It’s official. I think the Roche LightCycler 480 has quite possibly the worst user interface in the world… at least as far as currently available real-time qPCR machines is concerned.

First of all, it reports a Cp value as opposed to a Ct value. I still have yet to find out what the hell that means. I’m sure that it makes sense, but honestly, why not let the user set their own threshold values? Or at least give us an option of a couple of calculation methods.

But the biggest problem is that once you start a run, you can’t stop it. I spent an hour and a half setting up a plate with samples that will be very hard to get more of. Instead of using my existing protocol, I mistakenly hit the “SYBR Green Macro” that someone had programmed… expecting it to setup the default experiment and then I’d be able to adjust things as needed before the run starts.

Yeah… no.

I put my plate in, and hit the button.

It asked me what to name the experiment, and then proceeded to start running immediately. No asking. Just starting. And the protocol doesn’t match my primers. I’m looking furiously for a stop button. Oh look, there’s a bright shiny red X. I’ll hit that. ERROR: “You can’t close this screen unless you abort the run” Great, I think… I’ll just abort the run. How do I do that?

THERE IS NO WAY TO ABORT THE RUN.

The ABORT button is disabled. Since the machine takes the plate in with a nifty little sliding tray, you can’t even manually remove it.

Basically, I’m screwed and I have the previous two hours of my life to replay. Thanks Roche. I’m sure that your machine gives good data, but you have a ton to learn about how to actually use an instrument in the lab.

Needless to say, I’m going to lobby heavily against getting a Roche machine ever again.

PS: I’m stuck using this machine because the Eppendorf realtime machine in my building broke. That interface was so frickin simple my 7 month old could figure it out.

I am one of those sorry souls who bought the original iPhone the day it came out. I didn’t have to stand in line, I just happen to live in a city that had shorter lines and a ton of inventory left just before the stores closed at 10pm.

The lure of push-email was enough to get me to upgrade my phone to the 2.0 firmware (that and super monkey ball, which ironically I never bought). The only problem is that my email habits have been pretty firm over the past 4 years in the form of Gmail. I have multiple email accounts end up in my Gmail inbox. All roads lead to Gmail, as it were. I have really gotten used to the Gmail view of mail… don’t delete anything, just archive and search. I don’t really use labels too much, except for filtering out mailing lists. The only feature that I use consistently was using multiple ‘From’ email addresses. I love being able to instantly switch what email account I’m sending mail from: gmail.com, my personal email account, or my work account. It makes life simple.

Except Gmail and IMAP don’t quite work the same way. When you delete a message with Gmail’s IMAP server, you do Archive the message online, but not the conversation, so it’s not a true sync. Also, Gmail’s IMAP can be pretty slow… very slow… And like a lot of people, I want push email.

Now, since I have a Mac and all that entails, I was not about to subject myself to the hell that is Entourage and Exchange. (If I was running Windows, I’d be all over an Exchange account and this post would never have happened). So, that means I’m trying out MobileMe. But since I want the ability to back out of this and go back to Gmail, the configuration is a bit different.

So far here’s my setup:
I have my work and personal email accounts forward to both Gmail and MobileMe. I then have Gmail forward things sent directly to Gmail to MobileMe. So now I get push email of all my accounts. But what about the two features that I use most: Archiving and Multiple email address sending? Turns out this is a bit harder.

Multiple email address sending is a bit easier to explain. On my Mac, in Mail, I have only my MobileMe account setup. It is set to use the Gmail SMTP servers as opposed to the MobileMe ones. Since MobileMe is just a fancy IMAP server, all send mail goes into the “Sent Messages” folder anyway, and this way Gmail still indexes the messages. Gmail is setup to accept (for sending) mail from my personal, work, and MobileMe accounts, so that is all the same. To get the Mac’s Mail app to support this, all you have to do is add each email address you support in the “Email Address” field in the Account setup screen (comma delimited).

On the iPhone it’s a bit more tricky. To get this to work, you need to setup email accounts for each address you’d like to use. And they have to be “Active”. But you don’t want to check all of those accounts. So once you have it all setup, you can then remove the information about the Incoming servers. This effectively makes the accounts send-only. I’ve gone ahead and made sure that the accounts use Gmail’s SMTP servers again, so Google can index things for me. The only downside is that I’ve lost the ability to access the sent message from my desktop machine’s Mail app, but I could access it from Gmail’s IMAP interface, if I really needed to.

Archiving things is a bit more tricky, and I’ll describe that (and my script that facilitates it - yes, it needs a little help) in a later post.

So I have this nice shiny MacBook pro that I’d like to start doing my programming on.  Prior to this I was using a combination of a Linux server and a Windows laptop for development work.  All of my prior development on my (older) Mac was in Java.  My new machine is a Core 2 Duo MacBook Pro running Leopard (this become important).

