$ rbenv install 1.8.7-p357 rbenv: 1.9.3-p194
Downloading http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p357.tar.gz...
Installing ruby-1.8.7-p357...

BUILD FAILED

Inspect or clean up the working tree at /tmp/ruby-build.20120508145707.21228
Results logged to /tmp/ruby-build.20120508145707.21228.log

Last 10 log lines:
callback.func:79:24: error: ‘proc’ undeclared here (not in a function)
callback.func:79:39: error: ‘argc’ undeclared here (not in a function)
callback.func:79:45: error: ‘argv’ undeclared here (not in a function)
callback.func:82:1: error: expected identifier or ‘(’ before ‘}’ token
dl.c:106:1: error: expected ‘;’, ‘,’ or ‘)’ before ‘static’
cp ../.././ext/dl/lib/dl/import.rb ../../.ext/common/dl
make[1]: *** [dl.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/tmp/ruby-build.20120508145707.21228/ruby-1.8.7-p357/ext/dl'
make: *** [all] Error 1

The issue isn’t specific to ruby-build or rbenv, but rather is an issue with building Ruby after upgrading glibc to 2.14:

This is caused by the fact that the generated file callback.func is corrupt. The corruption is triggered by a recent glibc change:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.13-161-gfcabc0f

which was to fix a POSIX compatibility issue:

http://sourceware.org/bugzilla/show_bug.cgi?id=12724

Patches are provided to manually patch the Ruby source before building, but what if you’re using something like rbenv and ruby-install, instead of building Ruby manually?

This Gist, from GitHub user kungfoo, provides a ruby-build definition for building Ruby 1.8.7-p358 with the required patch for building on a system with the updated glibc.

To date, I had only used rbenv and ruby-build to build Rubies from ruby-build’s included definitions. Turns out, it’s quite easy to use this definition, once I realized that that’s what this was.

Simply do the following:

$ vim /tmp/1.8.7-p358-with-rogue-stdout-patch
... paste contents of Gist into file, save and exit ...
$ rbenv install /tmp/1.8.7-p358-with-rogue-stdout-patch

Note, the filename will be the name that rbenv uses to identify this Ruby, so if you don’t want the name to be “1.8.7-p358-with-rogue-stdout-patch”, name the file to match the name you prefer.

I tracked down the issue as being related to the Lightning calendaring extension. Lightning has an option for caching calendar entries for remote calendars. This seems like it would be a feature that improves performance, but as it turned out, it caused a lot of app-stalling IO. Each remote calendar has a Cache checkbox in its settings. Unchecking this immediately put an end to the pausing issues.

What clued me in was this bug report, which is almost 2 years old and still “unconfirmed”.

However, I have not been making use of Vim’s auto-completion features, due to a serious performance issue when used with Ruby files. Completion was painfully slow. It was annoying when triggering completion manually, but it was a complete show-stopper when used with an automatic completion plugin like NeoComplCache.

Finally, I got a clue from this StackOverflow response:

Had a very similar problem since upgrading to Vim 7.3 (from 7.2): I was using the (excellent) ACP plugin and in longer source files (C-files, 1700 LOC), the popup took ages to jump through the suggestions when I was editing near the bottom of the file.

Using the PerformanceValidator (from Softwareverify), I found out that some fold methods were called again and again and lead to very high processor load and slow completion.

My workaround was to set the foldmethod (fdm) to manual. And this solved it…

Now, I was having issues with fairly short Ruby files, as opposed to the large C files that this responder was editing. However, it clued me in to the fact that foldmethod was getting called a lot during auto-completion, and led me to experiment.

Finally, I found the issue:

foldmethod=syntax is dog-ass slow when editing Ruby syntax files.

As soon as I switch to any other foldmethod, Ruby auto-completion becomes instant. I’ve been using foldmethod=indent, which creates folds based on code indent levels. This seems to work as well for me as syntax-aware folding did.

Hopefully that tip helps out anyone else who found Vim auto-completion strangely non-performant while working with Ruby files.

Yes, I know I’m in a Conquest checkpoint’s capture radius! The little map in the corner that’s got a big box next to me kind of gave that fact away.

Now will you please get the mother-fudge out of the way? I am trying to look at things where you’ve got your big obnoxious indicator.

When I spied the router, high up on the wall, I soon discovered why.

Pointless trivia: This image, nicely depicting the concept of two-factor authentication, was taken from the Hong Kong central bank's website

What is Two-Factor Authentication?

Normally, when you log onto a computer-based service, you enter a username to tell the system who you are, and a password to authenticate (prove that you are who you say you are) with the system.

That is one-factor authentication: you are providing only one thing to prove your identity.

