SuperHappyDevHouse

After the successful Software Freedom Day hackfest organised by Brenda of SHDHNZ, we're going to be having a mini happy dev house on November 2 at Southern Cross. As always, it'll be a hackfest with a friendly atmosphere, food and beer nearby, and other patrons wondering whether people gathering in public with laptops is illegal.

If you're thinking of coming, head over to the November projects page on shdh.org.nz, and add your name and what you might work on.

Hope to see you there!

June SHDH yesterday. Brenda has a writeup. I must admit, I also noticed the stares, and the people hurriedly looking away when you looked at them. Ah it feels great being misunderstood and feared ;)

In terms of actual work done, I added apache2 proxying support to autovserver - and did that mostly in the last 10 minutes of being there. I keep spending lots of time talking to everyone else there rather than coding, especially Andy, who is as die-hard open-source as they come. We were talking about cil, his little distributed command line bug tracker, and got on to talking about some kind of "Insta-Project"(tm) thing, that would populate a directory with a README, COPYING, basic debian packaging, a gitrepo (if it doesn't have one, which it should!) and a cil tracker so you can turn those little scripts you want to publish into a project with minimal effort. I'd like to see this implemented some day, though I can't see me having the time for a while because work is so hectic :(.

That's one thing I do like about SHDH. It's a chance, once a month, to go somewhere and code on something I want to work on. Not that I don't like working on Mahara - on the contrary, I love it - but it seems I have a million ideas for things I could do and not enough free time to do them. If I quit my job I don't think I'd ever get bored - at least, not until the moneys ran out ;).

Another MHDH in June. Themed "Hello World in strange languages". Should be a blast, and hopefully I'll get a chance to work some more on autovserver.

Meanwhile, my list of stuff to do at work has got amazingly long again. My current project, which is doing some performance benchmarking, is really interesting. A chance to play with some grunty hardware and see what the limits are. It's not often you get a chance to do such work - most of the time you're just causing the performance problems^W^W^W^W coding *ahem*.

Some Mahara work looms on the horizon as well. Yay!

Well the fact that you're reading this means that I've been successful in my SHDH mission - to fix the script that lets me blog! That's why the currymail was so late this week.

I can also upload images via a script too. So adding content to the site is dead easy now, which is the way it should be :)

The SHDH (actually a minihappydevhouse) had quite a few participants, I reckon we had 20 or more, which was a great effort. Good to see so many people hacking, eating or just talking about stuff. Things that happened, in no particular order:

1. Martin Langhoff was late (of course! He's from South America :)
2. Andy showed me cil. Command line bug tracking, git style. He's debian packaging it, so hopefully I can start using it for a few things soon. I think the idea has great promise...
3. I preached to a small crowd about performance of websites, only to be caught out when my site wasn't practising what I was preaching ^_^.
4. Francois and Andy found out about the sneaky requirement for tabs in Getopt::Declare
5. Lots of people found out about the OLPC. I presume some hacking may have been done on it. Ben spent his time playing Sim City on it instead.

There was a lot more, I'm sure.

VERY IMPORTANT INFO: if you've voting in Wellington mayoral election, which uses STV - you don't need to rate *all* the candidates.

If there's someone you never ever ever want to be mayor, don't give them any points at all.

ONE NONE NONE.

Zero points for her.

-->

needs furniture

Still not officially announced by anybody inside Microsoft, but quietly this morning the first preview of ASP.NET MVC 3 appeared on Microsoft Download.

And it’s exactly what everyone was expecting after last month’s announcement of Scott Guthrie of Razor, the new view engine for ASP.NET MVC.

What else does this new version bring to the table?

First of all it takes a dependency on .NET4. It means that you cannot be able to use it unless you migrate you applications to the latest version of the .NET framework (and if the story repeats itself, with the RTM coming out next year, this won’t be a big deal). And it also means that finally the framework can use all the cool features of C#3, like the dynamic keyword and the new features of .NET4 like the new data annotation’s attributes

• Razor: already announced a few weeks ago by ScottGu, it’s a new view engine that tries to make it easier to mix code and HTML
• Dynamic View and ViewModel: now you will be able to use “dynamic” view model and pass them to a view, without using the ugly hashtable approach. At the end of the day it’s still the same thing (no compile-time checking) but at least you don’t see all that ugly “magic strings” around
• Global Filters: in ASP.NET 2, if you need to apply a filter to all your controllers you have to apply it to you own base controller, and have all your controller inherit from it (actually you could also apply the same attribute to all your controllers if you like writing lot of repetitive code). Now you can just register the global filters in the application startup, just like you do now with the modelbinders or view engines and so on
• Dependency Injection support: this is probably the most important feature introduced with this release: the ability to use your favorite IoC Container (using the Common Service Locator) to create controllers, factories, views, filters and so on. Brad Wilson has a great series of posts about that.

