
Blog

Going Lower-Level

I just released, on GitHub, IdleTaskTerminatorLite, my first foray into the lower-level world of programming directly with the Win32 API.

We use an old custom shutdown.exe (BeyondLogic Shutdown) to provide a timed screen lock feature, where a user is notified their screen will lock in a period of time and can cancel the locking of the workstation.

Clicking the Cancel button within the time limit, however, seems unnecessary and requires precisely clicking the Cancel button when the user is under time pressure! This is not a good user experience. A simple change to the idle state of the machine (any keypress or mouse movement) should cancel the timed locking of the workstation.

This lightweight background application detects user activity and forcibly kills the beyondlogic.shutdown.exe process, effectively cancelling the locking of the workstation without requiring the user to actually click Cancel.

This is currently rather ‘opinionated’ in that it specifically checks for hard-coded named processes running. It Works for Us(tm), but you may need to modify it for your environment. 😉

This whole solution is a little bit hacky, but it works. 😐

I had written something along these lines to terminate this workstation lock program in C#, but as a .NET process running in the background, you were looking at dozens of megabytes of RAM for something always running in the background. It felt thoroughly inefficient and unnecessary for something so simple.

I have always found myself honestly a little frightened of C and C++. Horror stories around coding securely, the undefined behaviour of doing ‘pointer stuff’ yourself… but this little project represented an opportunity to take this relatively rudimentary functionality and learn how to implement it with the Win32 API directly in a C program — and in doing so, cut resource usage (hopefully) significantly.

So, I did. Using the oft-abused WH_KEYBOARD_LL hook (and its WH_MOUSE_LL cousin), I periodically update a counter as to the user’s last idle time. If the hook is called (i.e. the user is typing or moving the mouse) and it’s been long enough since we last noticed such interaction, I check for the beyondlogic.shutdown.exe process and, if present, kill it.

This began life as whatever Visual Studio template gave me a buildable project that let me work with the right APIs, so there is likely unnecessary stuff still present and it could be more lightweight still. And, there’s a good chance I’ve made mistakes that need correcting, so please do get in contact if you’re willing to educate me in some small (or large) way!

I have tried to be particularly careful with buffers — string handling is either done with (I guess, inefficient) fixed-size buffers where I check what I put in will fit first, and I’ve tried to use the ‘safe’ string functions where possible too.
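As an added example (not code from IdleTaskTerminatorLite itself) of the two points above, here is the rate-limited "has the user become active again?" decision and the fit-before-copy buffer handling, in portable C with hypothetical names and an assumed 5-second re-check interval; the hook installation and process calls themselves are deliberately left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not IdleTaskTerminatorLite's own code; every name here is
 * hypothetical. Only the portable decision and string-handling logic is shown. */
#define CHECK_INTERVAL_MS 5000u               /* assumed re-check interval */
#define TARGET_IMAGE      "beyondlogic.shutdown.exe"
#define IMAGE_BUF_SIZE    64                  /* fixed-size name buffer */

typedef struct {
    uint32_t last_input_ms;  /* tick of the last event that triggered a check */
    bool     primed;         /* false until the first event is seen */
} idle_state;

/* Called from the hook callback with the event's tick count. Returns true on
 * the first event, or once CHECK_INTERVAL_MS has passed since the last handled
 * one; unsigned subtraction stays correct across GetTickCount-style wraparound. */
bool idle_on_input(idle_state *s, uint32_t now_ms) {
    if (!s->primed || (uint32_t)(now_ms - s->last_input_ms) >= CHECK_INTERVAL_MS) {
        s->last_input_ms = now_ms;
        s->primed = true;
        return true;
    }
    return false;
}

/* Copy src into a fixed-size buffer only if it fits with its terminator;
 * on failure dst is left untouched and must not be used. */
bool copy_if_fits(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) return false;          /* no room for the NUL */
    memcpy(dst, src, n + 1);
    return true;
}

/* Image names are compared case-insensitively; an over-long name can never be
 * the target, so the length check rejects it instead of reading past. */
bool is_target_image(const char *image_name) {
    char buf[IMAGE_BUF_SIZE];
    if (!copy_if_fits(buf, sizeof buf, image_name)) return false;
    const char *a = buf, *b = TARGET_IMAGE;
    for (; *a && *b; ++a, ++b) {
        unsigned ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Constructed timeline starting just below the 32-bit tick limit so it crosses
 * the wraparound: ten keystrokes 200 ms apart, then events 5 s and 12 s after
 * the first. Returns how many times the lock process would be looked for (3). */
int simulate_typing_burst(void) {
    idle_state s = {0, false};
    const uint32_t base = 0xFFFFF000u;
    int checks = 0;
    for (uint32_t i = 0; i < 10; i++) checks += idle_on_input(&s, base + i * 200);
    checks += idle_on_input(&s, base + 5000);
    checks += idle_on_input(&s, base + 12000);
    return checks;
}
```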

So, it’s a baby step towards working on more low-level projects. But, I’ve taken some action to tackle my pointer anxiety. 🙂

Maybe next the whole program should do the workstation locking, warning message and idle detection in one program.

DfontSplitter 0.4.2 for Mac — Critical Security Update

DfontSplitter icon

Today I release DfontSplitter 0.4.2 for Mac. This is a critical security update that fixes an issue relating to the Sparkle software update framework when the update pages are served over HTTP. As of 0.4.2, the update pages are now, naturally, served over HTTPS. (It was more than five years ago when the last release was made!)

The vulnerability means that in a scenario where an attacker could launch a man-in-the-middle attack during a Sparkle-enabled app’s update detection process, arbitrary JavaScript could execute in the WebView hosting the release notes. Due to the context that the WebView runs in, the app could then be convinced to run local files, expose local files to a remote server and even execute arbitrary code. More details and a full breakdown are at the post on Vulnerable Security.

This update fixes the Sparkle-related security issue by updating Sparkle and requiring HTTPS for all future DfontSplitter app update communications. Due to new build requirements in Xcode 7.2, the application now requires at least OS X Snow Leopard (10.6) and a 64-bit Intel processor.

The automatic updates feature within DfontSplitter should detect the update, but you can also download and install it manually.

Thanks to Kevin Chen for pointing out the existence of the issue with Sparkle and that it affected DfontSplitter. I had somehow missed the original reporting of the vulnerability, so I particularly appreciate Kevin bringing this to my timely attention.

The astute among you may note that in the Info.plist for this update, I explicitly disable the OS X 10.11 SDK’s check for HTTPS forward secrecy in the HTTPS communications to the update server. Once I figure out a cipher suite configuration that I am happy with, and understand, in Pound (my reverse proxy acting as the TLS terminus), I will update the app again to require forward secrecy.

SaveTimer

About a month ago (whoops!), I released another open source project into the wild, SaveTimer.

This was one of those “wouldn’t that be a cool idea” moments that spontaneously resulted in a modest little project. The whole thing was conceived, built and published in the space of a few hours!

Save Timer

SaveTimer screenshot

Notify a user if they have not saved in a ‘watch directory’ for a certain interval.

Basic Description

This is a very simple application, written in C#/.NET 4.5.2, which observes a specified ‘watch directory’ on a given interval. The most recent file in the watch directory is examined to determine its last modified time. If this is older than the specified interval time, the user is shown a message reminding them to save their work. The user can suppress the messages for an indefinite period of time by right-clicking the icon in the ‘clock box’/system tray and choosing ‘Stop reminding me’.

This was written to support academic examination access arrangements, where users are intentionally only given access to a cut-down word processor such as WordPad, without spellcheck support. Unfortunately, WordPad does not autosave, so this application provides a regular reminder for the user to save. In this usage, the user is given a blank mapped drive to save in. In addition to the regular save reminders, the application also ensures that the user has saved in the correct directory to avoid data loss and ensure compliance with controlled conditions of where they must save.

SaveTimer logo

SaveTimer logo (the Dashicons clock, licensed under GPLv2 or later with font exception)

At the risk of sounding immodest, one of the most enjoyable things about this project was jumping right back into the C#/.NET environment, with which I have spent less time recently, and discovering that I still had all of the intuition of how to build the functionality I desired. Perhaps this is testament more to Visual Studio’s IntelliSense suggestions and the simplicity of the application, rather than my memory, but it nevertheless was a rewarding feeling to quickly go from zero to an app that does a specific task quite well!

I’m also pleased to say it ran in… shall we say, production… without causing any issues. If it saves one piece of work, I think it will be worth it!

SaveTimer is released under the GNU GPLv3 or later. The code is available on GitHub and you can also download a ready-to-run executable, if you have .NET 4.5.2 installed. No installer required!

Cautious Unattended Upgrades

I’m very excited to have put the ideas mentioned in my previous blog post about Cautious Unattended Upgrades into practice!

To quickly recap, the idea is a software package that, on a Debian-based test system (‘the canary’), installs the latest security updates, runs an automated browser-based test suite to make sure these new updates have not broken any critical functionality on our clients’ sites, then ‘pushes’ just these package updates to the production servers.

In keeping with my original plan, the software is written in Ruby and uses Watir/Selenium WebDriver to run a suite of tests that verify, just as a human being would in a live web browser, that client websites work correctly.

A canary — as in ‘the canary in the coal mine’

Cautious Unattended Upgrades — the canary in the coal mine. Image by stevep2008 on Flickr, licensed under CC-BY 2.0.

I was expecting the biggest challenge would be getting this browser automation side of things working, but actually that proved very easy, which is a testament to the design of those projects.

The software is still a little rough around the edges, as I explain in the README file on GitHub, but I’m very pleased with the project’s progress. We have put it into use on our live systems at Van Patten Media, so we can keep servers promptly up-to-date with security patches without our intervention, but retain a greater peace of mind that our clients’ sites are still working as they should post-upgrade. (This is of course dependent on the quality and breadth of the tests that we write!)

I am particularly excited that this marks the first ‘real’ project in Ruby that I have written. Ruby isn’t a platform I have worked with too extensively before, so I have enjoyed challenging myself to be exposed to a different environment and quickly pick up how to achieve what I want to do. There is definitely more work to do — it really should be organised in a slightly more ‘Ruby-like’ way, and perhaps become a proper Ruby Gem, listed on rubygems.org, so those are things I will be looking at over the longer term for this project.

If you are interested in using Cautious Unattended Upgrades, or contributing to making it better, the project is licensed under a BSD-style licence and the code is available on its GitHub project page.

Total Slider 2.0

Total Slider Banner

I am very excited to be able to announce that Total Slider 2.0 has been released!

Version 2.0 is a significant milestone in the plugin’s history, and brings a very important behind-the-scenes change to the way your slide information is stored. In addition to that, and a lot of cleanup work in the code itself, there is now the capability of having draft slides as well as auto-saving of those drafts, making it much more difficult to lose data!

Total Slider 2.0 draft functionality

Being a side project that has to fit in around my day job and other work, this has taken much longer to get out there than I would have liked, but I am very happy with the result. The particular challenge of making sure the data format upgrade goes without a hitch involved some extensive testing, but I’m pretty confident (about as confident as you can be!) that the upgrade process will be very smooth. In the unlikely event there is an issue, you can roll back the plugin to v1.1.5 without any loss of data. Obviously, taking a database backup is a good idea, though! 🙂

With this big infrastructure change out of the way, I’m looking forward to the future of this plugin. I hope we can deliver more graphical goodness (a slider template previewer would be nice!) and a greater variety of templates that ship with the plugin to support the different preferences people have for their sliders.

It’s really exciting to finally get this released to the 1,000+ active users (according to its WordPress plugin page) this software has, and I’m looking forward to making it even better as and when I can!

You can download Total Slider from the WordPress Plugins Directory.

5.0

As I move closer to the significant milestone of one decade of having this personal blog, I felt that it was time for a significant overhaul of the look and feel of this site, as well as some of its non-blog post content.

Enter the 5.0 release! 🙂

Responsive and Refined…


Rather than evolving the existing stylesheet and making changes, I actually started over, using a new SASS-based CSS workflow. If you look really hard, you will see bits and pieces of the old CSS hanging around that I have migrated forward for the moment. In the fullness of time, though, all of the old code should be gone!

The result is a site that is truly responsive — it is designed for small screens first, then it scales up to larger displays, rather than having a full-size only layout, but removing content for display on smaller screens. I did have a retro-fitted responsive system before, but this approach is much cleaner and delivers a more consistent result.

PWDB 5.0 Mobile display

A Font First!

Adding to the use of Colaborate for headings from my last design refresh, this design actually débuts my first experiment with editing fonts.

Thanks to the GPLv3 licensing terms of Colaborate, I was able to take it into TypeTool, and tone down its rather characterful lowercase ‘t’ for use as body text. The result is a custom font that, while it has its imperfections with kerning and missing ligatures, is an exciting first experiment for me — putting my interest in type design to some practical use. I hope I will look back upon this first experiment with embarrassment later on when I have learned so much more, but for the moment it is very gratifying to have something to say “I did this” about!

You can download my source files for this font. This font, as it is based on Colaborate, is also licensed under the GPLv3 with font exception.

A More Modern Portfolio

The content on my Portfolio page had definitely aged, and was long overdue an overhaul. It now focuses on four main areas — Devops and Automation, Systems Administration, Web Development and Software Development.

More to Come!

As mentioned, this is a big change, but that doesn’t mean I am done! There are various other places where older content and design still might be evident, and I hope to get to more in the coming weeks.

Working on Total Slider 2.0

Total Slider Banner

I’ve been fortunate this week to have a little time to work on Total Slider, my (and Van Patten Media’s) open source WordPress plugin for making those neat little slideshow things, like so:

Example Total Slider slider

I have been meaning to get to this project again for a while, so it is great to get a moment or two to give it the love and attention it deserves.

My focus thus far has been on a complete overhaul of Total Slider’s data storage format — away from wp_option records and towards a custom post type.

This change is not only the right thing to do to clean things up and follow best practices, but it opens doors to other neat features that will make Total Slider feel like it fits into the WordPress Way even more. Without making undeliverable promises, I’d love to see automatic saving of slide drafts make it into 2.0! 😉

One of the things I have found that is pleasing is that much of the code I have already written is sufficiently abstracted that ripping out the fundamentals of the data format has been a lot less painful than it could have been!

It is nice as well to use this blog for one of its original purposes, to give updates on the projects I am working on. 🙂

You can follow progress in the unstable branch on the project’s GitHub page.

Announcing Total Slider

Total Slider icon

I’m really pleased to announce that the WordPress plugin I have been working on with Van Patten Media, Total Slider, has now been released!

Total Slider is a plugin for WordPress from Van Patten Media that will transform your experience with sliders forever. Build your own templates in PHP and CSS, then preview the output in a beautiful WYSIWYG interface designed to blend seamlessly with the WordPress core.

Total Slider is released under the GNU GPL version 2 or later. We’d love your feedback, ideas, bug reports, translations and more.

Here is a quick 2-minute video introduction:

You can find out more at TotalSlider.com, and download Total Slider from the WordPress plugin directory.

The Very Simple PayPal Bridge

Just a quick note to say that I’m proud to announce the release of some more open source code, as part of my collaboration with Van Patten Media.

The Van Patten Media Labs site has all the details of the Very Simple PayPal Bridge — a simple way to connect to the PayPal API.

Interacting with the PayPal NVP API is something that a lot of e-commerce websites need to do. If you’re writing your own code for a bespoke e-commerce solution, rather than shoehorning in generic ‘Shopping Cart’ software, there is quite a lot to think about in order to communicate successfully with the API and provide a great payment experience for the site’s customers.

The Very Simple PayPal Bridge is a PHP class that, as the name suggests, provides a very simple interface for the PayPal NVP API.

In any situation where you need to interface more directly with the PayPal API, the VSPB provides a clean interface for the other layers of your code, dealing with all of the implementation details of sending requests via cURL, encoding and decoding the arguments, as well as offering full support for graceful error handling with PHP exceptions. It is great as a lower-level component of a wider PHP e-commerce solution.

For more information, see the post on Van Patten Media Labs and check out the code at GitHub!

New Year, New Site Design

A change of scenery here at my personal site has been long overdue, I think, so I’m pleased to usher in 2012 with a refresh of the site’s design!

A screenshot of the new site design

Keeping Things Compact

The first thing you’ll likely notice is the new compact, fixed header, with the navigation to the major parts of the site. It stays fixed in place, so you can always get back to any of those pages at any time. (It also swaps out the legacy image gradients for exciting new CSS3 gradients where available!)

Who Shot the Serif?

I have also moved away from Bitstream Charter/Georgia as the main font around the site, in favour of Helvetica Neue/Helvetica/Arial, combined with the existing accents of Gill Sans (where available!) for the headings. I think the site now has a more contemporary feel — and reads particularly well on devices where Helvetica Neue is available, like the iPad.

There is also a new webfont in use for the ‘Peter Upfold’ text in the header — Charis SIL (generously licensed under the SIL Open Font Licence).

Practising What I Preach

Cookie picture, by amagill -- http://www.flickr.com/photos/amagill/34754258/

As a strong proponent of users having control over their privacy online, I am pleased that the Do Not Track initiative, for indicating the user’s preferences about tracking technology on the web, has gained traction in many web browsers. Because I support the rights of users to make choices about the code running in their browsers and what information it is collecting about them, I took this opportunity to begin the implementation of Do Not Track support on my site.