Two-factor authentication is a setup where you have to provide more than one thing to authenticate yourself. In most cases, this means your password in addition with some physical device, a hardware-based token. (It is possible to create authentication systems that require even more than two factors. Systems that require two or more factors are more generally called multi-factor authentication).

The YubiKey is an inexpensive ($25) device that provides this sort of additional authentication factor.

How does it work?

The YubiKey is a simple device that plugs into any USB port on your computer. The device has a single button, which, when you press it, spits out a One Time Password (OTP). In the eyes of the computer, the YubiKey is literally just a USB keyboard, and when you press the button, it enters text as if a person is typing (very fast) on that keyboard. Most operating systems support USB keyboards without any additional software, which means that at least on Windows, Mac OS X, and Linux, you can stick the YubiKey into the computer and press the button without having to install any additional software. Needless to say, this makes it incredibly convenient.

So, when you log into a service that supports YubiKey authentication, you’ll enter your username and password as usual, but you’ll also be presented with a text box for the YubiKey itself to “type” into. You’ll click in the text box as if you’re going to type in it yourself, but instead, you’ll press the YubiKey’s button and it will “type in” a very long password. Then you’ll click to log in like normal, and assuming both your password and YubiKey are valid, you’ll log in.

What makes this more secure?

I book flight for Sergei to come take key

The idea behind a one-time password is that, as the name states, the password can only be used once. Even if someone is sniffing your network traffic and grabs a copy of the OTP you just used, he can’t turn around and re-use the password itself, as it’s been used and is no longer valid.

The idea being multi-factor authentication is that anyone who wishes to login to services as you has to be able to provide all factors. Stealing your password or stealing your YubiKey isn’t enough – they’d need to have both. That requirement of getting ahold of something that’s physically in your possession dramatically reduces the number of people with opportunity to take your digital identity. A hacker in Russia might be able to set up a website to trick me into giving up my password, but it’s a long flight for him to come get my YubiKey too.

How do I make services “use” my YubiKey?

First of all, to use the YubiKey, the service itself has to support YubiKey authentication. This won’t be common with your average website, but it will be more common with more security-minded services, like LastPass or PassPack.

Secondly, before you can use your YubiKey to authenticate with a service, you have to associate your YubiKey with your account on that service. How this is done depends entirely on how that service has that feature set up. Here, for example, is LastPass’s instruction page for associating YubiKeys with your account on their service.

What about services that don’t support YubiKey?

If a service doesn’t support the YubiKey directly, but does support OpenID authentication, you can use your YubiKey for two-factor authentication by using an OpenID service which supports the YubiKey itself.

Clavid.com is such a service. With a properly set-up Clavid.com OpenID identity, you can have two-factor authentication for any service that does OpenID.

However, outside of those options, there’s nothing you can do to add YubiKey support to a service that doesn’t have it, besides emailing them and bugging them to add it.

What if those services get hacked? Is my YubiKey compromised?

When you register your YubiKey with a service like LastPass, that service does not have your Yubico encrypted identity. All they store is the 12-character Yubico ID. When you tap your YubiKey’s button and send a One-Time Password to that service, they don’t have the means of processing the password and verifying your identity. Instead, they send that password (which contains your 12-character ID) to the Yubico servers, which responds back with a “yes” or “no” to that service. Yubico acts as an authentication gateway for that factor.

So, only Yubico has the information necessary to process the passwords that your YubiKey creates. So, that leads to the question: what if Yubico is hacked? That is the scenario where your YubiKey’s identity may be compromised. Indeed, this happened with another token authentication system recently, RSA’s SecurID. However, as long as you are using YubiKeys for multi-factor authentication, and not as a replacement for passwords, then the result of this would be that your accounts are still protected by your passwords. In other words, you’d be in the exact same place as if you weren’t using YubiKeys to begin with.

The YubiKey website says this thing supports a bunch of different authentication systems. What’s the story there?

The YubiKey is quite a flexible little device, and can indeed be used with a number of different authentication systems.

The most common of these, the thing that people are generally referring to when talking about YubiKey authentication, is Yubico’s YubiKey OTP authentication service. This is what standard YubiKeys come ready to work with right out-of-the-box, and this is what services like LastPass are referring to when stating that they support YubiKey.

However, you can program YubiKeys to support different systems. One thing you can do is program the YubiKey to store a single static password. You press the button, and the YubiKey types in this password. This is a way to be able to create a and use a long, complex password that you can’t possibly memorize. And because it’s just a plain password, you can use it with any password-based system. This isn’t multi-factor authentication (since you’re back to using just a password, not something in addition to a password), but it can be very useful in certain circumstances. Yubico mentions an ideal use case: long passwords for encrypting TrueCrypt vaults.