It was just a very quick recap: I’ll follow-up with a more detailed post in the next days.

Now, run and download the preview and play with it.

Tags: aspnetmvc,aspnetmvc3,razor,IoC

warning, make sure your bike has 2 wheels, originally uploaded by Br3nda.

-->

Coming soon to TVNZ 7, InternetNZ - and a dedicated page here on Geekzone. If you plan to tweet about this please use the tag #TVNZ7:


Broadcaster TVNZ 7 and online policy leader InternetNZ (Internet New Zealand Inc) are proud to announce the TVNZ 7 Internet Debate on Wednesday 11 August at 9.10pm, LIVE from Avalon Studios in Wellington and hosted by experienced journalist Damian Christie.

The TVNZ 7 Internet Debate will be broadcast on TVNZ 7, streamed online and will incorporate online chat and polling to debate one of the most contentious topics surrounding the Internet today – “Who is responsible for safety and privacy online?”

The Debate will investigate three contentious areas of the Internet age – the safety of children, government intervention such as Internet filtering, and the industry’s responsibility to keep our data private as use of social media grows.

The public can watch on TVNZ 7 (available on Freeview/TiVo channel 7 or SKY/Telstra channel 97, www.internetnz.net.nz/tvnz7debate, or www.geekzone.co.nz. Online conversation leading up to and on the night will be established on Twitter, Geekzone and Facebook.

An expert range of panelists has been assembled including NetSafe Executive Director Martin Cocker, InternetNZ CE Vikram Kumar, Family First National Director Bob McCroskie, Telecommunications Industry Group CEO Rob Spray, Watchdog International founder Peter Mancer and Taylor Shaw lawyer Kathryn Dalziel.

The show is part of TVNZ 7’s Spotlight on Science and Technology month and is produced by Wellington production company Top Shelf.

TVNZ 7 Channel Manager Philippa Mossman says “TVNZ 7 is all about discovering, discussing and debating and we’re pleased to be working with InternetNZ to bring this thought-provoking debate on a topic that affects each of us in a far-reaching way. It’s a logical fit with our focus on science and technology in August, but it’s as much a debate about contemporary society and culture as it is about technology.”

InternetNZ CEO Vikram Kumar says the online world has become an inextricable part of most New Zealanders daily lives.

“As more New Zealanders connect and the Internet continues to grow, issues of online safety and security, use and abuse of social media, government filtering and censorship are coming under the microscope.

“The TVNZ 7 Internet Debate focuses a lens on these issues, asking who is responsible for online safety and privacy in the context of parents & children, individuals vs. government and individuals vs. the internet industry.”

On the day of the TVNZ 7 Internet Debate a series of public workshops will be hosted by InternetNZ in Wellington and NetSafe in Auckland.
For more information see:

facebook.com/TVNZ7
internetnz.net.nz/tvnz7debate

It seems my previous posts on the iPad 3G coverage in New Zealand have hit something - a lot of people thought I was supporting one network operator or another. Not at all - it's just to let people know where they would get more from their new mobile device and why.

I urge people to read the first post in the series "Where can you get 3G coverage for your new Apple iPad in New Zealand" for a complete picture of 3G coverage and to understand what's at play here.

Now the good news: if you have plans to buy an iPhone 4 when it hits the local market this Friday, then you will have 3G almost everywhere, regardless of which mobile operator you decide to go with.

That's because the iPhone 4 works in all 3G frequencies currently available in New Zealand: 850MHz (Telecom XT), 900 MHz (Vodafone 3G Extended) and 2100 MHz (Vodafone 3G).

As per my previous posts, Telecom XT runs a single 850 MHz network.

Vodafone runs two 3G networks, complementing each other. Combined, Vodafone 3G (2100MHz) and Vodafone 3G Extended (900MHz).

Bot operators claim to cover 97% of the New Zealand population (or as they say "where people live, work, play").

Here is a comparison of 3G coverage you will get when using the Telecom XT (left) and Vodafone 3G/3G Extended networks (right):

Click the map for a bigger version. Make sure you visit both Telecom New Zealand 3G coverage map and Vodafone New Zealand 3G coverage map to see for yourself. When looking the Vodafone New Zealand map remember to check the 3G and 3G extended boxes to get the complete view.

In a previous blog post I explained where you can get 3G coverage for your new iPad in New Zealand.

Because the images I sourced had different resolutions I had to post one map for Telecom New Zealand and multiple maps for Vodafone New Zealand.

A reader sent me in a single large image showing side by side the Telecom XT and Vodafone 3G coverage. You can click the map to get a large version:

Everyone heard about the Hell Pizza database leak, but what is only now showing up in the media is a story that seems to be developing for more than twelve months. Back in August 2009 some Geekzone users reported receiving spam on email addresses used only with Hell Pizza's online ordering system.

