Kartones Blog

Be the change you wanna see in this world

Code and style checks for Ruby at Sublime Text

I use lately Sublime Text a lot, both at work and at home, where it's curious that even for languages that I have better tools available and installed (C#/ASP.NET, Powershell...) I usually use Sublime too instead (because is faster and I don't need to compile nor debug). Also, at work my colleages have activated Hound to get GitHub comment floodings coding style violations and, as you get one comment per broken rule, some pull requests become really hard to code review.

So, in order to prevent hound bites (and learn in a more confortable way what rules I should follow), I checked and fought a bit with Sublime plugins to setup the same rules that Hound uses for Ruby code (Rubocop gem) and have them inside my IDE. If you want to have realtime coding style checks inside Sublime 3, you need this:

Just take into account to leave the Rubocop rules file named as .rubocop.yml at the project's base folder, because SublimeLinter-Rubocop doesn't allows to specify another name/path. Also restart the IDE after installing everything.

It is fun that at 2005 we had nice aggregated CI reports that you could also concatenate and send via a single email (or check online at your CI server) but at 2015 receiving literally 50 emails after creating a pull request seems good by a continuous integration tool maker... ¯_(ツ)_/¯

12 game engines recreations for classic PC games I like

Syndicate Wars Port screenshot

Note: All of this engines require the original game data files as they are work based on reverse engineering of the game binaries but all content must be installed by you. You can find most games quite cheap at either Steam or Good Old Games.

I love videogames, but lately I'm noticing that out of the dozens of monthly releases, as much as one title per month is appealing to me. While this is good for my lack of time, it also means that with some exceptions, I'd sometimes rather play an old videogame instead of the latest triple-A. But, as Windows evolves compatibility breaks, and regarding old videogames many times the only available trick is to fallback to DosBox. You setup everything, launch it... and notice that playing Dungeon Keeper at 320x240 was acceptable back then but now feels way too low for a strategy game.

Ohh, nostalgia, always tricking our mind into feeling that old games were superb and awesome, but also forgetting that UIs were more ankward, resolution was pretty low, and games had also bugs (although not so many as today constantly-patching madness) and severe limitations. Thankfully, there is an answer for this wish of "playing old videogames fixing old times annoyances": Fan-made game engine recreations. Crazy developers that rebuild the game internals either as a multiplatform game (Windows/Linux/Mac) or at least compatible with the latest Windows versions (still a great achievement considering that many were made for MS-DOS), but usually also offering higher resolutions, working online multiplayer, tons of bugfixes and usually also some tweaks or improvements over the original.

Here is a small alphabetical list of 12 classic games that I love playing with custom engines because they recreate quite well the experience or when they enhance it, it really is for good.

  • Diablo 1 HD Mod: Diablo had lots of unfinished quests and even some art. The Green Portal (unofficial) and Hellfire (official) expansions added content, but this mod not only joins those but also fixes all known bugs and half-baked quests. It also has a crafting system, adaptative difficulty level, 3D acceleration and visual effects like colored lights, so it "transforms" the original but takes it almost at the level of Diablo 2
  • Dune Legacy: Dune 2 was the game that made me "want to do similar things with computers", to decide to study computer science. Dune Legacy allows not only the full campaign with higher resolution and better UI controls, but also multiplayer and skirmish games
  • FreeCiv: Civilization was one of the first PC games I enjoyed on my 386, so many afternoons spent deciding tactics to conquer the world. This version not only has multiplayer but also supports modding via custom rulesets. Deviates a bit from the original as contains elements from Civ 2
  • FreeSynd: This is the only game of the list that I wasn't unsure to add, because the engine remake is still quite beta and buggy. I ended up playing the GoG version but maybe the situation has improved
  • KeeperFX: Engine for Dungeon Keeper, adding 3D acceleration, higher resolutions, custom maps and working online. Also doesn't modifies any mechanics
  • OpenRA: Command & Conquer, Red Alert and Dune 2000 game engines. If you have the original CDs can install the data and play the campaigns, else you have a free multiplayer or (highly difficult) CPU opponents. Probably one of the best of the list
  • OpenTTD (Open Transport Tycoon Deluxe): Transport Tycoon was one of the best simulators I've ever played (alongside Sim City). Fixes some bugs and has working multiplayer
  • OpenXcom: UFO: Enemy Unknown (XCOM: UFO Defense in the USA) redefined the turn-based strategy games. The original had some nasty bugs and seems to be some customization support (but I just play the original campaign/mode)
  • ScummVM: I couldn't pass without mentioning THE game engine remake, because it allows to run most Lucasarts titles (which include lovely classics like Monkey Island or Maniac Mansion) but also because it is so multi-platform that can be run almost from everywhere you can think about. I used to play it even in a Windows Mobile PDA :_)
  • Syndicate Wars Port: Syndicate Wars was an ambitious follow up, and the software-based 3D engine was really cool back in the day. This engine, while has the multiplayer part broken, allows to play with any recent OS
  • Tenebrae: Quake engine to provide great 3D features but leaving the base game untouched. For a true enhanced experience, try Nehahra Project, which adds crazy stuff like bump mapping and provides also tons of new maps, enemies and even a 4 hours "movie"
  • Zandronum: Multiplayer ZDoom mod for Doom, which means "tons of tweaks and optimizations". Itself allows to play Doom in high-resolution, but if you combine it with Brutal Doom mod you get one of the most insanely fun shooters I've ever played

