I recently read a post on a web development firm’s blog (anonymous to protect them and myself). It was talking about how open-source web software is inferior to closed-source. The main reasoning was that open-source allows attackers to find vulnerabilities just by sifting through the code. The company touts their proprietary CMS as better than Drupal or WordPress because only they (and their customers, heh) see the source code. Therefore it’s rock solid.

I was kind of blown away by this. Obviously it’s a marketing ploy to scare unknowing customers into using them instead of doing a simple WordPress install, but it’s blatantly wrong and I feel the need to respond. Oddly enough, their blog is in WordPress. Hmm.

First off, all software has vulnerabilities. All servers have vulnerabilities. Yes, it’s easier to find them if you know the setup or know the code, but what I’ve seen in my lifetime of computer work is this: if someone wants to hack your site, they will. If there is a vulnerability, they will find it. And as I just said, all software has vulnerabilities. It’s stupid to assume that because the source is only readily available to people who pay you money and the people who work on their site after you that no vulnerabilities will ever be found. They will be found. Look at Google. They were just hacked by China. Does Google open source their Gmail app? No, completely closed-source. But someone wanted to hack them, so they got hacked. That’s what happens. Also, if your proprietary CMS is written in PHP, Python, Ruby, Perl, etc etc…you’re still using open source. Someone could attack the site at the language level. Does it make sense to now develop your own closed-source programming language so nobody will ever be able to hack it?

Secondly, most well-known open-source software has been around a very long time and has had hundreds of thousands (if not millions) of people using it. This means that over time, it gets battle-hardened. The common and not-so-common vulnerabilities are found, leaving users of the latest versions with a rock-solid code base that has gone through thousands of revisions to be extremely secure. With open-source, you’ve got hundreds of eyes looking over everything that’s added/changed/removed at all times. With proprietary code, you get a few pairs of eyes at best, with far fewer installs and far fewer revisions to harden and secure.

Is open-source better than proprietary? If you’re poor, most likely, but otherwise they both have their good and bad points. The main point of this article isn’t to bash proprietary software at all, it’s to refute the claim that because the source is open the product is less secure. I believe the exact opposite, in fact. If your code is open for everyone to look at, you damn well better be good at seeing vulnerabilities before they even get deployed…and if you don’t catch it, someone else developing the project probably will.

Is open source too open? Hell no.

I don’t know about everyone else, but I’m starting to get insanely pissed off with Google. They keep changing their site. First their homepage with the ridiculous Google Fade. Now their search listings have updated.

It appears Google is on a mission to alienate and anger their users. Mission accomplished. You know why I don’t use other searches? Because there’s too much clutter in the results. Google is simple. You type something, it shows results. Thanks. End of transaction. No need to show me “OH! Because you typed ‘gonorrhea’ you might like AIDS!!!” or “See news about ‘gonorrhea!’” No thanks. Just show me the listings. Or would you like to see images of gonorrhea?? If I did, I’d click the “Images” link you so graciously supply on top.

So now Google is on a quest to be more like Yahoo. Idiots. Google, why do you think nobody uses Yahoo? Why do you think everyone uses Google? IT’S THE FUCKING INTERFACE, you dumb shits. Are you really too fucking stupid to realize this? The more you copy other search engines, the more your appeal slips into the ether.

I really want to not hate you Google, but you make it so hard lately. PLEASE STOP FUCKING WITH YOUR INTERFACE.

So I got to thinking. There are some good caching reverse proxies out there, maybe it’s time to check one out for beeets. Not that we get a ton of traffic or we really need one, but hey what if we get digged or something? Anyway, the setup now is not really what I call simple. HAproxy sits in front of NginX, which serves static content and sends PHP requests back to PHP-FPM. That’s three steps to load a fucking page. Most sites use apache + mod_php (one step)! But I like to tinker, and I like to see requests/second double when I’m running ab on beeets.

So, I’d like to try something like Varnish (sorry, Squid) but that’s adding one more step in between my requests and my content. Sure it would add a great speed boost, but it’s another layer of complexity. Plus it’s a whole nother service to ramp up on, which is fun but these days my time is limited. I did some research and found what I was looking for.

NginX has made me cream my pants every time I log onto the server since the day I installed it. It’s fast, stable, fast, and amazing. Wow, I love it. Now I read that NginX can cache FastCGI requests based on response caching headers. So I set it up, modified the beeets api to send back some Cache-Control junk, and voilà…a 2800% speed boost on some of the more complicated functions in the API.

Here’s the config I used:

# in http {}
# 500 MB on-disk cache; the "php" zone holds 16 MB of keys in shared memory,
# and entries nobody has requested for 5 minutes get dropped
fastcgi_cache_path /srv/tmp/cache/fastcgi_cache levels=1:2
                           keys_zone=php:16m
                           inactive=5m max_size=500m;
# after our normal fastcgi_* stuff in server {}
fastcgi_cache php;
# key on URI + body, because our API sends its params in the body of a GET
fastcgi_cache_key $request_uri$request_body;
# default lifetime; Cache-Control / Expires / X-Accel-Expires sent by PHP override it
fastcgi_cache_valid any 1s;
fastcgi_pass_header Set-Cookie;
fastcgi_buffers 64 4k;

So we’re giving it a 500 MB cache. It says that any valid cache is saved for 1 second, but this gets overridden with the Cache-Control headers sent by PHP. I’m using $request_body in the cache key because in our API, the actual request is sent through like:

GET /events/tags/1 HTTP/1.1
Host: ...

{"page":1,"per_page":10}

The params are sent through the HTTP body even in a GET. Why? I spent a good amount of time trying to get the API to accept the params through the query string, but decided that adding $request_body to one line in an NginX config was easier than re-working the structure of the API. So far so good.
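To make concrete what that config does, here is an added example (it is not from the original post and is not nginx’s code): a small Python model of where nginx would store the entry for the post’s cache key and how long it would keep it, given the response headers PHP sends. The cache path, levels=1:2, the key and the 1s default come from the config above; the header precedence follows nginx’s documented rules for X-Accel-Expires, Cache-Control, Expires and Set-Cookie. The response headers used in the demo at the bottom are constructed.

```python
"""Model of the fastcgi_cache setup from the post (added example, not the
post's own or nginx's code).  Assumptions: cache path, levels=1:2, the
$request_uri$request_body key and fastcgi_cache_valid 1s are taken from the
post's config; header precedence is nginx's documented behaviour."""
import hashlib
import time
from email.utils import parsedate_to_datetime

CACHE_PATH = "/srv/tmp/cache/fastcgi_cache"  # fastcgi_cache_path from the post
LEVELS = (1, 2)                               # levels=1:2
DEFAULT_VALID = 1                             # fastcgi_cache_valid any 1s


def cache_key(request_uri, request_body=""):
    """fastcgi_cache_key $request_uri$request_body, exactly as the post sets it.
    Note there is no $host in the key: a second server {} block sharing the
    'php' zone would share entries with this one."""
    return request_uri + request_body


def cache_file(key):
    """Path of the cache file for a key.  nginx names the file after the MD5
    of the key and builds the directories from the *end* of the hex digest,
    so levels=1:2 means: last hex char, then the two chars before it."""
    digest = hashlib.md5(key.encode("utf-8")).hexdigest()
    parts, end = [], len(digest)
    for width in LEVELS:
        parts.append(digest[end - width:end])
        end -= width
    return "/".join([CACHE_PATH, *parts, digest])


def _directives(value):
    """Split a Cache-Control value into lower-cased directives."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def cache_ttl(headers, now=None, default_valid=DEFAULT_VALID):
    """Seconds nginx would keep the response; 0 means it is not cached.

    Order of evaluation (per the fastcgi_ignore_headers documentation):
      1. Set-Cookie           -> not cached.  This is what keeps per-user
                                 responses out of the shared cache by default.
      2. X-Accel-Expires      -> 0 = do not cache, N = N seconds, @T = until epoch T
      3. Cache-Control        -> no-cache / no-store / private = do not cache,
                                 max-age=N = N seconds (the override the post uses)
      4. Expires              -> absolute HTTP date
      5. fastcgi_cache_valid  -> the configured default (1s here)
    """
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}

    if "set-cookie" in h:
        return 0

    if "x-accel-expires" in h:
        v = h["x-accel-expires"].strip()
        if v.startswith("@"):
            return max(0, int(v[1:]) - now)
        return max(0, int(v))

    if "cache-control" in h:
        directives = _directives(h["cache-control"])
        if any(d in ("no-cache", "no-store", "private") for d in directives):
            return 0
        for d in directives:
            if d.startswith("max-age="):
                return max(0, int(d.split("=", 1)[1]))
        # e.g. just "public": fall through to Expires / the default

    if "expires" in h:
        expires = int(parsedate_to_datetime(h["expires"]).timestamp())
        return max(0, expires - now)

    return default_valid


def describe(request_uri, request_body, response_headers, now=None):
    """Where a request would be cached and for how long."""
    key = cache_key(request_uri, request_body)
    return {"key": key, "file": cache_file(key),
            "ttl": cache_ttl(response_headers, now)}


if __name__ == "__main__":
    # The request from the post, with a constructed PHP response whose
    # Cache-Control header overrides the 1s default.
    print(describe("/events/tags/1", '{"page":1,"per_page":10}',
                   {"Content-Type": "application/json",
                    "Cache-Control": "public, max-age=300"}))
```

Two things the model makes visible: a response carrying Set-Cookie is never cached by default, so the `fastcgi_pass_header Set-Cookie` line does not turn cookie-setting responses into shared cache entries; and anything the API returns per user should say `Cache-Control: private` or `no-store` so that it never lands in the shared cache at all.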

That’s NginX’s FastCGI module acting as a reverse proxy cache. Ideally in our setup, HAproxy would be replaced by a reverse proxy cache like Varnish, and NginX would just stupidly forward requests to PHP like it was earlier today…but I like HAproxy. Having a health-checking load-balancer on every web server affords some interesting failover opportunities.

Anyway, hope this helps someone. NginX can be a caching reverse proxy. Maybe not the best, but sometimes, just sometimes, simple > faster.

After being a customer for the Rackspace Cloud (formerly Mosso) for quite some time, I’m happy to say that my business and anyone who listens to our advice will never be using this hosting service, ever again.

Rackspace is an amazing company. They are known for having great servers, great support, great everything. You can’t beat them. Mosso was a side project that was swallowed up by them which aims to run websites in a real, actual cloud. This is a valiant cause. To be able to upload a site to one server and have it scale infinitely over however many servers their datacenter has without ever having to touch it…that’s a miracle. It’s a great idea, that unfortunately just doesn’t work.

Mosso has repeatedly let us down, again and again. Their service is always going down. It’s hard to find a month where one of our sites hosted on the “cloud” hasn’t seen at least an hour of down time. I’d expect this from a shoddy “HOST 100 SITES FOR $2.99/mo!!” host, but not from someone charging a base rate of $100/mo. Here’s what it boils down to: you’re paying Mosso a lot of money for the privilege of beta testing their cloud architecture. Great business model.

And while Rackspace is known for fanatical support, the Rackspace Cloud is known by us for support that is fanatical about ignoring or avoiding the issues plaguing them on a week-to-week basis. Questions go unanswered, support requests ignored, etc etc.

So all in all, it’s been a terrible experience. And yes, we have been using them for more than a month…a little over a year now. Yes, we stuck it out and paid outlandish hosting rates for horrible service. Why? Because I really do wish it worked. I wish I could put a site on it and have it be up 100% of the time. That’s the point of a cloud, no? To have >= 99.999% uptime? I really wish I could put a site on there and let it scale with demand as it grew without ever having to touch it – and I can do this – but the price is my site goes down for long periods of time at short intervals (oh, plus the $100/mo). We tried to give them the benefit of the doubt, and tried to believe them every time they told us that this was the last downtime they’d be having (yes, we heard it a lot). I just can’t lie to myself any more though. Mosso sucks.

So please save yourself some time and realize that it’s too good to be true. The Rackspace Cloud is the most real and cool cloud hosting you’ll ever see, but as far as I’m concerned they are still alpha-testing it, and your site WILL go down. Want hosting that scales automatically, is zero customer maintenance, always up, and has amazing support? You won’t find it anywhere.

Mosso comes close, but they just can’t get it right. Save your money and learn how to scale on a good VPS provider.

Yeah, so this amazing new device will, like, revolutionize the way we all look at things and stuff. Because you can touch it, things will be way better. Our lives just got a ton better. This revolutionary device will revolutionize the way we look at news and movies. Oh, and it will also change the way cities are structured.

So, in case you haven’t heard, Apple took their iPod touch, made it 5x bigger, and are now marketing it as the iPad (or “Tablet”). Where does that leave us? A portable device that’s not portable and really fucking difficult to use. The reason laptops have keyboards and pointing devices is because people don’t like on-screen keyboards. They suck. It’s necessary on small and mobile devices like the iPod touch, but on a bigger level it’s not…which is why laptops exist.

So before you follow the marketing hype and buy your new $500 tablet, ask yourself “What the fuck am I thinking?! I already have an iPod, and I already have a laptop. Those swindling asslickers don’t need more of my money!”

That’s right, the iPad is a shitty in between piece of shit which is shitty and smells like shit. It’s not quite a laptop, and it doesn’t quite fit in your pocket. Stay away!! Don’t be a dweeb!

Hey, this will be short. Me and my brother just launched our event site, beeets.com, in the Santa Cruz area. Check it out, post events, give feedback. We’ve been slaving away and we’re really excited about it. Thanks!

I just stumbled onto this tonight: The Mootools plugin forge. Pretty sweet. Tons of fan-based plugins for Mootools in one spot. Check it out!

Google recently made a change to their main search page. Everything besides logo, search box, and buttons is now hidden until the page is moused over.

<rant>
What the fuck? Your search page was so simple. So clean. There was nothing to fix, nothing to make simpler. There was minimalist navigation on the top, and a few links on the bottom. It worked very well and was very good design.

You took something very simple, and tried to make it simpler. You have not succeeded. You took what you view as a problem and swept it under the rug. Your homepage isn’t simpler at all…it just LOOKS simpler at first glance. Then with first mouseover, it fades in?! What the fuck are you thinking?

This is the kind of childish effect a high-schooler learning HTML 4 would hack into his first homepage with shitty javascript. It looks nifty the FIRST TIME but after that it’s completely obnoxious and frustrating. I don’t want to wait to click on Images or News. Even if it’s 1/2 second.

To use the words of a blog commenter: “Imagine being at your desk preparing to work, but the desk chair would not appear until you try to sit down.” This is exactly how I feel.

If you really want to keep your juvenile display of javascript skillz, please give people an option to disable it so we don’t have to keep a bucket nearby in case new the homepage induces violent bouts of vomiting. Until then, I (and several others from the sounds of it) will be using Bing.
</rant>

I recently got a WRT54G v3 (an older version of a Linksys router) off of ebay. I specifically got a version 3 because it’s the best router known to man that’s under $300. If you can get one for less than $50, my advice is to take it. Up until a few days ago, it was running the stock Linksys firmware. It’s not terrible but it’s not very extravagant either. We had a power outage and after that, wireless stopped working. I tried many things, including slapping the unit with my balls to make sure this wasn’t some sort of misguided power struggle. Putting it back in its place should fix that. No luck.

I had heard many, many times about the dd-wrt firmware. One of the good things about the WRT54G v3 is that you can install just about any custom firmware you want onto it. I’d also heard in the past about a firmware called Tomato. It’s supposedly light, lean, fast, and has great QoS (although I never even bother with QoS).

I decided to give it a shot. I’m in love. It gives you all the options you need for the things you’d want, but doesn’t bloat up the interface with extra junk. It’s simply amazing. I really think Linksys should just stop bothering to make their own shitty firmware and just install Tomato on their routers.

Unfortunately, Tomato didn’t fix the wireless problem, so I had to plug in an old nemesis Netgear router I had laying around. It started, in memory of times past, dropping my connection every 5 minutes. Fine for browsing the interweb, but not for streaming music or “videos.” I decided to give the Linksys one more shot…and it worked! Thank god. The best router ever with the best firmware I’ve seen so far, NOW with wireless. It must have been some strange hardware issue that fixed itself.

To be fair, I’ve never used dd-wrt and therefore can’t give a good comparison between it and Tomato. If I had a few extra routers laying around, I’d try it out…but each firmware flash is a dance with the devil and I can’t afford to get / find another one.

There are probably a billion guides for this already, but whatever. If you DON’T have a ~/.bash_profile (a file bash runs every time you start a Cygwin shell):

touch ~/.bash_profile
chmod a+x ~/.bash_profile   # not strictly needed, since bash sources the file rather than executing it

Now that you have the file, add this to it:

SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
# only start an agent if this shell didn't inherit one (no $SSH_AUTH_SOCK set)
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
	# ssh-agent -s prints the SSH_AUTH_SOCK / SSH_AGENT_PID exports; eval applies them
	eval `$SSHAGENT $SSHAGENTARGS`
	# kill that agent (and forget the keys it holds) when this shell exits
	trap "kill $SSH_AGENT_PID" 0
fi

This will start up ssh-agent for each Cygwin shell you have open. Close your Cygwin shell (if one is open) and open a new one. Now type:

ssh-add ~/.ssh/id_rsa
[enter your password]

Voila! No more typing your stupid password every time you need to ssh somewhere. Note that if you close the Cygwin window, you’ll have to ssh-add your key again! This is good security…you can close the window when you’re done and someone who happens on your computer sitting there won’t have password-less access to any of your secure logins.