YubiKeys can be programmed to work with Open Authentication (OATH). Now, read that closely. That is OATH, a system developed by VeriSign, and not OAuth, a system developed by Twitter. It took me a while before I noticed this, as I had only ever heard of OAuth before. Here’s a post from a VeriSign blogger describing the difference between these two unfortunately similarly-named projects. OATH is used in (formerly VeriSign’s, now Symantec’s) VIP authentication system, which we’ll talk about later. Yubico does not run any OATH services themselves.

YubiKeys can also be programmed to work with SAML authentication systems. SAML is used by Google Apps’ Single Sign On feature, and Yubico provides a SAML server which can be used to set up SAML-based Single Sign On for your Google Apps domain. Here are Yubico’s step by step instructions for doing that.

In general, these other non-Yubico systems are things you would use with a specific purpose in mind, not for generally-available web services.

Can you use all these services on the same YubiKey?

Originally, YubiKeys supported only one “identity”, meaning you had to pick and choose only one of these authentication systems to use your YubiKey with.

Newer YubiKeys support two identities, so you make one YubiKey work with two different authentication systems. Naturally, most users will have a Yubico identity as one of their two. By default, the second identity is blank, so setting a key up to work with another authentication system requires using one of the free personalization software tools to program the second identity. It can be a little tricky if you haven’t done it before, so be patient and find good instructions (I may write some of my own in another post).

The way that you use a YubiKey with two different services is pretty clever. If you press the YubiKey button for 0 to 1.5 seconds, it outputs the results for the programmed identity in the first slot. Hold the button longer – 2.5 to 5 seconds – and it does the output for the second identity instead. There is a “dead zone” gap in the (approximately) 1.5-2.5 second range so that you can’t accidentally end up at the “border” between the two. Any tap at all is sufficient for triggering slot 1, so you’ll tap for slot 1 and hold the button down for slot 2, and you’ll get nothing at all if you try to let go in no man’s land.

What about the Symantec VIP service?

The "V" still stands for VeriSign

Symantec’s VIP service uses OATH. However, there is a catch. While you can create an OATH-compatible identity, end users like us have no way of getting that identity into the VIP service. They do not provide a means of uploading your own created identity, as Yubico does with their service.

As such, Yubico has created the Symantec VIP YubiKey. It’s a normal YubiKey, except with slot 1 pre-programmed with a Symantec VIP identity, which was entered in to the VIP service at the time of manufacturing, per Symantec’s rules, as explained by the YubiKey YouTube user in this YouTube comment reply:

The [Symantec VIP] YubiKey is the same standard YubiKey – it already supported OATH. The problem is loading secrets and Symantec’s rules are that they can only be loaded at the time of manufacture. Hence the need for a new SKU.

So, if you wish to use a YubiKey with the VIP service, you need to buy the “VIP”-specific model. Note that this model does not come pre-programmed with a Yubico identity, but you are of course free to create one on own for slot 2. Also, the VIP credential is hard-coded into slot 1 and can’t be removed, so you only want to get the VIP model if you do intend on using VIP.

And what if you lose it, or it breaks?

The smoke monster took it

One big issue with multi-factor authentication is, what happens if you lose or damage one of the factors?

Many services have a recovery process for this, where you have to jump through hoops to prove that you’re who you claim to be. It’s also possible to order an identical replacement YubiKey that contains the same identity as the one you lost. Again, here you have to jump through hoops to prove your identity.

But there is a better, more forward-thinking way of protecting yourself from losing or damaging YubiKeys – more YubiKeys! Every YubiKey-compatible service I’ve run into so far allows you to associate multiple YubiKeys to your account, allowing you to authenticate using any one of them.

Thus, I own three YubiKeys:
… one on my keyring,
… one locked up somewhere safe in my house,
… and one locked up in my bank safe deposit box.

Should I lose or break the one on my keyring, I have backups available.

It does mean, however, that for every new YubiKey-compatible service I start using, I need to round up all my keys to associate each of them with the new account. But in practice, this is exceedingly rare – I only have a few things I use YubiKeys with, but they’re important things.

“Would you like to know more?”

I’ll be writing some more posts as I go dig deeper into what you can do with the YubiKey. LastPass and OpenID are certainly cool and sufficient for picking up some YubiKeys, but I think the ability to integrate it with your own services is more interesting.

There is a PAM module for YubiKey authentication, allowing it to be used with things like SSH and VPN. There are also plugins for web-based CMSs like WordPress. I’m going to dig around and I’ll share what I find.

If you have any questions, please ask them and I’ll try to answer them, maybe in my next post. Also, if anything in this post is incorrect, please let me know and I will correct it. I am simply a consumer and do not work for Yubico or have any stake in their product other than the ~$75 I’ve invested in the three keys I own.

UNIX logo and terminal picture from Apple.com site

A lot of people – myself included – like OS X in part because of this fact. I am primarily a Linux user, but for my personal laptop, it’s nice to have a system with all the friendly-out-of-the-box UI trappings of a general consumer product, while still having UNIX at my fingertips.

