Using bcrypt in CakePHP 2.3

CakePHP 2.3 adds native support for the bcrypt hashing algorithm, which is often recommended because of the amount of analysis that’s gone into it and its configurable cost function.

Using it isn’t obvious, however. The 2.3 migration notes merely say, “You can now use Blowfish in your $authenticate array to allow bcrypt passwords to be used.”

Due to limitations in how Auth works, a new authentication type was added in addition to a new hash type. So to use bcrypt, your $authenticate variable should look like this:

$this->Auth->authenticate = array(
    AuthComponent::ALL => array(
        'scope' => array('User.active' => 0)
    ),
    'Blowfish',
);

That only affects checking the password. To hash passwords using bcrypt, you also need to modify your model because Auth::password won’t work.

    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] =
                Security::hash($this->data[$this->alias]['password'], "blowfish");
        }
        return true;
    }

Note that you can configure the cost by using Security::setCost (the default is 10).
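As an added example (not code from this post or from CakePHP itself), here is a User model that applies the above and also checks a password the way the Blowfish authenticator does, by passing the stored hash back in as the salt. It assumes CakePHP 2.3’s Security class and a `password` column wide enough for the 60-character bcrypt string.

```php
<?php
// Added example, not from the original post: a CakePHP 2.3 model that
// stores bcrypt hashes and verifies them. Assumes a `password` column of
// at least 60 characters and the Security class shipped with 2.3.
App::uses('AppModel', 'Model');
App::uses('Security', 'Utility');

class User extends AppModel {

    public function beforeSave($options = array()) {
        $alias = $this->alias;
        // Only hash when a non-empty password was submitted; otherwise a blank
        // field on an "edit profile" form would overwrite the stored hash.
        if (isset($this->data[$alias]['password']) && $this->data[$alias]['password'] !== '') {
            Security::setCost(12); // default is 10; raise as your hardware allows
            $this->data[$alias]['password'] =
                Security::hash($this->data[$alias]['password'], 'blowfish');
        }
        return true;
    }

    /**
     * Check a plaintext password against a stored bcrypt hash. Passing the
     * stored hash as the "salt" makes crypt() reuse its cost and salt, so the
     * result equals the stored string only for the right password.
     */
    public function checkPassword($plain, $storedHash) {
        if (strlen($storedHash) !== 60) {
            return false; // not a bcrypt hash (e.g. a legacy sha1 row)
        }
        $candidate = Security::hash($plain, 'blowfish', $storedHash);
        // Compare every byte rather than stopping at the first mismatch.
        $diff = strlen($candidate) ^ strlen($storedHash);
        for ($i = 0; $i < strlen($candidate) && $i < strlen($storedHash); $i++) {
            $diff |= ord($candidate[$i]) ^ ord($storedHash[$i]);
        }
        return $diff === 0;
    }
}
```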

Googling for bugs: hundreds of date-formatting mistakes

Here’s something really easy to screw up:

<?php
echo date("Y-m-d H:m:s");
?>

Spot the mistake? The “m” format code can only mean one thing, which is “months”, not “minutes”. Yet, when you’re writing code in a hurry, it’s so easy to quickly write this code and assume it works. After all, it raises no errors or warnings, and always generates valid datetime strings. It’s just wrong.

Googling for ‘site:github.com “Y-m-d H:m:s” php’ returns hundreds of examples of mistakes. I tried to fix a couple instances but realized that there’s so much abandoned code on Github that it would’ve been useless.

This is a prime example of something that static analysis could warn about: just look for “H:m:s” or “h:m:s” in the first argument to date. This mistake isn’t limited to PHP, of course, as this Java example shows.
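The static check suggested above, written out as an added example (not from the original post): it tokenizes PHP source with the built-in tokenizer and reports every `date()` call whose first argument is a string literal containing “H:m:s” or “h:m:s”, so it ignores the pattern inside comments. The sample input at the bottom is constructed for the demo.

```php
<?php
// Added example, not from the original post: a small static check that flags
// date() calls whose first argument is a string literal containing "H:m:s" or
// "h:m:s" (months where minutes were meant). Using the real tokenizer means
// comments and unrelated strings are not reported.
function skipWhitespace(array $tokens, $j) {
    while ($j < count($tokens) && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
        $j++;
    }
    return $j;
}

function findDateFormatBugs($source) {
    $hits = array();
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING || strtolower($tok[1]) !== 'date') {
            continue;
        }
        $j = skipWhitespace($tokens, $i + 1);
        if ($j >= $n || $tokens[$j] !== '(') {
            continue; // "date" used as a name, not as a call
        }
        $j = skipWhitespace($tokens, $j + 1);
        if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_CONSTANT_ENCAPSED_STRING
            && preg_match('/[Hh]:m:s/', $tokens[$j][1])) {
            $hits[] = array('line' => $tokens[$j][2], 'format' => $tokens[$j][1]);
        }
    }
    return $hits;
}

// Constructed sample input: one buggy call, one correct call, one in a comment.
$sample = <<<'SRC'
<?php
$a = date("Y-m-d H:m:s");   // bug: m is months, not minutes
$b = date('Y-m-d H:i:s');   // correct
// date("H:m:s") inside a comment is not a call
SRC;

foreach (findDateFormatBugs($sample) as $hit) {
    printf("line %d: date(%s) uses m (month) where i (minutes) was probably meant\n",
        $hit['line'], $hit['format']);
}
```

Run over a tree with `find . -name '*.php'` and a loop; only the second line of the sample is reported.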

We don’t remember your startup

Yeah, your startup. You know, the one that had the nifty HTML5 responsive launch page? The one that promised big things and nifty features? The one where we typed in our email address so we could be notified when it launched? You spent the last five months working your butt off to productionize and bugfix your startup, and when the time came, you crafted together a short but sweet email asking us to try out the beta.

Thing is, you forgot to remind us what your startup does. So I get this email from some website with a sufficiently hip name asking me to check them out right this instant. I don’t recall ever seeing them before, so it must be spam, and in the few seconds I have before my train arrives, I trash it and move on to the next piece of mail.

What is a divshot and why should I care about it?

After working on your startup for the last year and spending every waking moment thinking and talking about it, it’s easy to assume people know about what you’re doing.

But for the rest of us, it wouldn’t be too much work to include your one-line pitch, would it?

Have you ever been computer illiterate?

If you’re like most hackers, you’ve spent so much time on the computer that the jargon and lingo have become natural. You instinctively know where the OK and Cancel buttons are, and get upset when they’re switched around for no apparent reason. You scan dialog boxes and make the right decision in a second, because who hasn’t seen “Do you want to set Firefox as your default browser?” a million times?

We are perplexed when users click through confirmation windows without a second thought. We sigh when someone doesn’t know where to find their terminal emulator. We become frustrated when people complain about poor performance but can’t even tell us whether they’ve maxed out their RAM and have swapping.

Look at these words! We’ve churned out so many abbreviations and neologisms that other developers can’t even understand us! But what about our users? What if they’re not computer professionals with 10+ years of Internet experience? What if they don’t know what we’re talking about? Or what if they’re using your product in something other than their native language? Why aren’t our users like us?

Try this. Switch your software into a language that you don’t know very well. If you took Spanish throughout high school or a couple years’ German in college, switch your computer to that. It’s very easy to do in OS X and iOS, and almost as easy on Ubuntu. Google products can be switched by adding the “hl” param to most Google URLs. For example, “hl=ja” switches the page to Japanese.

Just drag’n'drop another language to the top.

It’s a completely different experience.

Don’t just switch back after a day. Force yourself to use your computer in another language. After all, there are millions of people who simply can’t switch their computer to their native language. Use your now-alien computer, and you’ll find your habits changing.

Your eyes don’t immediately zero in on the correct list item any more. You avoid using the menu bar until you know you have to, and when you do, you’re still guided by a spatial-positional “feel” of where things are. And if it’s a rare need, like changing your accessibility settings, you sit there and slowly read each menu item until one of them vaguely sounds like what you’re looking for.

And it’s not just an issue of knowing words. You might know the words, for some superficial meaning of the word “know”, but when ordinary words are applied to computers, it often takes mental processing to understand their new meaning.

When you click “Cancel” in a dialog box, what are you cancelling? Is it cancelling in the same sense that you would cancel a reservation or a plane ticket? (We are all guilty of genericizing “OK” and “Cancel” as the default dialog-box buttons.) When I see “Ventana”, I think of a big hole in my wall filled with a glass panel. I can’t help it—that’s the meaning I learned—and it takes a second or so to recognize that that’s where I should go to find a list of my terminal instances. And when I first saw “終端”, which could be defined as “end extremity”, it was only by recognizing its icon that I knew it meant “terminal”.

Why would we expect people to know that “terminal” means that little window with monospace text and funny symbols? We don’t even think to ourselves that historic terminals were the endpoints for mainframe communications.

So notice how your usage changes in an unfamiliar environment. You’re afraid of clicking words you don’t understand, because it might be even harder to undo your changes (e.g. setting your keyboard to “드보락”). When you don’t know how to get the functionality you need, you’d rather work around the problem or Google for the answer, because you can’t skim long drop-down menus very quickly. And textual documentation is useless, because the time and energy it takes to decipher the documentation is more than you’re willing to spend on your problem anyways.

Suddenly, customizing your computer becomes a chore, made worse by the nagging uncertainty of being able to remember how to reset those options. You notice subtle differences in localization between vendors as well—why is it that you sometimes 复制 and other times 拷贝 to send the selection to your system clipboard? You tend to stick to applications you’re familiar with, because you’d much rather get things done than spend so much time figuring out a new interface. You can feel your textual comprehension speed drop by a factor compared to what you’re used to.

And when you’re not sure, you rely on visual cues to confirm your guesses. The System Preferences icon to change your language back might be “言語とテキスト”, but it looks especially promising because it has a wavy UN flag as its icon. (A globe or a couple characters from different character systems would be great too.) The default options in dialog boxes, along with their positions, become important too, because you don’t feel like reading the actual message, and you’re likely to pick the rightmost or highlighted option anyways.

You like things with fewer options, because it takes less time to read them all, and it means fewer chances to mess something weird up. Visual layouts help with understanding things, because you can draw analogies to what you know. And it’s not always obvious which things are action widgets that you can click on, especially if they’re not styled like a button (I’m looking at you, Android).

So go ahead, change your system language and use it for a month. You might be surprised at what you’ve taken for granted.

PHP’s wonderful pseudo-functions

There is a pseudo-function in PHP called empty that tells you whether a variable is “empty” for someone’s definition of empty. The empty string, zero, null, and undefined variables are all considered to be empty.

<?php
$x = null;
echo empty($x); // prints "1"
echo empty($nothere); // prints "1"

Well, how did they make it work for undefined variables? They made empty a language construct, not a function, so that its argument isn’t evaluated before the empty check happens. This leads to some great errors:

$x = 0;
echo empty($x); // prints "1"
echo empty(0); // PHP Parse error:  syntax error, unexpected T_LNUMBER in php shell code on line 1

Or better yet,

function y() { return 0; }
echo y(); // prints "0"
echo empty(y()); // PHP Fatal error:  Can't use function return value in write context in php shell code on line 1

PLT is basically magick.

Fixing Minecraft on Ubuntu with OpenJDK

Minecraft! On Ubuntu! It actually runs great, once you get it to run, but there were two little things mere mortals can’t reasonably be expected to debug.

Can’t connect to minecraft.net

My Internet connection worked, minecraft.net was up, friends were able to connect just fine, but I couldn’t. Running it from the terminal via java -jar minecraft.jar showed the error message java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.

Basically, Minecraft uses SSL to protect your login, but Java didn’t have the CA certificates needed to verify the server. The Minecraft launcher really should give a better error message, but this was really Ubuntu’s fault. You need the ca-certificates-java package installed, but on my Ubuntu install, it was broken. Try doing ls /etc/ssl/certs/java/cacerts. If it comes up missing, then you need to copy it from a friend or a different Unix machine. You don’t want to copy security files from strangers…

Black screen

Looking in the terminal showed the error java.lang.UnsatisfiedLinkError: ...: libjawt.so: cannot open shared object file: No such file or directory. There’s no good reason why an OpenJDK install can’t find its own damn libraries, but you can manually set your LD_LIBRARY_PATH variable to contain it.

Try doing locate libjawt.so. You’ll want to set your LD_LIBRARY_PATH to include one of the directories it gives you (just the directory, not including the file). Depending on whether you have OpenJDK 6 or 7, you’ll do something like:

LD_LIBRARY_PATH=/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/ java -jar minecraft.jar

Again, check the results of locate versus your OpenJDK version (if you’re not sure, run java -version).

Getting the Sparkfun EL Escudo to work

I’m really disappointed in Sparkfun. I recently purchased the EL Escudo shield for driving EL wire with a microcontroller, and woe be upon anybody who doesn’t do hours and hours of Internet research before plugging the thing in. There were 3 years of questions from poor customers with only a few answers, and the few answers that were there were often contradictory. Here are my conclusions from my Internet research, and the amazing Will Byrd helped me finally get it to work. Long story short, Sparkfun sets you up to fail and hasn’t fixed things in 3 years.
(more…)

Ubuntu works great with the MSP430 Launchpad

I got my MSP430 TI Launchpad more than a year ago simply because of the price. It was (and still is) $4.30 (with free shipping!) for a development board, two MSP430 microcontrollers, external crystal, and USB cable. Unfortunately, Windows was the only supported OS at launch time with a couple proprietary bundled IDEs. It still is the only officially supported OS, but setting up Ubuntu 11.10 and newer for the msp430 has become trivial:

sudo apt-get install gcc-msp430 gdb-msp430 mspdebug

To test your Launchpad, try compiling “blink” from https://github.com/mrothe/ti-launchpad.

The build process goes something like:

msp430-gcc -Os -mmcu=msp430x2012 -o main.elf main.c
msp430-objcopy -O ihex main.elf main.hex # generate hex file
mspdebug rf2500 "prog main.hex" # download to the launchpad

Do mind your O, o, and 0.

Why are you bankrupting yourself for college?

What do universities want? The same as what everybody else wants, really. Power. Fame. Money. Well, the money’s actually a means to the first two, because you obviously don’t become powerful and famous (sorry, “prestigious”) without money.

How do universities rise up? They hire and sponsor press-worthy research and researchers, and save up money to build shiny new buildings every so often. That takes a lot of cash, so they have to keep the dough rolling in.

Universities generally rely on four or five sources of funding: (more…)

Dreamhost is so 2004

Today marks my final move from uncool, mainstream shared hosting to the fantastic world of pay-what-you-need technology mash-ups.

Shared hosting…

I used to have shared hosting at Site5. They were OK. I really can’t complain much except that their dashboard functionality for hosting multiple domains on one account seemed archaic. I signed up almost exactly 5 years ago on their The Five Dollar Web Hosting Deal, which offered seemingly huge allocations of 55GB of disk space and 5TB of bandwidth. The plan has long been discontinued and Site5 followed the rest of the industry towards “unlimited” shared hosting, but I never “upgraded” because I never hit those limits and the newer $5 plans couldn’t host multiple sites. Site5’s interface got slicker and their servers got stabler, but I eventually wanted to go beyond ordinary shared hosting.

Shared hosting has been such a smoke-and-mirrors industry designed to lure in inexperienced webbies with promises of “Unlimited!” and “One-click blogs!”. Sure, for many people, it’s perfectly fine for putting up some information about the local Habitat for Humanity or chess club, but even then, wouldn’t a free Tumblr or Google Sites account be just fine? Regardless, I decided to get more hands-on with my new setup.

(more…)