At the time someone posted in our forums on behalf of Hell Pizza saying "we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vunerabilities in the latest version we have installed."

Fast forward thirteen months to this week and blog Risky.Biz published "I know what you ate last summer" where it reveals that "multiple intruders have compromised Hell Pizza's 400mb (sic) database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries."

It continues "When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

The New Zealand media found the story, and the NBR published "Hell Pizza: customer database could have been hacked". Chris Keall contacted Hell Pizza director Warren Powell who said "Everybody gets hacked into, even the Pentagon." He also added "The potentially stolen data was "of no value to anyone."

That's the problem. The data is valuable to spammers and for anyone who would like to try any of those 230,000 passwords in other sites - it's a known fact that many Internet users simply reuse the same password in different sites. This can potentially lead to identity theft. This is serious business.

According to a story on Stuff "Hell's director Warren Powell told NZPA he is unaware of any breach in security, and IT staff have so far found nothing proving information has been stolen."

Now comes the interesting part... Mr Warren Powel said to Stuff "If there is breach of security it will appear, data would have been removed and therefore it would appear as a download. We'll be able to find out the day and the computer it was downloaded to and we'll be able to prosecute this person if they exist."

They won't find anything. If Risky.Biz is correct, the old Hell Pizza ordering system was developed with poor attention to security, and the application running on the user's browser was communicating directly with the database.

This means any connection to the database would be considered valid, therefore those "dedicated, monitored firewall" wouldn't do any good.

It also means anyone could issue commands to the database and receive a response with that data - in which case it wouldn't appear as a download at all, but as a normal web request in the web server logs.

I tried contacting Hell Pizza via email but received no reply.

People on Geekzone noticed the Hell Pizza Ireland website could still be running the old, apparently vulnerable version of the ordering system. Currently both Hell Pizza Australia and Hell Pizza UK are returning server errors, with messages that lead us to believe they too were running the apparently vulnerable site version until recently - perhaps taken down to prevent further access to data?

I was alerted by one of the Geekzone users of further evidence that there was a vulnerability on the old Hell Pizza ordering system, and a Google search reveals the existence of a script that was there only to execute SQL commands - so vulnerable in fact that even Google found it and cached a result:

In an email sent to customers this week, Stu McMullin, Hell Pizza Director says "Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint.  Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure your may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website."

Juha Saarinen reminded us, via Twitter, of the Privacy Commisioner's Privacy Breach Guidelines.

How long since Hell Pizza had knowledge of this security breach? Or did they only realise something was happening after Risky.Biz contaced them? If they did have knowledge, why wasn't it disclosed before? Will we see other New Zealand companies working to improve their IT security practices after seeing this happening?

IMG_2422.JPG, originally uploaded by reedwade.

-->

A few days ago, Darren Rowse from ProBlogger stated a blogging challenge: The 7 Link Challenge. Basically it’s about picking 7 posts that fit into 7 different “themes”. Without further ado, here they are. Sometimes I’ll break the rule and will link to 2 posts per category, but, after all, rules are made to be broken, aren’t they?

• My first Post – I wrote my first post in October 2006. It was titled Subtext Halloween. Actually this is a post I previously posted in my Italian blog, together a few others before launching the “new” blog in the proper way.
• The post I enjoyed writing the most - “My ASP.NET MVC stack and why I chose it” – After a lot of time doing kind-of team management and maintaining of old applications, last October I finally had the chance to work a green-field application with ASP.NET MVC, jQuery, IoC and applying all the best practices I had been talking and writing for so long.
• A post which had a great discussion – “Why SketchFlow is not a mockup software” and “ASP.NET MVC brings FUN back inside web development, on .NET”. The first because it had many people I respect and the “owners” of the products being discussed commenting on the post, with great insights on the reasons behind why things are in certain way. And the second because it was nice to read different opinions on the first versions of  ASP.NET MVC, when people were still thinking the new framework was too much work compared to WebForms. Actually also the post “Do you wanna be the Picasso of programming? First learn the rules, and only after break them” had a great discussion about when and how to be strict applying the best practices for good design.
  If I take into account the number of comments only, probably the post with the most comments is “So Long Avanade, and Thanks for All the Fish”, where I announced my new job and my relocation to a new country. But they are mostly “congratulations”, so don’t qualify for a “great discussion” . Part of the reasons I don’t get 200-300 comments on posts is because I decided to auto-closing comments 2 months after a post is published. Probably I’ll change this policy in the future.
• A post  on someone else’s blog that you wish you’d written - “Think before you bind” and the follow-up “Easy And Safe Model Binding In ASP.NET MVC” by Justin Etheredge. That topic is still relevant even with the latest version of ASP.NET MVC, and the two post show that you always have to think carefully about the consequences of what happens when you use the “auto-magical” features of a framework: in this case, you could be easily hacked.
• A post with a title I am proud of - “How to make a Gmail-like loading indicator with ASP.NET Ajax” – It was still in the pre-twitter era, but I guess this is the kind of title that would get attention. And not so surprisingly, it’s my second most popular post.
• A post that you wish more people had read - “13 ASP.NET MVC extensibility points you have to know” – I think that the extensibility story is one of the best feature of ASP.NET MVC. I think this is a must read for everyone that is working with it. Go and read it NOW!
• My most helpful/visited post - “How to refresh an UpdatePanel from JavaScript” - This post written June 2007 is about something that should have been trivial, but it wasn’t. And surprisingly still generates 7-8% of my visits. Which shows 2 things: there are still a lot of people that are using UpdatePanel, and that abstractions are fine as long as you don’t need to do something they were not planned for.