Java is nice… libraries are all .jar files that are so platform independent you rarely have to worry about Mac/Linux/Windows issues (for the most part).  However, I’ve been trying to expand my programming languages by adding Python to the list.  I’ve been working with Python a decent amount recently and found it to be quite pleasant.

So when it came time to start a new set of data analysis, I thought, ehh, I’ll just do it in Python.

And that was my mistake.

I got MySQL installed pretty easily by downloading the x86_64 Mac binary from mysql.com.  This went off without a hitch.

Next I tried to install MySQL-Python.  First I tried easy_install, and that failed with:

In file included from /usr/local/mysql/include/mysql.h:47,
                from _mysql.c:40:
/usr/include/sys/types.h:92: error: duplicate ‘unsigned’
/usr/include/sys/types.h:92: error: two or more data types in declaration specifiers

error: Setup script exited with error: command ‘gcc’ failed with exit status 1

That doesn’t look good. Lo and behold, there is a bug in the python-mysql library. But wait, isn’t python platform independent? Well… kinda. As it turns out Python is the funky hybrid system where some of the libraries can be compiled C and others pure Python. From the Java perspective, it’s similar to having some JNI native code mixed in… only this particular library doesn’t do it very well (on a Mac).

But, I’m a smart guy… I used to be a C guy in a former life, and I know how to use Google.  Turns out, it’s a very simple fix.  A few commented out lines, and  a s/uint/unsigned integer/g later and I’m in business.  I run:

python setup.py build
python setup.py install 

and hope for the best… but I’d be wrong.  If you try to import MySQLdb in python, you get this error:

Traceback (most recent call last):
  File “<stdin>”, line 1, in <module>
  File “build/bdist.macosx-10.5-i386/egg/MySQLdb/__init__.py”, line 19, in <module>
  File “build/bdist.macosx-10.5-i386/egg/_mysql.py”, line 7, in <module>
  File “build/bdist.macosx-10.5-i386/egg/_mysql.py”, line 6, in __bootstrap__

ImportError: dynamic module does not define init function (init_mysql)

gcc -fno-strict-aliasing -Wno-long-double -no-cpp-precomp -mno-fused-madd -fno-common -dynamic -DNDEBUG -g -Os -Wall -Wstrict-prototypes -DMACOSX -I/usr/include/ffi -DENABLE_DTRACE -pipe -Dversion_info=(1,2,2,'final',0) -D__version__=1.2.2 -I/usr/local/mysql/include -I/System/Library/Frameworks/Python.framework/Versions/2.5/include/python2.5 -c _mysql.c -o build/temp.macosx-10.5-i386-2.5/_mysql.o -Os -arch x86_64 -fno-common

ld warning: in build/temp.macosx-10.5-i386-2.5/_mysql.o, file is not of required architecture
ld warning: in /usrld warning: in build/temp.macosx-10.5-i386-/local/mysql2.5/_mysql.o,/lib/libmysqlclient_r.dylib, file is not of required architecture
file is not of required architecture
ld warning: in /usr/local/mysql/lib/libmysqlclient_r.dylib, file is not of required architecture



$ gcc -fno-strict-aliasing -Wno-long-double -no-cpp-precomp -mno-fused-madd -fno-common -dynamic -DNDEBUG -g -Os -Wall -Wstrict-prototypes -DMACOSX -I/usr/include/ffi -DENABLE_DTRACE -pipe -Dversion_info=”(1,2,2,’final’,0)” -D__version__=1.2.2 -I/usr/local/mysql/include -I/System/Library/Frameworks/Python.framework/Versions/2.5/include/python2.5 -c _mysql.c -o build/temp.macosx-10.5-i386-2.5/_mysql.o -Os -arch x86_64 -fno-commonin

$ python setup.py install



Traceback (most recent call last):
File “”, line 1, in
File “build/bdist.macosx-10.5-i386/egg/MySQLdb/__init__.py”, line 19, in
File “build/bdist.macosx-10.5-i386/egg/_mysql.py”, line 7, in
File “build/bdist.macosx-10.5-i386/egg/_mysql.py”, line 6, in __bootstrap__
ImportError: dlopen(/Users/mbreese/.python-eggs/MySQL_python-1.2.2-py2.5-macosx-10.5-i386.egg-tmp/_mysql.so, 2): no suitable image found. Did find:
/Users/mbreese/.python-eggs/MySQL_python-1.2.2-py2.5-macosx-10.5-i386.egg-tmp/_mysql.so: mach-o, but wrong architecture



$ file /Users/mbreese/.python-eggs/MySQL_python-1.2.2-py2.5-macosx-10.5.egg-tmp/_mysql.so
/Users/mbreese/.python-eggs/MySQL_python-1.2.2-py2.5-macosx-10.5.egg-tmp/_mysql.so: Mach-O 64-bit bundle x86_64



$ file `which python`
/usr/bin/python: Mach-O universal binary with 2 architectures
/usr/bin/python (for architecture ppc7400): Mach-O executable ppc
/usr/bin/python (for architecture i386): Mach-O executable i386


This post was on the front-page of Dzone today: Bullet Proof Cookies. It got like 7 up votes when I saw it.  Did anyone actually read the article? This shows a horrible way to use cookies.  Well, maybe not horrible, but at least it is certainly over-kill.

