuine new command that you haven't heard of before that does something useful. lshw lists basically everything hardware related you would want to know about a new box you have just jumped on to. It is extremely detailed and easy to read and should be available with a simple "apt-get install lshw" on either Ubuntu or Debian.

Flickr-CAPTCHA v0.2 using PHP and the FlickrAPI for human recognition
Posted by Joel (joelh-website at planetjoel dot com) on Tuesday, 16th of December, 2008 - 04:16:29 AM

Flickr-CAPTCHA is a captcha program that uses Flickr images and tags to decide whether someone is human. A random thing is selected (from a list of things) and a random number of Flickr images are chosen along with a set of decoys. Each decoy contains at least one other thing, in order to prevent ambiguous images and to keep it obvious that they are decoys. The user must then select all images and if they get 50% right (with minus marks for wrong answers) we consider them definitely human. It should be quite difficult for a computer to guess which images to select but fun and enjoyable for a human. It requires only very basic English skills.

SECURITY

Image IDs are hashed then proxied through a PHP page so that a bot cannot simply look up the image themselves through the Flickr API. They could potentially use the author and the title, so an option exists to hide the title as well if you are paranoid. You will also want to adjust the acceptedRatio if you are really paranoid.

IMAGE LICENSING

We are only selecting images that have attribution licenses, not those that are all rights reserved. Every image being displayed is attributed to the author with a link to their Flickr page. I am not a lawyer, see the LICENSE file for warranty (hint: there is none).

Pros
  • Fun and easy to use
  • Easy for human / hard for computer
  • Customizable
Cons
  • Slow to load all the images
  • Not secure

To get started check out the README file

Download Flickr-CAPTCHA v0.2

Flickr-CAPTCHA online tester

Older Releases: 0.1.
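The ID hiding and the scoring rule from the post, as an added Python example that is not taken from the Flickr-CAPTCHA source. It assumes a keyed, per-session hash (an unkeyed hash of a public Flickr ID could be recomputed by enumerating IDs) and reads "minus marks" as one point off per wrong pick; the secret and photo IDs are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder; use a random server-side key


def image_token(session_id, photo_id):
    """Opaque token shown to the browser instead of the Flickr photo id."""
    msg = f"{session_id}:{photo_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def build_challenge(session_id, targets, decoys):
    """Return (token -> photo id table for the proxy page, correct tokens)."""
    table = {image_token(session_id, p): p for p in targets + decoys}
    correct = {image_token(session_id, p) for p in targets}
    return table, correct


def is_human(selected, table, correct, accepted_ratio=0.5):
    """Score = (right picks - wrong picks) / number of target images."""
    picks = set(selected)
    if not correct or not picks.issubset(table):
        return False  # empty challenge, or a token not issued to this session
    right = len(picks & correct)
    wrong = len(picks - correct)
    return (right - wrong) / len(correct) >= accepted_ratio
```

With this scoring, ticking every image passes only when decoys number at most half the targets, so the decoy count matters as much as acceptedRatio.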