I’m not going to nominate someone else to do the same, but it would be fun to see other .NET bloggers joining that “challenge”.

Tags: posts,problogger,7links,aspnetmvc

The Apple iPad was launched today and I've seen some comments on Twitter about 3G coverage. First thing to understand where you will get 3G coverage is to know which "type" of 3G the iPad can "see".

The Apple iPad (first generation) works on 850 MHz and 2100 MHz WCDMA bands. We have two mobile operators offering 3G in New Zealand, with a third one coming very soon.

Telecom New Zealand operates a 3G network in the 850 MHz band. Telecom does not operate a 2G network - wherever you get coverage it will be 3G.

Vodafone New Zealand operates a mix of 2G and 3G networks. It also operates a 3G network in two different bands, that is 900 MHz and 2100 MHz. Vodafone deployed 2100 MHz 3G in the main centres and larger towns, covering 70% of the population. The 900 MHz 3G band is available elsewhere.

This means that if you have an iPad and use Telecom New Zealand then you will have 3G access wherever you have Telecom XT coverage, because Telecom operates a 850MHz which is compatible with the iPad 850MHz 3G.

If you insert a Vodafone New Zealand SIM on the same iPad you will have 3G coverage only in its 2100 MHz 3G network. It means that where Vodafone offers the 900MHz 3G flavour you will be out of luck. Depending on coverage the iPad may operate in the much slower 2G (GPRS) network. How much slower? Think dial-up speeds, with much higher latency.

The maps below tell the story:

Telecom New Zealand 3G coverage page:



Vodafone New Zealand 3G coverage page (remember to check only 3G, not 3G extended):









Obviously coverage changes over time, so make sure you visit their coverage pages to check the current status.

If you are using Orcon Mobile, your 3G coverage will be similar to Vodafone New Zealand, because Orcon uses Vodafone for their network.

When 2degrees Mobile launch their 3G service, total coverage will be similar to that of Vodafone New Zealand, because while 2degrees has their own network in Auckland, Christchurch, Queenstown and Wellington, the rest of the country will be serviced by a roaming agreement with Vodafone New Zealand.

UPDATE: you can see both 3G coverage in a larger image here.

keeping the tree warm in winter, originally uploaded by Br3nda.

-->

Our Geekzone forums have been very busy this week with reports of 2degrees making their new 3G network available for public use throughout New Zealand the last week or so. 2degrees is New Zealand's third mobile operator, with its own mobile network in the main centres and elsewhere using Vodafone New Zealand's network.

Today I met with 2degrees and was briefed in what's happening. This is the summary:

3G network is lit in most places, for testing. Their own technicians have been around the country doing their tests but they wanted more accurate usage patterns to start - so they have it running.

For example Wellington CBD was lit yesterday and they noticed 13% of the connections automatically switching to 3G. This is interesting because they currently don't sell 3G handsets.

The sad part is... 2degrees will be locking it down from end of next week. And we don't have a date for when the service goes live.

Their 3G network is paired with their current 2G network (meaning where you have a 2G site there will be a 3G site). Obviously different loads will make coverage different.

The 3G network is available in Auckland, Wellington, Christchurch and Queenstown, covering 48% of the population. Other areas, as we know is going to be covered by a roaming agreement with Vodafone.

There are plans in progress for additional network coverage, with Hamilton and Tauranga town planning in progress. Due to resource consent times and 3G release this won't happen until next year though.

No commercial details are available - plans, packs, national roaming.

New 3G handsets will come out (surprise) and Android devices. Micro SIM will be available "soon".

I was given a Huawei USB modem with a SIM card to test, but it will stop working when the network is locked again next week.

And that's all I have to say - nothing else was disclosed.