The author recommends encrypting your cookie data, digitally signing it, and sending that to the browser. The idea is that by encrypting the data, the client won’t be able to know what it is or modify it. This is a nice way to go, but why go through the trouble when you don’t need to store data in cookies to begin with?

Specifically, my rule of thumb is that if you don’t want a client to know the data, don’t send it to them.

The most common feature to use cookies to store information is the “remember-me” feature of most web sites. Once a user successfully logs in, you want to allow them to be auto-logged in. The author of the above article suggests that you send them their userid, but since you don’t want them modifying the cookie, you encrypt it. Well, that’s one way to do it (the hard way).

There are two other methods that are easier (and still secure):

• Send hashed data
• Send a randomly generated ID that links to data on the server

Secure

I’ve not looked at the internals of WordPress, but based upon the cookies that I have on my system from wordpress.com, it looks like they implement the remember-me function by sending a string that looks like something this: username%hexadecimalsalt%hex-sha1?-salted-hashed-password. (I could be wrong about what WordPress does, but since this is how *nix /etc/passwd files work, it’s pretty secure anyway)

In this case, you don’t see the password, but you have the hash of the password. If you change the username, it won’t work. If you change the rest of the string, it won’t work. The only downside, is that if an attacker has enough time, they _could_ figure out what your password is using a brute-force approach. This technique is useful in situations where you are checking two values, and unsecured one, and a secured one (the username and the password). On the server side, you can use the browser’s cookie value to lookup the username, and compare the sent hash with a calculated one. But what should you do if you don’t have a unsecured data to perform a lookup? The answer is: use a randomly generated id.

More secure

I personally never store data in a cookie, but rather store a randomly generated identifier that maps to the data on the server-side. This is very similar to the way that sessions are implemented (PHP,Java, ASPX,etc). Let’s say you have a user that wants to be auto-logged in (remembered) with they visit your site the next time. What I do is to add a new field to my database’s user table named “rememberme”. Then I’ll generate a new, random string (UUID, SHA1 hash of some random value, etc…). I’ll then store that value in the database user user.rememberme, and send that value to the user as a cookie. This avoids storing data on the browser that could be exploited, and lets the user still have their remember-me functionality.

A bit more secure

Now, this approach is no more or less secure than standard cookie based sessions. That is to say, it can be easily hijacked if someone obtains the value of the cookie. One way to generate some sort of signature of the user’s browser using the User-agent, IP address, etc… This could be as simple as using only the IP address, or concatenating the User-agent string, IP address, the “Accept-*” headers, etc, and hashing the concatenated string. You could then store this browser signature along with the randomly generated id above. This would give you a little more data to use to authenticate your user and be more confident that it isn’t a man in the middle attack.

Paranoid level of security

Now, if you must store data in a cookie that the user isn’t supposed to know, or that you don’t want to store in plaintext (passwords), then yes, encrypting and signing the data will make it more secure.  But you’ll be adding a ton of overhead to your HTTP request, so be sure to restrict the domain of the cookie.  Also you’ll still not be able to verify that the client is who you think they are. To do this, you’ll need to combine one of the above methods with SSL-only cookies and the secure bit. And if you’re need this level of security, you probably shouldn’t be using HTTP anyway, you should be using HTTPS. (Actually, if you need this level of security, you already know all of this and shouldn’t be reading this!).

I hope this helps, and gives you a few more tools to use in your secure cookie arsenal without needing full-blown encryption.

Well, I know that this has the effect of breaking links… and this sucks. So, I’m leaving up the old site at: fourspaces.com/blog for a while until I can figure out what I’m going to do to make sure that existing links redirect. This is mainly to protect the links to the FeatherDB information. Perhaps I’ll split that out as a main project in the future (Embeddable Document DB for Java?) Maybe we’ll rename it “Eddy” :)

Perhaps now I’ll start writing more often about what is happening. This was also precipitated by the lack of spam-fighting ability in my custom written blog engine that I was running. I’m also starting to get tired of using Java for web-apps in general, so I feel less of a need to dogfood my own frameworks.

So, we’ll see how it goes.