Running a Ruby Executable Outside of Bundler

May 9th, 2014 - Brendon Rapp

One of our internal use gems includes some executable scripts which are basically wrappers around other gem executables.

Most of these gems are part of the application’s Gemfile, but sometimes, they are globally installed gems. An example of one such case is Mailcatcher, which, due to the gem’s own dependencies (mainly ActiveSupport), should not be included in a Rails app’s Gemfile.

The problem we ran into is that, when trying to execute the global Mailcatcher from this wrapper script, it would actually try to execute within the Bundler environment, and resulted in this error:

mailcatcher is not part of the bundle. Add it to Gemfile.

The script looked something like this:

#!/usr/bin/env ruby

# ... some setup stuff ...

exec 'mailcatcher -f -v'

What we needed to do was break out of the Bundler environment with Bundler.with_clean_env. The Bundler documentation describes it as follows:

Any Ruby code that opens a subshell (like system, backticks, or %x{}) will automatically use the current Bundler environment. If you need to shell out to a Ruby command that is not part of your current bundle, use the with_clean_env method with a block.

Updating our wrapper script as follows solved the issue:

#!/usr/bin/env ruby

# ... some setup stuff ...

Bundler.with_clean_env { exec "mailcatcher -f -v" }

ActiveAdmin Filters with Ransack

May 1st, 2014 - russ

Recently, in the past three months or so, ActiveAdmin has updated their master branch to add Rails 4.1 support and migrate away from MetaSearch and on to Ransack for their filters.

If you use the stock filters or shallow relation filters then more than likely your current ActiveAdmin filters will continue to work. However, if you need more complex filtering or previously had defined “search_methods” in your models, you will need to update your code to make use of Ransack’s “ransacker” method instead. Your filter declarations in your ActiveAdmin models are the same format and can remain untouched but you may have to update the filter names and labels.

Like before, you will require changes in two files for a complex filter: one in your ActiveAdmin register and one in the associated model. Below is an example where an Order exists with many Products which each have one ProductColor and we want a drop-down select filter at the Order level for ProductColor:


ActiveAdmin.register Order do
  # Drop-down filter backed by the :product_color ransacker defined on Order
  filter :product_color_in, :as => :select, :label => 'Containing Product Color', :collection => proc { ProductColor.order(:name) }
end



class Order < ActiveRecord::Base
  has_many :products # and Product belongs_to a ProductColor

  # Map the selected ProductColor id to the ids of the orders containing it
  ransacker :product_color,
            formatter: proc { |selected_pc_id|
              results = Order.has_pc(selected_pc_id).map(&:id)
              results = results.present? ? results : nil
            },
            splat_params: true do |parent|
    parent.table[:id]
  end

  def self.has_pc(pc_id)
    self.joins(:products).where(products: {product_color_id: pc_id})
  end
end


Cloud9 with a Private Server

September 13th, 2013 - russ


As far as developers go, I’m not too picky about the tools I use. I find this allows me to try out the latest and greatest without too much attachment to a specific toolkit. One type of toolkit that has been gaining popularity is a cloud-based IDE.

I’ve always been interested in a centralized workspace since I tend to blow through devices and workstations (usually to try out some new Linux distribution) and frequently have to reconfigure for the new environments. Yes, I could have just used dual-boot or swap hard drives but I really don’t care that much. All my important data is already in the cloud, through services like Google Drive, Dropbox, and Bitbucket.

In a way, I’m already set up for cloud-based solutions and for most people that may be the most difficult part, especially if you have a lot of data. If that’s the case, not all is lost. You can use many of these IDEs with any common git repository or in some cases, with SSH access to your own private server.

Cloud9 is one of these cloud-based IDEs and they provide a private PaaS (Platform as a Service) instance, or you can make use of your own FTP/SSH server. They also support directly deploying to Heroku, Azure, and Cloud Foundry. In my case, I use my own PaaS instance and connect to it through SSH. This does have one prerequisite: NodeJS.

In order for Cloud9 to access your workstation, you will need to not only configure your SSH server and keys, but you will also need to set up a NodeJS server (along with any firewall rules). Cloud9 provides excellent documentation.

Once these are configured, Cloud9 provides a full-featured IDE, including a decent terminal (though it’s not as responsive as other web-based terminals) that allows you to develop in any language you want.

This setup has been working well for me for the past few weeks across multiple platforms: Linux, OS X, Windows, and even my Chromebook. This is especially useful for quick fixes and testing when on the road with my $210 Chromebook, instead of taking my $1,200 MacBook Air.

Taking advantage of the recent SaaS (Software as a Service) and modern web browser improvements can save money in equipment, maintenance, security, and training. I look forward to seeing it improve even more.

Cave Lunch – January 2013

March 7th, 2013 - Brendon Rapp

Starting in January, the engineering team instated monthly “tech lunch” meetings. On the final Friday of each month, the team will meet for lunch, and each member will present a 5-10 minute “lightning talk” on some development topic of interest.

Below are the slides from January’s talks:

Selenium IDE by Renee Wall

The Normal Computer User’s Guide to Safe Computing

June 15th, 2012 - Brendon Rapp

Your CHILDREN may be at risk! Find out tonight at 11:00.

In the past week, LinkedIn, eHarmony, and were each subject to a serious security breach, resulting in the leakage of many user passwords. Not coincidentally, in the same week, Facebook started pushing a security tips page to all of its users.

The cold, hard truth is that it’s more likely than not that you will have some Internet account that you use end up having its password leaked out at some point in time.

Whether or not that results in a minor temporary inconvenience, or more dramatic identity theft, is up to you.

Unfortunately, there has not been a very good effort to teach everyday computer users how to keep themselves safe. Equally unfortunate, too many everyday computer users ignore advice when they are taught, and fail to recognize their own complicity when they do become victims.

It does not take a great deal of effort to dramatically increase your digital security. A few small habit adjustments and some tools to help are all it takes.

The following is a brief, opinionated guide for “normal, everyday” computer users. People of a higher technical background will likely have their own preferences, and that’s fine, but this is a guide that we consider to be ideal for the average user.

1. Practice Good Password Security

The rules for passwords:

  • No password should ever be used twice
  • Passwords should be long and random
  • Don’t try and memorize your passwords – use a password manager

People often use simple passwords, and use them over and over, because it’s difficult to remember a whole bunch of random passwords. That is why password managers were invented. Instead of remembering passwords yourself, these tools store passwords for you, and help you enter them in when you need them. This allows you to use a long, random password for every service you use. The only password you need to memorize is the one that unlocks your password vault.

LastPass stores your passwords, and fills them in for you, so you can have strong, random passwords without having to type them in yourself.

LastPass is our suggested password vault. It installs on every major operating system (Windows, Mac OS X, Linux), typically as an extension in your browser. It generates strong random passwords for you when you create new website accounts, saves those passwords securely, and then fills them in for you when you go to log in somewhere.

If you take only one piece of advice from this post, make sure it’s this one. People will often say, “my Facebook got hacked!”, not realizing that what actually happened is that a different website they use got hacked, and that person used the exact same password on Facebook and dozens of other sites. This is the #1 risky behavior that, if you do, you must curtail immediately. If you use different random passwords for every site, then when one of those sites gets hacked, none of your other accounts are at risk.

The only password you need to memorize is the one that unlocks your password vault. Let the vault do the rest of the work for you.

2. Backup Everything! Use CrashPlan

The next most important topic is backups. If you have data that is not backed up, it is destined to be lost unless you create a backup. Systems will break. Hard drives will fail. Accidental deletions happen all the time.

Our standard backup recommendation for normal users used to be Carbonite, and Carbonite is still a good option. Our current recommendation, however, is CrashPlan.

CrashPlan provides unlimited data backup for $5/mo or $50 a year, with further discounts for longer terms. It supports Windows, Mac, and Linux. Unlike Carbonite, CrashPlan does not limit daily uploads, allowing for the initial backup process to go much faster. On top of that, CrashPlan offers much faster transfer rates (in addition to total amount of data, Carbonite throttles transmission rates – dramatically so in the event of large backups).

CrashPlan offers a great cloud backup solution, but CrashPlan also allows users to store encrypted backups on other systems running CrashPlan. This means that users with multiple PCs can have their computers store a backup of each other’s data (provided there’s enough disk space to go around). Also, if you have a friend that also has CrashPlan installed, you and the friend can store backups of each other’s data. These remotely-stored backups are encrypted with your encryption key, meaning your friend cannot ever look inside of them. Best of all, this sort of share-between-PCs backup feature is free.

CrashPlan has become so good that we are planning to start using CrashPlan Pro for server backups.

3. Use Gmail for its rich security features

For the average person, our suggestion for email is simply: use Gmail.

Gmail is the best thing to happen to the normal computer user’s email. What makes it our email recommendation for normal users are its security measures.

One of the biggest is Gmail’s activity log. You can find it waaaay down at the bottom right corner of your Gmail screen.

Down in the bottom right corner...

Click on Details, and you get the Activity screen:

A table showing the IP addresses and locations of all your Gmail account's recent activity.

There are a few important pieces to this screen. First, there’s the “Sign out all other sessions” button. That one’s a biggie. In the event that a system of yours is lost or stolen, clicking this button will log out your saved sessions. Or, if someone manages to steal your password, you would change your password and then hit this button to drop their session.

Next is the table showing all of the recent activity on the account. Here you can see exactly what IP addresses are accessing your account and when.

Finally, there’s the Alert preference. This feature will give you a warning if your account has suspicious activity. When you log into Gmail and there has been unusual activity, you’ll get a warning message like this:

Suspicious activity warning at the top of Gmail

Another important feature is the ability to have Gmail always use HTTPS, making your entire email session run over an encrypted link. In Gmail’s settings, enable the “Always use https” option.

"Always use https" ensures all of your Gmail browsing takes place in a secure, encrypted session.

Many sites use HTTPS only for logging in, while having the rest of the session transmitted “in the clear”. Unfortunately, it is all too easy for an attacker to listen in on unencrypted connections, especially on shared networks like wireless hot spots.

4. Protect yourself from malicious software

Every time you run a piece of software, you are trusting it with your system and your data.

One of the main ways computers end up compromised is from users installing software from sources they should not have trusted. This is especially true of Windows users. The unfortunate reality of using Windows is that there is a rich ecosystem of malicious software targeted at that platform.

The rules for software security:

  • Install your operating system’s updates
  • Keep Flash and Java up to date
  • Install software only from trusted sources
  • (for Windows users): Have anti-virus/anti-malware software running in case you trusted wrong, or in case a hole in security allows bad software to attempt to install without your knowledge

Let the updates for your OS do their job and protect you.

It’s sad to see people run systems that are badly vulnerable because they refuse to allow Windows or other operating systems to install updates. These updates are usually security-related, and often close holes that have been recently discovered. Installing these updates is critical.

Flash and Java are extremely common avenues for compromise. It is very important to keep these pieces of software up-to-date, as it is very common to see big security exploits out in the wild that feast on all the users who don’t update these plug-ins.

Do not install software that you did not specifically seek out to install. A random email attachment that appears to have come from your friend may instead be the result of that person’s email account being compromised and used to send out attacks. Do not install software from “shady” places. This requires some good judgement. Failing that, you can turn to sites like Web of Trust to establish a site’s level of trustworthiness, and ensure that the place you plan to download software from is legitimate.

Finally, Windows users should be running some sort of anti-virus/anti-malware software suite. Microsoft Security Essentials is a very good, free anti-virus, and is easy on system resources and produces very few false positives. For additional protection, MalwareBytes’ Anti-Malware PRO is $25 a year and provides great anti-malware protection. MalwareBytes and Microsoft Security Essentials co-exist nicely together, and some minor setup steps can be taken to ensure they don’t step on each others’ toes.

5. Use Google Chrome, or Mozilla Firefox, for your web browser

Chrome and Firefox have much better track records for security than default browsers like Internet Explorer or Safari. Out of the box, users will be safer running one of these browsers. They can be further secured by running add-ons that block things like ads (a number of security incidents have come from malformed banner ads), tracking cookies, scripting, Flash, Java, etc.

More importantly, these applications aren’t deeply integrated into their operating systems the way Internet Explorer is in Windows, or Safari is on Mac OS X. Security flaws in these browsers are less likely to result in a system-wide security breach.

6. On laptops, use full-disk encryption

One of the leading causes of data theft is stolen laptops. A study in 2008 revealed that around 12,000 laptops are lost in US airports every week. That number is almost certainly higher today. Having your laptop stolen is bad, but what is even worse is having all of that personal data fall into someone else’s hands.

Every major operating system now ships with full-disk encryption. On Mac OS X, it’s called FileVault 2. On Windows, it’s called BitLocker. Modern Linux distributions have LUKS.

Full-disk encryption ensures that your laptop’s entire drive is encrypted, and cannot be read by a thief unless the thief also has your password. Typically, in a stolen PC situation, this information would not be available to the thief (provided you don’t leave your password on a sticky note on the laptop).

7. Enable your operating system’s firewall

All of the major operating systems now come with a built-in firewall.

On modern Windows systems, the firewall is enabled by default. Good job, Microsoft! Unfortunately, the same is not true on Mac OS X.

8. If you want to get a little more serious, use Google Authenticator

Someday, when computer users on the whole become a bit more experienced, and the security issue becomes even bigger, using multi-factor authentication will become normal. Unfortunately, in today’s world, it’s still all too rare.

Multi-factor authentication means having to supply more than one thing in order to log in to a service. Right now, you probably only need to enter a password in order to log in to a service you use. The problem is, anyone else who wants to log in with your username also only needs to enter your password, too.

Imagine if having your password wasn’t enough. Imagine if a person had to not only figure out what your password is, but also had to steal your cell phone. It’s pretty hard for a hacker in Russia to steal the cell phone out of your pocket, isn’t it?

This is what a tool like Google Authenticator facilitates. It is an app for iOS and Android, and it generates a series of codes. When you want to log in to your Google account, you provide both your password, and the current code from this app. Even if your password were stolen, an attacker could not log in as you without being able to produce this code as well.

Google isn’t the only place where you can use Google Authenticator. Other security-minded services (including LastPass) allow you to use Google Authenticator as a second authentication factor.

Some places, like banks, don’t support Google Authenticator, but have their own brand of two-factor authentication. Bank of America, for example, has SafePass, a second authentication factor in the form of a mobile phone app or a smartcard that you keep in your wallet. Other banks have similar offerings.


If you read this far, good for you. At the very least, we hope you take #1 and #2 to heart, as they will greatly protect your online accounts and keep your data safe.

Security is a deep rabbit hole, and this list could go on much longer. For a starting point, however, it’s quite good.

Much of security comes down to user behavior. You have total control of your computer, and there is no one to stop you if you download and run bad pieces of software, or if you are careless with passwords and put your online accounts at risk. Put a little thought into your computer safety, and it will become second nature, much like how you will naturally shy away from handing your car keys or wallet over to just any person.

Moving to Bitbucket

June 12th, 2012 - Brendon Rapp

For as long as we’ve used Git at Jaguar, we have been self-hosting our repositories on one of our servers.

The reason for this wasn’t a distrust of external services, and certainly wasn’t borne of some desire to give me more sysadmin tasks to distract from coding. Rather, it came down to one reason: GitHub’s inflexible pricing model.

GitHub's pricing by repo count instead of actual usage is disappointing.

GitHub uses number of private repositories as the metric to differentiate between low-end and high-end accounts. The line of thinking, no doubt, is that larger companies have more projects, thus require more repositories, and so this can be used as a measure of a customer’s size.

However, this is at odds with the way many groups, including us, use Git. Git is a filesystem, and there are a lot of legitimate use cases that utilize a large number of repositories but still represent a relatively small level of usage, usage that certainly doesn’t warrant $100+ a month for hosting. A widely-read blog post, If Dropbox Used GitHub’s Pricing Plan, points out in humorous fashion that GitHub charging by the repository is as asinine as if Dropbox charged users by the folder, rather than by a metric that represents actual usage (storage space used, in Dropbox’s case).

Of course, while this matters to us greatly, I sincerely doubt that GitHub is shedding any tears at losing the ~$10-25 a month that would be reasonable to charge us. They’re profitable and in charge of their own destiny. Good for them. But our problem remained unsolved.

The next biggest VCS hosting site, Bitbucket, ran an incredibly distant second to GitHub. They were “the GitHub for Mercurial users”, which held no interest with us as we had firmly jumped on the Git bandwagon. They also had the same problem as GitHub: plans were differentiated by private repository count, and they lacked many of GitHub’s nicer features. So, we didn’t think much of them.

Then, they were acquired by Atlassian, and moved all plans to unlimited space & repositories, opting instead to use number of users as the metric for differentiating between account levels.

Pricing per user = excellent!

Then, they started supporting Git. Now, things were getting serious.

Along with the pricing restructure and Git support came a steady improvement in features. Bitbucket has not been shy about taking inspiration from GitHub, and implementing some of GitHub’s better features. What was once written off as a second-rate GitHub clone has become, at very least, a first-rate clone, and with better pricing.

GitHub still remains the place to be for open source code, because of the scale of the open source community that has bought in to developing and sharing on GitHub. I don’t think that’s likely to change, nor does it seem like Bitbucket is angling to try. Instead, Bitbucket is catering to private development, and users of other Atlassian services.


Gitolite, our existing Git hosting solution

When we first started using Git, we used a hosting tool called Gitosis. It was a good tool at the time, but development stalled, and it was eventually replaced by a similar but more capable tool, Gitolite. Both of these tools are scripts that are triggered by SSH connections to a specific user account (usually named “git”) and kick into action when the incoming user’s key matched up with a valid user in the script’s config.

I have nothing but good things to say about Gitolite, which served us extremely well, and is now the underpinnings to the exciting GitLab project, an open source GitHub-style web-based Git self-hosting tool. (I played around with GitLab a bit, but we were ready to get out of the Git self-hosting business.)

Unfortunately, Gitolite’s SSH-key-authentication-only nature meant that we couldn’t use Bitbucket’s nice migration tool. Of course, since this is Git, we could always create a new repository on Bitbucket, add it as a remote on our repos, and push it. But we have a lot of repositories and this seemed too time-intensive.

What we needed was to make our repositories available over password-protected HTTPS, which the Bitbucket migration tool could work with. This involved two steps. The first step was setting up a webserver to host the repositories. Apache was already running on this box, so it was a simple case of creating a virtual host with its docroot as the folder of repositories, and creating a digest file for HTTP Digest authentication:

<VirtualHost *:80>
  DocumentRoot /path/to/the/repositories

  <Directory /path/to/the/repositories>
    AuthType Digest
    AuthName "Jaguar Design Studio git"
    AuthUserFile /path/to/my/digestfile
    # <Limit> applies the Require only to the methods listed here
    <Limit POST PUT GET>
      Require valid-user
    </Limit>
  </Directory>
</VirtualHost>

Step two was to prepare the repositories for being hosted over HTTPS. The first thing was that the Apache user (www-data) needed to be able to read the repositories. There were a couple of options here, from making the repositories world readable, to adding the www-data user to the git group (which was the group owning the repos). I opted to make the www-data user part of the git group, as it was easier to undo (remove the www-data user from the git group line in /etc/group, versus changing the file permissions on every repo).

The other part of step two was to run “git update-server-info” on each repository. This, according to the man page, generates an “auxiliary info file to help dumb servers”. This was not needed with Gitolite but it would be required for our “dumb” temporary HTTPS hosting.

Rather than deal with 100+ repos individually, I scripted this:


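#!/bin/bash

# Run "git update-server-info" inside every directory under the current one
for file in *; do
  if [ -d "$file" ]; then
    cd "$file";
    git update-server-info;
    cd ..;
  fi
done

exit 0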

Simple enough script, just naively loops through directories and runs “git update-server-info” inside each one.

Bitbucket's import tool was one of many small delights in the Bitbucket move process

Now, we were ready to import.

Importing each repo was a matter of entering the URL and login info for each repo, picking the new name for the repo, and clicking the Import button at the bottom of the screen.

The process was a lot less painful than I had anticipated. Had we realized how easy it was going to be to move, we might not have held out for so long.

The only thing that would have made the process even nicer would have been a bulk importer. As is, though, the process was smooth and easy.

We’re now up and running on Bitbucket, and on to the task of updating all of our deployment scripts. We’re happy with Bitbucket so far, and our complaints are being registered on the Bitbucket issue tracker. Given the good job Atlassian has done with pushing Bitbucket forward, we’re pretty confident that the service will continue to improve and keep us happy.

Setting Up a Secure Guest Wifi Network

May 10th, 2012 - Brendon Rapp

One of the things we decided that we should add to the Jaguar office was wireless Internet for visitors. We wanted visitors to be able to use wifi to get on the Internet with their laptops and smartphones. At the same time, we wanted this guest network to be separate from our office LAN. We didn’t want users of the guest wifi to have any network access to the internal servers and services we’re running inside the Jaguar office.

Based on these requirements, I knew that the answer would lie in the use of routers powered by DD-WRT, the very flexible open-source firmware for wifi routers. I ran into many tutorials on how to create a separate VLAN on a DD-WRT router. The issue with these tutorials, for our purposes, is that they assumed that the DD-WRT device was acting as a router. That’s a reasonable assumption for home users, but in our case, our DD-WRT device serves purely as an access point. I did, however, want the guest wifi to behave like a router at the access point level.

I did not see a clear way to have our wireless access point still act like an access point for our main wifi network, while acting like a router for the guest VLAN. I imagine there may be a way to bend DD-WRT to make one device be an access point for one VLAN and a full-blown router for another, but that configuration was beyond my level of commitment. My solution to this problem was simply to get a second wireless router, install DD-WRT on it, and make that device power the guest wifi.

Configuration & Restrictions

Even though this is our guest wifi, I still insisted on WPA2 encryption. I’m not at all keen on the idea of broadcasting an open wifi network. It’s not too much to ask of a visitor to type in a simple password.

For maximum compatibility, I set the encryption mode to WPA2 Personal Mixed, which allows older devices with only WPA support to still function. I’m not willing to leave a WEP-encrypted network running 24/7, but in the event that we have someone come in with an old machine that can only do WEP, I can quickly add a virtual interface to the router and enable WEP encryption on that, and shut it down when it’s no longer needed, without interfering with the normal guest wifi setup.

For the WPA2 interface, I set the encryption to TKIP+AES, so devices failing to support AES can fall back to TKIP. And I set the 802.11 mode to Mixed, so B, G, and N clients can all function. Not the best setup for high performance, but when someone walks in waving around an Orinoco Silver card, it should work.

This was one of my most prized possessions in college.

Given that this was to be our “guest” wifi, there were certain restrictions I wanted enforced:

  • The guest wifi was to be on its own subnet
  • The office network subnet was to be unreachable from the guest wifi
  • A certain level of content filtering was to be enforced
  • Some traffic controls to restrict overly taxing our Internet pipe

First Up, Secure the Device Itself

A router’s only as secure as its admin panel. If someone can get into the admin panel, any security settings administered there are rendered moot. My quick checklist for setting up DD-WRT:

  • Define a strong password for the admin panel
  • Change the admin panel username (which is usually “root” by default) to something else
  • Disable remote administration (usually disabled by default)
  • Disable telnet, enable SSH instead
  • Disable passworded SSH access, use public key authentication instead
  • Ensure SPI firewall is enabled (should be by default)
  • Disable unneeded services
  • Disable unused VPN firewall passthroughs

One thing I’ve learned from using DD-WRT is to not forget to set up SSH access. It comes in handy when something goes wrong with the web panel, especially if you’re maintaining the device from two time zones away, like me. I don’t have SSH set up to accept remote connections, however – instead, I get to it by connecting to the VPN and making myself a local LAN node.

(Important note for SSH access: even if you’ve changed the web panel username from “root” to something else, when connecting by SSH, you will still use “root” for the user). All unneeded services are disabled.

Separate Subnet for Guest Wifi

With a traditional home wifi setup, users plug their cable/DSL/etc modem into the router’s WAN port. For us, our office LAN is the guest wifi’s WAN, so we plug a cable from the wall to the guest router’s WAN port. The router gets a “WAN IP” that is an address on our office LAN. In the router’s DHCP server setup, we define a different subnet for the router’s own network. For the sake of this article, we’ll define 10.10.10.x as our office subnet, and 10.10.20.x as the guest wifi subnet.

Blocking Access to Office LAN

In order to restrict guest wifi clients from being able to reach the office LAN, I defined firewall rules for the guest router that will drop any outbound traffic intended for the office LAN’s subnet.

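# Block outbound traffic intended for office LAN
# (10.10.10.0/24 is the article's example office subnet, 10.10.10.x, written as a /24)
iptables -I FORWARD -d 10.10.10.0/24 -j logdrop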

With this rule, the router won’t forward any traffic from client machines to the office LAN. It will, however, still route traffic destined to the Internet through the office LAN’s gateway, which is good, because that’s the way to the Internet.

Coming at the same problem from the other direction, I also added firewall rules to certain internal LAN services to block any traffic coming from the guest wifi subnet. The guest router’s own firewall rule should be sufficient on its own, but it never hurts to add another layer of safety.

Content Filtering

We don’t want our guest wifi becoming Porn & Bittorrent Central. Granted, since it’s an encryption-secured access point, there isn’t a great deal of risk of that, but at the same time, we don’t intend on being overly stingy with the WPA2 key. It seems appropriate to perform a bit of filtering. My solution for this need was to use OpenDNS on the guest wifi, and put the OpenDNS service’s content filtering features to use. In addition to filtering out unwanted content, OpenDNS can also filter out things that are security risks. In the DHCP server settings, I set the three Static DNS entries to OpenDNS servers. In order to prevent users bypassing the OpenDNS filtering by trying to set their own DNS servers, I took a hint from the DD-WRT wiki’s OpenDNS page and enabled a couple of firewall rules that intercept attempts to resolve DNS via different servers:

# Intercept DNS queries to external servers, re-route to local DNS

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
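
To confirm that the LAN-blocking rule and the DNS interception rules are actually in force, this added example (not part of the original post) audits a ruleset dump for them. It assumes the dump is in iptables-save format, writes the article's example office subnet as 10.10.10.0/24, and uses a constructed router address of 10.10.20.1; audit_guest_firewall, sample_good and sample_bad are hypothetical names.

```shell
# Added example. Both sample rulesets below are constructed.
audit_guest_firewall() {   # stdin: iptables-save output; $1: office subnet (CIDR)
    awk -v office="$1" '
        /^\*/      { table = substr($0, 2); next }   # "*nat" / "*filter" header
        $1 != "-A" { next }                          # chain policies, COMMIT
        table == "filter" && $2 == "FORWARD" {
            n++; target = ""; dst = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            if (!drop_at && dst == office && target ~ /^(DROP|logdrop)$/) drop_at = n
            # An ACCEPT with no -d that matches NEW connections shadows a later drop.
            if (!accept_at && target == "ACCEPT" && dst == "" &&
                ($0 !~ /state/ || $0 ~ /NEW/)) accept_at = n
        }
        table == "nat" && $2 == "PREROUTING" && /--dport 53 / && /-j DNAT/ {
            if (/-p udp/) udp = 1
            if (/-p tcp/) tcp = 1
        }
        END {
            if (!drop_at) { print "FAIL no drop rule for " office " in FORWARD"; fails++ }
            else if (accept_at && accept_at < drop_at) {
                print "FAIL ACCEPT at rule " accept_at " shadows drop at rule " drop_at; fails++
            }
            if (!udp) { print "FAIL UDP port 53 is not redirected"; fails++ }
            if (!tcp) { print "FAIL TCP port 53 is not redirected"; fails++ }
            if (!fails) print "OK guest isolation and DNS interception in place"
            exit fails + 0
        }'
}

sample_good() { cat <<'EOF'
*nat
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.10.20.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.10.20.1
COMMIT
*filter
-A FORWARD -d 10.10.10.0/24 -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
EOF
}

# Drop rule appended (-A) after a broad ACCEPT, and no TCP DNS redirect.
sample_bad() { cat <<'EOF'
*nat
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.10.20.1
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -j logdrop
COMMIT
EOF
}
sample_good | audit_guest_firewall 10.10.10.0/24
sample_bad | audit_guest_firewall 10.10.10.0/24 || echo "findings: $?"
```

Rule order matters because iptables stops at the first matching rule, which is why the post inserts the drop with -I rather than appending it with -A.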

Don’t Hog Our Pipe

One of the reasons P2P services like Bittorrent can be such a network strain is the sheer number of connections they open. In order to help guard against this on our guest wifi, I’ve added a couple of connection limiting rules to the firewall script:

iptables -I FORWARD -p tcp -s -m connlimit --connlimit-above 50 -j DROP 

iptables -I FORWARD -p ! tcp -s -m connlimit --connlimit-above 25 -j DROP

These rules drop any additional TCP connections a client tries to make above 50, or 25 for non-TCP connections. Those numbers should be high enough so as not to interfere with any non-P2P use, but will prevent a single P2P peer from flooding the device with open connections.

There is much more that can be done to restrict excessive wifi usage, but that is a deep, dark rabbit hole, and well beyond the needs of our own use case.

Up and Running

One could easily take things even further. There are numerous pieces of software for setting up public wifi points. Some are even open source and included in DD-WRT, like Chillispot. DD-WRT also provides features like remote logging and limiting access to certain times of day, which I left for possible future exploration. For now, though, I’m happy with the above setup. DD-WRT’s capability of letting users define iptables rules is a very powerful feature, and a big reason why I insist on using wireless access points that are well-supported by DD-WRT.

Devise emails using incorrect From: address in Rails 3

March 28th, 2012 - Brendon Rapp

We encountered an issue recently with Devise’s password reset emails. The sender address on the emails appeared as “sender@debian” rather than “”, despite the fact that we had configured Devise to use a specific address:

# config/initializers/devise.rb
Devise.setup do |config|
  config.mailer_sender = "Sender Name <>"
end

Interestingly, we did not have this issue with any other emails sent by the application, only the ones generated by Devise.

The server running this app is a Debian 6 (“squeeze”) box, running Sendmail.

The problem was a setting at the bottom of the Sendmail configuration file (/etc/mail/

The final lines of this file, before modification, were:

dnl # Masquerading options

This is the source of the “@debian” domain that was being used instead of the one we set in the application. For a simple fix, we just changed the MASQUERADE_AS setting to match the domain we wished to send from:

dnl # Masquerading options

With that, the Devise mails finally matched our application’s domain.

The Basics of iPhone Security

January 5th, 2012 - Brendon Rapp

The iPhone is the most popular smartphone in the Jaguar office. For me, the bandwagon-jumping point was the iPhone 4, with the 300+ dpi screen and the A4 CPU that made for one of the first smartphones that was sufficiently powerful (IMO) to actually run its OS and apps well.

With many of us relying more on our iPhones for Serious Business, the question of security arises. Apple has implemented some security measures into the iPhone, and continues to make small but steady improvements, as the iPhone sneaks further and further into Corporate America. While the iPhone isn’t quite at BlackBerry level of security yet, there are some important features that everyone should be taking advantage of.

The Bare Minimum Basics

1. Enable Auto-Lock and Passcode Lock
The one step you absolutely, positively must take with your iPhone is enabling the auto-lock and passcode lock functions.

Auto-Lock locks your phone (the same action as pressing the “sleep” button on the top of the phone) after X minutes of inactivity.

Passcode Lock requires users to enter a passcode in order to unlock a locked phone.

The point of these features is to ensure that if your phone is lost or stolen, the device will be in a locked and password-protected state when someone else takes or finds it. This is essential in order to protect your data.

2. Enable Find My iPhone
Find My iPhone gives you the ability to track a lost phone from a computer or from another iOS device. It can help greatly in the recovery of a stolen device.

This used to be a feature one would have to buy from Apple as part of the MobileMe service, but it is now part of the free iCloud service that replaced MobileMe.

Find My iPhone gives you the ability to remotely lock your phone, or even wipe its data. It provides a way to make the iPhone play a sound (even if it’s set to silent) in order to help you locate it when you’re close to the GPS position. And, in the event that the phone is found by an honest person, you can make a message display on the phone to tell the person how they can return the phone to you.

Tracking down a stolen phone using Find My iPhone has been known to make people feel like Batman.

3. Keep iOS Up to Date
iOS is the phone’s operating system. As a complex piece of software, it is often updated in order to fix security issues. It is important to make sure your phone’s software stays up-to-date, so any newly-discovered security holes are closed.

iOS 5 update notification badge

If your phone is running iOS 5.0 or newer, you can do these updates directly from the phone via Wifi. When a new update is available, you’ll see a number badge on the Settings app. Enter the Settings app and go to General > Software Update, and you’ll be able to update.

If you’re on a version of iOS older than 5.0, updates have to be performed by plugging the phone into a computer with iTunes. I highly recommend updating such a phone right away, in order to get current with iOS 5, if for no other reason than to make future security updates easier to install.

4. Backup Your Phone
One of the most important features of the iPhone is the ability to generate backups of the phone’s data, which can be used at a later time to restore the phone.

Some of the security features here involve wiping the phone’s data to prevent data theft in the event of a lost or stolen phone. If you recover the phone, however, how do you get the data back?

The answer is in backups. Before iOS 5, backups were performed entirely by connecting the phone over USB to a computer, and creating the backup via iTunes. Now, users have the option of backing up their phones to iCloud for free, removing the need to tether the phone to a computer. This is a great feature for the large percentage of iPhone users that never plug their phone into their computers.

iCloud provides an easy way to backup iOS devices

iCloud gives you 5GB of free backup space. If this isn’t enough for your phone, you can either buy more space, or selectively exclude applications from your backup (the important stuff – your accounts, settings, etc, are always included, and take up a rather trivial amount of space themselves).

Short of that, one can still connect to their personal computer and iTunes to perform backups. Since iOS 5.0, these backups can be performed over Wifi instead of USB, making it much more convenient.

At any rate, backups are essential, whether it’s through iCloud or your computer’s iTunes installation.

A Step Further

1. Disable “Simple Passcode” on Passcode Lock
By default, Passcode Lock enables the “Simple Passcode” feature, which makes passcodes a 4-digit PIN-number style code.

By disabling this, you can use the full iOS keyboard to define a true password. This is much more secure than a 4-digit code.

2. Set Auto-Lock and Passcode Lock’s “Require Passcode” Times As Short As You Can Stand
It’s important that a would-be thief never get their hands on your phone in an unlocked state. By having the phone auto-lock and require a passcode, you can help ensure that anyone besides you who gets your phone will find it in a locked and passcode-protected state.

However, there is a trade-off between security and usability here. Many people don’t want to have to enter their passcode again when they were just using their phone 30 seconds earlier. At the same time, having the phone wait an hour before requiring a password is too large of a window for someone to steal and begin using the phone.

One thing to understand is how the two timers work. Auto Lock’s timer begins from the moment you stop using your phone. Passcode Lock’s timer begins from the moment the phone locks. So, if your Auto Lock is set to 3 minutes, and Passcode Lock’s “Require Password” timer is set to 5 minutes, it will take a total of 8 minutes from the moment you stop using your phone for the phone to be in a locked & passcode protected state.

As of iOS 5, Auto Lock’s timer options are each minute from 1 to 5 minutes, while Passcode Lock’s are immediate, 1 minute, 5 minutes, 15 minutes, and 1 hour. In the past, there were much longer timers available, but Apple is nudging users towards more secure options.

In my opinion, it should take less than 10 minutes of inactivity for your phone to be passcode locked. So, combining a 5 minute Passcode Lock timer with anywhere from a 1-5 minute timer for Auto Lock will get you there. For the more security conscious, Passcode Lock can be set to 1 minute or Immediately, along with a sufficiently short Auto Lock time.

3. Disable Siri on Lock Screen
This only applies to phones with Siri (as of this writing, the iPhone 4S only, but undoubtedly all iPhones to follow). If your phone has Siri, by default it can be used even if the phone is locked. This is a convenience, but it allows a thief to make use of the phone even while it’s locked.

To disable this, flip Siri to “Off” in the Passcode Lock menu:

This will prevent anyone from being able to use Siri without unlocking the phone.

4. Get a Smudge-Resistant Screen Protector
Security researchers have noticed that one can often deduce a lot about a phone’s most recent use based on the finger smudges left behind on screens (see paper: Smudge Attacks on Smartphone Touch Screens).

This is particularly true with simple passcode unlocks (another reason to disable “Simple Passcode” and use a keyboard-typed password instead). But in general, smudges are information left behind that an attacker could use to aid in an attack on the phone’s security.

Certain screen protectors are smudge-resistant, reducing the information left behind by finger smudges.

OtterBox Defender. Your iPhone won't break even if you bean someone in the head with it.

5. Get a Protective Case
Buying a good protective case is an important safety measure for keeping your iPhone intact. In a situation where you are trying to track down a lost or stolen phone, it also is a benefit in that the relative uniqueness of your case would make the phone more instantly recognizable from all the bare naked iPhones out there.

A thief could always remove the phone from the case, but in the event that the case is left intact, it makes for an easier positive ID. And certain cases, like the OtterBox Defender, take some effort to get off, if you’ve never dealt with them before.

Hardcore Security

1. Enable “Erase My Data” to Wipe Phone After Too Many Failed Login Attempts
A Passcode Lock will help keep thieves from being able to get into a stolen phone, but given sufficient time, a passcode (especially a Simple Passcode) can be broken. The “Erase My Data” feature defends against this, by automatically wiping the phone’s data after 10 failed passcode attempts.

It’s important to note that one cannot make 10 failed attempts all at once. After a few failed attempts, the phone will lock you out from making another attempt for a set “cool-down” period of time. This cool-down period increases in length as you get closer and closer to 10 attempts. So, it is not the case that a prankster can just grab your phone, bang out 10 wrong passcodes, and make it wipe. The only way anyone is getting to 10 failed attempts is if you lose control of your phone for hours.

As mentioned above in the “Backup Your Phone” section, if your phone is wiped clean, you can restore your data from a backup, provided you’ve set up backups either through iCloud or with your computer’s iTunes installation.

2. Disable SMS Preview
By default, the partial text of SMS messages appears in previews on a locked phone. This would allow a thief to read your incoming text messages even if he is unable to unlock the phone.

In iOS 5, this can be disabled in Settings > Notifications > Messages > Show Preview.

If you want to go a step further, and even prevent the message notification (which includes the sender’s name) from appearing entirely, you can turn off “View in Lock Screen” in that same menu.

3. Jailbreak Your Phone for Additional Security Measures
Jailbreaking (the act of modifying your phone’s software to run software other than what has been authorized by Apple) is often spoken of as a security risk. To an extent, this is true, as users who jailbreak give up the safety of having the iPhone refuse to run any unsigned code (programs which have not been approved and digitally signed by Apple).

The flip side of this, however, is that jailbreaking allows users to take advantage of security features that don’t exist for non-jailbroken phones.

The first example of this is exploit fixes. When a new security hole is discovered in iOS, it often takes some time before Apple releases an iOS update that fixes the problem. Often, the jailbreak community fixes the hole themselves, releasing a patch for all jailbreak users to take advantage of much more immediately.

The other big “win” for jailbreakers is the ability to run security applications that aren’t allowed in the traditional iPhone app model. There’s RecognizeMe, which adds facial recognition to the standard Passcode Lock. There are apps like Firewall iP, which add a software firewall, and Lockdown Pro, which allows users to define passwords required to open certain applications, and iProtect, which will lock your SIM card and notify you if a new SIM card is inserted into that phone. Jailbreaking also adds the ability to use VPNs, such as OpenVPN, that aren’t among the standard VPNs supported by iOS natively.

There are a lot of security features that are only possible by breaking out of Apple’s “walled garden” model. Jailbreaking is not for everyone – it’s definitely for the diligent and the technically inclined – but for those of the right mindset, there are some clear security benefits to doing so.

Things NOT To Do

1. DON’T Buy An iPhone “Anti-Virus” Application
Anti-virus applications for smartphones are ineffective at best, outright scams at worst. Although there have been instances of phone-based malware, and there will be more in the future, anti-virus apps have so far proven to be fairly useless at defending against them.

2. DON’T Use A Weak Passcode
If using a Simple Passcode, your passcode shouldn’t be your birth year, or “0000”, or anything overly obvious like that.

Common advice is to use four different digits for your code. However, it may be the case where using 3 digits, with 1 repeat, actually produces a stronger passcode.

3. DON’T Sell or Give Away Your iPhone Without Wiping Your Data First
Too many people get rid of their devices without thinking about what’s left on them. The iPhone provides an easy way to wipe all of your settings and data, so that you can safely sell or give the phone to a new owner.

The menu is in Settings > General > Reset, then “Erase All Content and Settings”

It will ask you if you’re REALLY sure. If you’re no longer keeping the phone, you are.


By taking the steps above, you can significantly improve your iPhone security. Keep your eyes peeled for new security features with each iOS update, as Apple is being pushed for stronger security, thanks in no small part to ever-growing corporate and government use. Personally, I have my fingers crossed for GPG support in Mail, and native OpenVPN support.

Cool Hack: Dyslexic-friendly Font on Kindle

December 12th, 2011 - Brendon Rapp

Amazon’s Kindle devices come with two fonts – one serif and one sans-serif.

For people suffering from dyslexia, however, the precise symmetry of typical computer fonts only exacerbates the reader’s struggles with transposition and character confusion.

Over on Reddit, an intrepid Kindle user has hacked a Kindle and replaced the default font set with a dyslexic-friendly typeface, in order to provide his dyslexic wife with a better reading experience.

His Reddit thread is here: “This is how I made a Dyslexic friendly Kindle for my awesome Dyslexic wife”

According to him, the hack worked exceptionally well. For the hack, he used the font Gill Dyslexic, which reduces symmetry and makes similar-looking characters appear more distinct. In the past, many dyslexics have used the much-maligned Comic Sans font for reading, but the new breed of dyslexic fonts (including Gill Dyslexic and Dyslexie) are now stepping in to serve that need.

A picture of the Kindle displaying text in Gill Dyslexic

Accessibility is a big deal, and too many software and hardware developers are doing a poor job of meeting the needs of users suffering from disabilities and other challenges. This is one reason we strongly support both Free/Open Source Software (FOSS) as well as unlocked, user-modifiable hardware devices. Most of the time, when users want to “hack” one of their devices, it isn’t to steal content – it’s to make their device work for them, in a way the hardware designer failed to provide.