As a UNIX system, though, Mac OS X has some limiting factors. One of the big ones is that the base system (the set of core tools that make up the OS, named Darwin on the Mac) is not really updatable. Updates come from Apple packaged as part of general operating system updates, but even when Apple does push out updates, it usually not all that up-to-date.

What’s more, the base system doesn’t necessarily come with everything you might want. You can always compile from source, but this is 2011 and package management is a good thing.

There are three main community projects which bring package management for UNIX programs to Mac OS X. They are Fink, MacPorts, and Homebrew.

Of these, my favorite is Homebrew. Homebrew is very light and lean, and ideal for people who just want to install some select packages to augment the Darwin base system.

Both Fink and MacPorts work around Darwin by existing in their own little ecosystems. When installing something that depends on another tool that already exists in Darwin, these package managers tend to install their own copies of those tools instead of using the one already on the system. There are some compatibility advantages to this, but at the same time, there is some confusion when there are multiple copies of libraries and binaries on the same system.

Homebrew takes the other approach, relying on what is provided in the Darwin base system instead of replicating everything itself. It augments Darwin instead of treating it as unreliable and building its own little world.

Homebrew in general “feels” nicer than Fink or MacPorts. In the words of HackerNews commenter dschobel: “There is so much less friction than using macports or fink that I dropped them immediately.” That’s a good way of putting it. Homebrew is just less noisy and less intrusive.

There are other advantages to Homebrew. The scripts (or “formula” in Homebrew nomenclature) for building and installing packages are simple Ruby scripts. Combine the ease of creating formula with the ease of submitting them to the project – as it lives on Github and anyone can contribute with a simple fork and a pull request – and you’ve got an environment for rapid crowdsourced updates.

And update it has. Originally I ran Homebrew with MacPorts as a backup for things that weren’t yet in Homebrew, but the number of such packages has decreased dramatically. The 1587 formulas (as of this writing) in Homebrew is still much less than the 8100 packages in MacPorts or the 12000 packages in Fink, but the important stuff is well represented (and part of the difference is due to Homebrew intentionally excluding things already in Darwin). Still, it is perfectly fine to run more than one package manager to get the package coverage you need.

Homebrew is very easy to use – I won’t bother replicating the explanation of basic commands here, as the home page and the instructions on the wiki cover them nicely. But I will share one little BASH alias that I use. There is no single Homebrew command for upgrading all of your installed Homebrew packages to their latest versions, the way you might in a Debian-based OS with an “apt-get upgrade”. But a handy little BASH alias takes care of that:

# Homebrew - upgrade all installed packages
alias brew-upgrade='brew update && brew list | xargs brew install'

Error: Failed executing: make install
Please report this bug: https://github.com/mxcl/homebrew/wiki/new-issue
These existing issues may help you:
https://github.com/mxcl/homebrew/issues/#issue/4236

The Github page linked does have the answer, but I missed it for a while because I didn’t scroll down to the money post. The answer is to paste the following into your terminal:

for dep in $(brew deps gnutls); do brew remove –force $dep; done
brew install gnutls

Thank you, jabley.

But frankly, none of that speaks to the quality of the notebook. And as I nearly fill my first one with a year’s worth of work notes, I must say that mine has been a durable, reliable tool.

I’ve never been completely happy with computer-based note-taking solutions (though I have come closer with Evernote on the iPad and iPhone). And like many geek brains – constantly preoccupied with the last technical problem it was trying to solve – mine is a forgetful one.

So, a year ago, I invested in my first Moleskine notebook. I had, of course, heard all of the praise from the true believers. I decided to give them a shot myself.

My writing needs are not like those of, say, actual writers. But I needed a good, compact notebook that I could take everywhere, and one that would be able to hold its own on the inside of a laptop bag, being smashed up against larger and heavier objects.

The Moleskine is beautifully and simply designed. The importance of the little strap that holds the book closed cannot be easily overstated. Unlike every other paper-based thing that is subjected to the interior of my laptop bag, the Moleskine pages stay intact and unmolested, locked away behind an impenetrable shell held closed by that handy little strap.

As much as I like the idea of going completely paperless (as I am with magazines and books), the “best tool for the job” mindset wins out. I will continue to use Evernote for certain things, but for my daily work notes, I will keep reaching for my Moleskine.

“Bloat” is spending 5% of your CPU cycles and RAM to have a nice-looking user interface. “Bloat” is having the nerve to  create a desktop environment that might not run well on a computer that’s 15 years old.

BLOAT is a PDF reader that is a 70 MB download, and (according to the installer) takes up 418 MB of space in total once extracted.

If Adobe software were people, they’d be dead from DIABEETUS.