Geek

Sane Password Strength Validation for Django with zxcvbn

While many admins and blog posts tell users that length is by far the most important factor in creating strong passwords/passphrases, the majority of password input fields give them a set of hidebound rules instead: eight characters, at least one upper- and one lowercase letter, some digits and punctuation marks, etc.

Even though it includes dictionary words, a passphrase like:

Sgt. Pepper's Mr. Kite

is far stronger than:

js72(.Tb8

(there’s a world of difference between 22 characters and 9, from a cracking perspective). But many password input fields would reject the first one. No wonder users are confused by the process of creating strong passwords!
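To make the contrast concrete, here is an added example (my code, not from the post or from the zxcvbn or Django projects) that puts the "hidebound" composition policy beside a Django-style password validator that rejects by estimated guessability. It assumes the `zxcvbn` PyPI package (`zxcvbn(password, user_inputs=[...])` returning a dict with a 0-4 `score`) and Django's `AUTH_PASSWORD_VALIDATORS` protocol (`validate(password, user)` raising `ValidationError`, plus `get_help_text()`); both imports are optional so the module runs offline, and `length_bucket_score` is a crude constructed stand-in scorer used only for the offline demonstration.

```python
"""Strength estimation instead of composition rules (added example, not from the post)."""
import re

try:
    from django.core.exceptions import ValidationError
except ImportError:  # Django absent: stand-in with the same constructor shape
    class ValidationError(ValueError):
        def __init__(self, message, code=None):
            super().__init__(message)
            self.code = code


def passes_composition_rules(password):
    """The 'hidebound' policy the post describes: 8+ characters with at least
    one upper-case letter, one lower-case letter, one digit and one symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def zxcvbn_score(password, user_inputs=()):
    """Default scorer: zxcvbn's 0-4 score, imported lazily so the rest of the
    module works without the package installed."""
    from zxcvbn import zxcvbn
    return zxcvbn(password, user_inputs=list(user_inputs))["score"]


def length_bucket_score(password, user_inputs=()):
    """Constructed stand-in for offline use (NOT zxcvbn): buckets by length
    only and zeroes out anything containing one of the user's identifiers."""
    lowered = password.lower()
    if any(s.lower() in lowered for s in user_inputs if len(s) >= 3):
        return 0
    return min(4, len(password) // 5)   # <5 chars -> 0, 5-9 -> 1, ..., 20+ -> 4


class StrengthValidator:
    """Django-style validator that rejects by estimated guessability rather
    than by character classes. The scorer is injectable for testing."""

    def __init__(self, min_score=3, scorer=zxcvbn_score):
        self.min_score = min_score
        self.scorer = scorer

    def validate(self, password, user=None):
        # Hand the estimator whatever identifies the user, so a password built
        # from the username or e-mail is scored as the weak choice it is.
        user_inputs = []
        if user is not None:
            for attr in ("username", "email", "first_name", "last_name"):
                value = getattr(user, attr, "")
                if value:
                    user_inputs.append(str(value))
        if self.scorer(password, user_inputs) < self.min_score:
            raise ValidationError("This password is too easy to guess; try a longer phrase.",
                                  code="password_too_guessable")

    def accepts(self, password, user=None):
        """Boolean convenience wrapper around validate()."""
        try:
            self.validate(password, user)
        except ValidationError:
            return False
        return True

    def get_help_text(self):
        return "Use a long passphrase; length matters more than symbol rules."


if __name__ == "__main__":
    validator = StrengthValidator(scorer=length_bucket_score)
    for pw in ("Sgt. Pepper's Mr. Kite", "js72(.Tb8"):
        print(repr(pw), "rules:", passes_composition_rules(pw), "strength:", validator.accepts(pw))
```

Run with the real package installed (`pip install zxcvbn`) and `StrengthValidator()` defaults to zxcvbn; in `settings.py` it is registered like any other validator, as `{'NAME': 'yourapp.validators.StrengthValidator', 'OPTIONS': {'min_score': 3}}` (path assumed). The composition check accepts the 9-character `js72(.Tb8` and rejects the 22-character `Sgt. Pepper's Mr. Kite` for lacking a digit, which is exactly the inversion the post complains about; the strength-based validator does the opposite, and also refuses a passphrase that contains the user's own username.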

Geek

What Is Code?

I’ve been thinking recently about how some people have jobs that most everyone can “understand” more or less – we all know kinda sorta what a teacher or a policeman does – while others work in areas that are virtually inaccessible to the general public. I’m often reminded how little my family and closest friends understand about how I spend my days.

So Paul Ford of Businessweek has written this colossal, 38,000-word article “What Is Code” that attempts to bridge that gap. I’m not sure it succeeds (or that any article could) but it’s a fine attempt and a damn good read. Even for coders. It took hours to get through, and reading is not generally how I like to spend my weekend time, but it was time very well spent. Super recommend.

What Is Code

Misc

Sheldon the Corn Snake

We raised a gorgeous orange/yellow corn snake up from a 6″ pup to a 4′ adult reptile in about three years. Sheldon, named after the character from The Big Bang Theory, became a reliable companion in our family, coming out occasionally to wander through our fingers, and often to consume mice and rats. We’ve let him move on to another family now, but there will always be a warm place in our hearts for our cold-blooded friend!

More images in the Flickr Set

Arts and Culture

Natural Medicine vs. Homeopathic Sugar Pills

Many people confuse the terms “homeopathic” and “naturopathic,” or think that all natural medicines are homeopathic. Not true! Homeopathic medicines are, by definition, diluted past the point of chemical detectability. In a typical homeopathic pill, not a single molecule of the original substance is present. They don’t work because it is not even conceptually possible that they could work (beyond their placebo effect of course). This is why you can swallow a whole bottle of homeopathic sleeping pills without dying from an overdose – you’ve swallowed nothing but lactose.

On the other hand, many natural medicines are perfectly effective in their recommended doses, and often preferable to their laboratory counterparts.

So if you want to take natural medicines but don’t want to waste your money supporting the scumbag snake-oil hucksters who sell homeopathics, how do you tell the difference? The issue gets especially cloudy when you have a single manufacturer selling both variants. Case in point: One of the world’s biggest homeopathic/naturopathic vendors, Boiron, sells Arnica as both a cream and as a homeopathic pill. But there’s a huge difference: The topical cream contains 7% actual Arnica, whereas the pill is a true homeopathic, therefore containing 0% Arnica. Consumers who don’t want to waste their money must read the label to know they’re getting a product that might actually help them.

How to tell the difference? It’s simple once you know the “code”.

Homeopathic “potency” is described with a “C” or an “X” – the more diluted the ingredient, the more potency it’s considered to have (which is of course absurd). For point of comparison, “one third of a drop of some original substance diluted into all the water on earth would produce a remedy with a concentration of about 13C.” Boiron’s Arnica pellets are sold at a dilution of 30C.

So:

1) Sugar pills (i.e. “diluted” homeopathics) will list their “potency” (which is really the opposite of their potency) as C or X, whereas actual natural medicine will list the active ingredient as a PERCENTAGE (e.g. 7% actual arnica root).

2) If there is an active ingredient, as with the cream, there will be an “Active Ingredients” section on the back label, listing those active ingredients and their percentages. But with sugar pills, you’ll often see only an “Inactive Ingredients” section (mentioning lactose, etc.) but NO “Active Ingredients” section (because there aren’t any and they can’t legally claim that there are any). So a missing “active ingredients” section on the label can be interpreted as code for “sugar pills.” In some cases, homeopathic pills will have an Active Ingredients section, but with a footnote pointing out in small print that **C, K, CK, and X are homeopathic dilutions.


Arts and Culture, Geek

Maker Faire 2015

More images in the Flickr Set.

This year was the 10th birthday of “The Greatest Show and Tell on Earth” – that Rainbow Gathering of robot makers, sculptors, hackers, welders, Burning Man attendees with kids, benders of light, food artisans, bicycle tweakers, DJs and artistic misfits.

Watches

I’m proud to be able to say I’ve taken my child to Maker Faire @ San Mateo every single year since 2006, meaning we haven’t missed a single event.

Iris

Light Sculpture

Despite the annoying aspect of the ever-growing crowds, it’s become a father-son tradition we look forward to every year, and we can’t imagine ever skipping it at this point. Every year is both “more of the same” and completely different.

Creature Quad

Certain exhibits seem almost perennial, but there are always tons of new surprises. It was especially nice to have cooler temperatures this year – low 60s meant we were able to do a full eight hours on the fairgrounds without missing a beat.

More fire-breathing giant beastie sculptures than ever before:

Robot sculpture fire

Riding Cyclecide’s collection of hacked bicycles is always our favorite part of the day. Bikes with hinges in the middle of the frame are almost impossible to ride, but you do kind of get the hang of it after a while.

Cyclecide

Same with the reverse-steering-gear bike that turns the opposite of the direction you turn the wheels. Our fave this time was the bike with off-center axles, making it feel like it’s navigating bumpy terrain even on flat ground.

Cyclecide

The “dark room” seemed better than ever, with more sophisticated interactives, plus a truly gorgeous wall-sized mixed-materials glowing sculpture reminiscent of a time tunnel receding into space.

Light Sculpture

We’ve admired the masking tape cities and gardens every year (now representing 10,000 hours of work and more than 27 miles of tape!), and for the first time this year we actually sat down for a 30-minute lesson on masking tape “origami.”

Masking Tape Art

And Miles had his first opportunity to sit at the helm of an original Apple IIe, just like the ones we used in high school in the early 80s:

Apple IIe

Totally loved the “junk” drumming of John F. King:

More images in the Flickr Set.

Misc

Notes on Organizing Digital Image Collections

I’ve spent the past few months going through and organizing my entire iPhoto -> Photos.app collection. It’s been a tedious but wonderful process. I’ve come to a few conclusions:

Snoopy mud flats

  • Everyone is sitting on tens of thousands of digital images.
  • No one can find a damn thing in that giant pile.
  • If you can’t find it five or ten years from now you may as well have not taken it in the first place.
  • The time to deal with your images is the day you shot them.
  • Delete the duds. Bad exposure. Out of focus. Not the best of the set. Delete delete delete. Delete heaps and you’ll still have more keepers than you’ll ever be able to enjoy. Don’t be a hoarder.
  • For the keepers, the key is findability.
    • Image titles. Album titles. Faces. Keywords. Doesn’t matter. Just make sure one or more keyword exists for search.
    • When adding titles, imagine a future version of yourself searching for this image.
  • Be disciplined. The longer you wait, the more daunting the task.
  • Chip away. Do it now.

Music

Trix.py – Metadata/Converter for Hunter’s Trix

Hunter’s Trix is an incredible (and very large) collection of “matrix” recordings of some of the best Grateful Dead shows. The series is produced and mixed by Jubal Hunter Seamons and includes CD cover artwork for each volume/show.


A “matrix” involves taking a high-quality soundboard recording and merging (matrixing) it with one or more audience recordings (Auds) of the same show. The resulting matrix brings you the maximum fidelity of the soundboard source and the ambience/electricity of being in the audience at the same time.

There are more than 100 Hunter matrixes being traded as legal torrents on etree.org.

Unfortunately, there are two problems:

1) They’re all in FLAC format, instead of Apple Lossless (ALAC). Since most people use iTunes, this means most people must go through a manual transcoding process.

2) The first 94 shows are missing embedded metadata and cover art (the cover art is beautiful).

I’m obsessive about having perfect metadata and cover art in every single track in my collection, which meant manually copying and pasting metadata (including track and disc numbers, show dates and venues, track and album titles, etc.) from text files in the download directory into individual track files. It was taking 20+ minutes to process each album. So I decided to automate the process with this Python script.


I had originally planned to share the completed ALAC versions of the collection back to the community, but Hunter talked me out of it. So I’m doing the next best thing here and sharing the conversion script. With everything installed and working, I was able to cut the processing time down from ~20 minutes per recording to 1 minute. The final results are added to your iTunes collection automagically.


Git it here: https://github.com/shacker/trix

Geek

Django Unit Tests Against Unmanaged Databases

A Django project I’m working on defines two databases in its config: The standard/default internal db as well as a remote legacy read-only database belonging to my organization. Models for the read-only db were generated by inspectdb, and naturally have managed = False in their Meta class, which prevents Django from attempting any form of migration on them.

Unfortunately, that also prevents the Django test runner from trying to create a schema mirror of it during test runs. But what if you want to stub out some sample data from the read-only database into a fixture that can be loaded and accessed during unit tests? You’ll need to do the following:

  • Tell Django to create the second test database locally rather than on the remote host
  • Disable any routers you have that route queries for certain models through the remote db
  • Tell Django to override the managed = False attribute in the Meta class during the test run

Putting that all together turned out to be a bit tricky, but it’s not bad once you understand how and why you need to take these steps. Because you’ll need to override a few settings during test runs only, it makes sense to create a separate test_settings.py to keep everything together:

import sys

from project.local_settings import *
from django.apps import apps
from django.test.runner import DiscoverRunner


class UnManagedModelTestRunner(DiscoverRunner):
    '''
    Test runner that automatically makes all unmanaged models in your Django
    project managed for the duration of the test run.
    Many thanks to the Caktus Group: http://bit.ly/1N8TcHW
    '''

    def setup_test_environment(self, *args, **kwargs):
        # apps.get_models() is the current spelling of the pre-1.9
        # django.db.models.loading.get_models() used when this was written.
        self.unmanaged_models = [m for m in apps.get_models() if not m._meta.managed]
        for m in self.unmanaged_models:
            m._meta.managed = True
        super(UnManagedModelTestRunner, self).setup_test_environment(*args, **kwargs)

    def teardown_test_environment(self, *args, **kwargs):
        super(UnManagedModelTestRunner, self).teardown_test_environment(*args, **kwargs)
        # reset unmanaged models so the flag is correct outside the test run
        for m in self.unmanaged_models:
            m._meta.managed = False

# Since we can't create a test db on the read-only host, and we
# want our test dbs created with postgres rather than the default, override
# some of the global db settings, only to be in effect when "test" is present
# in the command line arguments (the credentials below are local,
# test-only placeholders):

if 'test' in sys.argv or 'test_coverage' in sys.argv:  # Covers regular testing and django-coverage

    DATABASES['default']['ENGINE'] = 'django.db.backends.postgresql_psycopg2'
    DATABASES['default']['HOST'] = '127.0.0.1'
    DATABASES['default']['USER'] = 'username'
    DATABASES['default']['PASSWORD'] = 'secret'

    DATABASES['tmi']['ENGINE'] = 'django.db.backends.postgresql_psycopg2'
    DATABASES['tmi']['HOST'] = '127.0.0.1'
    DATABASES['tmi']['USER'] = 'username'
    DATABASES['tmi']['PASSWORD'] = 'secret'


# The custom routers we're using to route certain ORM queries
# to the remote host conflict with our overridden db settings.
# Set DATABASE_ROUTERS to an empty list to return to the defaults
# during the test run.

DATABASE_ROUTERS = []

# Set Django's test runner to the custom class defined above
TEST_RUNNER = 'project.test_settings.UnManagedModelTestRunner'

With that in place, you can now run your tests with:

./manage.py test --settings=project.test_settings

… leaving settings untouched during normal site operations. You can now serialize some data from your read-only host and load it as a fixture in your tests:

from django.test import TestCase

# Foo is one of the inspectdb-generated (unmanaged) models; import it from your app.


class DirappTests(TestCase):

    # Load test data into both dbs:
    fixtures = ['auth_group.json', 'sample_people.json']

    ...

    def test_stub_data(self):
        # Guarantees that our sample data is being loaded in the test suite
        person = Foo.objects.get(id=7000533)
        self.assertEqual(person.first_name, "Quillen")
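For readers who want to see what the emptied DATABASE_ROUTERS setting is switching off, here is an added example of the kind of router that sends the inspectdb models to the remote host during normal operation. It is my illustration, not code from the post or the project; it assumes the unmanaged models live in an app labelled "legacy" (hypothetical) and that the remote connection alias is "tmi", as in the settings above. Django routers are duck-typed, so the class needs no Django import and can be exercised with stand-in model objects.

```python
"""Database router for a read-only legacy connection (added example, not from the post)."""
from types import SimpleNamespace

LEGACY_APP_LABEL = "legacy"   # hypothetical app holding the unmanaged, inspectdb-generated models
LEGACY_DB_ALIAS = "tmi"       # alias of the remote read-only database, as in the post's settings


class LegacyDatabaseRouter:
    """Send all ORM traffic for the legacy app to the remote connection and keep
    migrations from touching it (or from creating legacy tables in 'default')."""

    @staticmethod
    def _is_legacy(model_or_instance):
        # Both model classes and instances expose _meta.app_label.
        return model_or_instance._meta.app_label == LEGACY_APP_LABEL

    def db_for_read(self, model, **hints):
        return LEGACY_DB_ALIAS if self._is_legacy(model) else None

    def db_for_write(self, model, **hints):
        # Same alias on purpose: read-only enforcement belongs to the grants on
        # the remote host, so a stray save() fails loudly there instead of
        # silently landing in 'default'.
        return LEGACY_DB_ALIAS if self._is_legacy(model) else None

    def allow_relation(self, obj1, obj2, **hints):
        # Only allow relations between objects that live in the same database.
        return self._is_legacy(obj1) == self._is_legacy(obj2)

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        if app_label == LEGACY_APP_LABEL:
            return False      # never migrate legacy models, on any connection
        if db == LEGACY_DB_ALIAS:
            return False      # never create our own tables on the remote host
        return None           # no opinion: let other routers / defaults decide


def fake_model(app_label):
    """Constructed stand-in for a model class or instance; only _meta.app_label is consulted."""
    return SimpleNamespace(_meta=SimpleNamespace(app_label=app_label))


if __name__ == "__main__":
    router = LegacyDatabaseRouter()
    print(router.db_for_read(fake_model("legacy")))       # tmi
    print(router.allow_migrate("default", "legacy"))      # False
    print(router.allow_migrate("default", "auth"))        # None
```

Test database creation runs migrations on every configured test database and consults `allow_migrate` while doing so, so with this router active the legacy tables would never be created in the local test copy even after the runner flips `managed` to True; that is the second reason, besides the host override, for setting DATABASE_ROUTERS to an empty list in test_settings.py. One further caveat: the runner's `managed` flip only helps for apps whose tables are created without migration files (no migrations package, or the app mapped to None in MIGRATION_MODULES); if the legacy app has migrations, the test schema comes from the migration state, which still records managed = False.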

Geo

Stranded Sea Lion, Angry Poison Oak, Ukulele Maiden

Huge day out with friends yesterday, along Coastal Trail to Alamere Falls (Pt. Reyes). Poison oak in full bloom. Recent stories about sea lion pups washing ashore, disconnected from their mothers who are out foraging for food made scarce by warming waters, turned all too real when we encountered one, grumbling for a meal. Added another couple-three miles to the route (for a total of 11?) as we walked up the beach looking for another access point to the trail above. Perfect weather, huge vistas, malty barley wine enjoyed on a driftwood log after lunch. Great company, gorgeous day. Life is good.

Images in the Flickr set:

Alamere Falls - Steve & Andrew