Jim's Depository

Under Mac OS X there is a program named “security” which lets you manipulate the keychain. Its error messages are a bit useless though.

If you find yourself trying to validate a certificate and getting  Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE as a result, it could be because the certificate has entries in the subjectAltName encoded in something other than ASN.1 IA5String. In particular, PrintableString is accepted by openssl and firefox, but not by OS X. 

When seen from Safari, these certificates will bump the browser back to the previous page, and if you look in the debug console will show: The certificate for this server is invalid. You might be connecting to a server that is pretending to be YOURHOSTNAME

There. Hopefully this bit of text and some googling will save someone else an afternoon.

Until recently, you got a single identity per credit card with your Amazon Web Services (AWS) account. It you wanted to grant limited access to your S3 storage to a program or server you were pretty much out of luck.

Now, Amazon is slowly rolling out subordinate accounts, with something they call AWS Identity and Access Management (IAM). Unfortunately for you, as of March 2011 they haven’t gotten around to making the web based management interface, so you are going to get to tour a bunch of command line programs written in Java.

1. Go to IAM Getting Started Guide and start following steps to install Java and Amazon’s tools, then set a half dozen environment variables. (Go back and install sun-java6-jre if you are a Debian user, make sure non-free is in your apt source lists. Other Java implementations might work, I don’t know. And the right answer for JAVA_HOME is /usr in Debian)
2. If you get a bunch of “Unable to execute HTTP request: Network is unreachable” errors, it probably means you have a partially functional IPv6 address. You can turn your IPv6 off with  echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 ip addr del ::¹⁄₁₂₈ dev lo
3. You don’t need to mess with groups if you don’t want to. Just use… iam-usercreate -u YOURNEWUSERNAME -k -v
4. Copy down the first two lines, that is the AWSAccessKeyId and AWSSecretKey for the new account.
5. Copy down the third line, this is the “arn” you will use to set your access.
6. Now it gets strangely painful. As near as I can tell, there is no way to reference your newly created User account in the “Grantee” section of the S3 management console, so you are going to have to delve into writing policies. You can use the policy generator to make an S3 Bucket policy. Use the “arn” you saved from line 3 as the “Principal”, set the privs you like, and for the “Resource” you can include a partial key with a “*” as a wildcard. Mine came out like this:
   { “Version”: “2008-10-17”, “Id”: “Policy1299041893976”, “Statement”: [ { “Sid”: “Stmt1299041882010”, “Effect”: “Allow”, “Principal”: { “AWS”: “arn:aws:iam::711941626500:user/MyUserName” }, “Action”: [ “s3:DeleteObject”, “s3:PutObject” ], “Resource”: “arn:aws:s3:::MyBucket/*” }, { “Sid”: “Stmt1299041882010”, “Effect”: “Allow”, “Principal”: { “AWS”: “arn:aws:iam::711941626500:user/MyUserName” }, “Action”: [ “s3:ListBucket” ], “Resource”: “arn:aws:s3::: MyBucket” } ] }   The first half gets me PUT and DELETE on objects. The second half gets me GET on the bucket. I don’t really need that, but boto needs it when I create the bucket object to then do my put.
7. Apparently Amazon engineering hates developers.
8. There is an orthogonal mechanism where you make IAM policies that grant permissions to your users. That might have made more sense, but absent a web console to view them I thought I’d go with the bucket policies.

So, there you have it. Restricted roles in your S3 account.

If you use Orbitz, they will sometimes tack on unwanted travel insurance. You will know this happened when you get an email from Access America with your policy. Orbitz will then pretend they can not remove it and direct you to a dysfunctional voice menu system at Access America, I suppose to try to wear you down. (There are no appropriate options, and I never could get to a human. It appears to always have “higher than expected volume”.)

Don’t let them win.

• http://www.accessamerica.com/
• Find the Modify/View Policy link
• Your policy and departure date are in the email
• They will thank you and maybe in 30 days give your money back.

Update: Refund arrived.

An January 20th iFixit published Apple’s Diabolical Plan to Screw Your iPhone about Apple’s evil pentalobular screws and their $10 kit to live with them.

As viral nerd stories go, it has everything. There is a powerful evil villain, an underdog hero, an articulate, attractive nerd (if you found the video), educational material, and a happy ending.

Let’s see how it turned out for them…

Alexa measures internet traffic with some system of taps and spies unknown to me. But you can ask it about a web site and see how their traffic fairs over time:

Google Trends will tell you how search term frequency is changing with time:

I think we can safely say that article tripled iFixit’s web traffic. It’s too soon to know the long term effects, but presumably some of those eyeballs were connected to memories that will come back when they need help repairing their devices.

Another key life skill in place. The video at YouTube - Scientific Tuesdays - How to Breathe Fire Safely with Corn! covers it in both more and less detail than is required.

Most important hint: Exhale!

Second most important hint: have potable water on hand.

My hairline must have seen this coming, it has been getting out of the way for years.

I’ve spent all morning working on the next feature to be added to a piece of software I haven’t told you about. I finally added it by typing a string of 14 characters in one line of a source file.

I’m coding at about 30 minutes per keystroke.

Before one spends a good deal of time converting the RFCs into a well formatted EPUB with modern, legible typography… one should read RFC COPYRIGHTS & IPR.

I learned a new language (the actual purpose of the exercise), and had a grand time with fuzzy algorithms for deriving the intent behind the sequence of bytes, but ultimately, I can share it with no one and will not finish it. (Sorry Mechanical Turk, you will not get to labor away on my edge cases.)

Long story short on the RFCs: It doesn’t appear that anyone thought out the copyright issues for many years and now it is too hard to resolve it. 

Probably the best solution would be to find the 10% of RFCs that matter and build replacements with proper rights assignment and move on, or just live with them as is.

I’ve published tinycamd version 0.3.

tinycamd is a webcam program for Linux which makes Video4Linux2 devices available for http access. It is mind bogglingly efficient when using cameras with JPEG or MJPEG hardware compression. When using UVC (USB Video Class) cameras it includes a handy HTML 5 based page for adjusting the camera controls.

You can find the code at Google Code: tinycamd. You can read the attached man page.

I’ve written jpegapp which can be used to remove, insert, and extract the application specific segments of a JPEG file. I used it to embed transparency information in JPEGs, but you can use it however you like, some things that come to mind:

• Remove EXIF or other strange camera information from JPEGs that you publish.
• Attach source annotations to images when your create them automatically.
• Yank out some application’s data to analyze.

A PDF of the man page is attached to this article.

You can find the source code over at google code jpegapp. BSD licensed. Enjoy.

I have written a program and some javascript to add alpha channels to JPEG images and render them correctly in modern browsers. 

The exposition requires some Javascript which femtoblogger does not allow, so I have documented the techniques on their own page: On adding alpha channels to JPEG images.

The code isn’t pretty yet, but it works.

I apologize for not testing on IE. The canvas based method should work with FlashCanvas per http://blog.jackadam.net/2010/alpha-jpegs/, but I don’t have the licenses to run the IE test images. (Wine will unpack the self extracting .EXE they insist on using as a shipping container, but VirtualBox has different emulated hardware from what the images expect and that leads to no network which cascades into avalanches of dialogs asking to download network drivers over the network that doesn’t exist and demands to register over the network with does not exist.)