I probably have missed some others, but I think with all excepting FreeSynd I have finished the full campaign/history at least once so they indeed work.

Stopping Windows 10 privacy bleeding

There's been quite some talk about how Windows 10 upon install by default sends lots of mostly private stuff to Microsoft. Sure, it can turned on "just not using express settings", but we all now many people are lazy and install without reading, so this was done on purpose (else everything would be opt-in).

After the initial install, people realized the operating system kept bleeding data to the outside, so I did a quick test. I opened Task Manager, the Performance tab and there it was having a high activity peak when I wasn't doing anything. To avoid a false positive I ordered processes by network %... and I had the Search "app" sending 2.3MB of data... when I had disabled everything I could at setup (plus later on the Privacy settings).

Checking the App History tab I got this nice two "rogue leakers", two applications I hadn't even launched once in my few weeks using the new OS:

Examples of personal Windows 10 data leaks

Somebody please tell me why the Store has to grab so much data when I haven't even setup a Microsoft account (I use a local one), or why if I have never searched anything it was sending/receiving MBs. Searching for a more complete list of Windows 10 privacy fixes I found this nice guide, but as I never use Bing and similar MS-only services, I did some network sniffing to see what other places my PC is still "calling".

This are the domains I've ended up blocking (redirecting to from the hosts file is the best stopper) based on articles read and my own Wiresharking experience:

  • any.edge.bing.com
  • bing.com
  • msn.com
  • live.com

I also disabled ssw.live.com but then I had issues updating Windows Defender so I guess it either controls WD definition files or the whole Windows Update and I unblocked it.

I really like Windows 10 after suffering Windows 8 and using Windows 8.1 (although I'm sticking to Windows 7 for the gaming PC), but sadly it seems the privacy invasion era has jumped from mobile phone operating systems to desktop ones. It's still a better battleground to fight from (Firewalls, hosts file, 3rd party apps/tweaks...) but still another war to fight at.

PS: I've read as much as possible to take away FUD from reality, and while some options have been explained, not all questions have been answered.

PS 2: If I come with additional things to disable or domains to block I'll update the post to reflect it.

Taking care of my body when working remotely

Reading a Dilbert's book I found this really funny comic strip about remote work and personal well-being:

Dilbert on remote working

Until half a year ago I didn't do much remote working, mostly because previous jobs didn't allowed me to and I wasn't so eager to try it. But past months things have changed and now I really appreciate it as a way to improve concentration and squeeze more from time the day for other tasks (mostly as I save on commuting). But, there is one thing where at meast I have to be careful now: ergonomic and proper sitting position.

Ergonomic seating basics

I sometimes tend to cross my legs, other times to curve my back, and sometimes I get wrist pain (not strong, but enough to annoy)... so I've been improving my home working area as now I work an average of two days per week from home. This is the setup I currently have:

An old, grey and white IKEA Fredrik work table with up to two optional shelves above it, plus cable cord "rail" and a keyboard handle. It is wide and big enough for my laptop, monitor, a study area (for books, writing...) and even a PS3. The cable holder rail is so nice to avoid having tons of cables laying under the desk. It is also high, so with a small box below (with drawers to store things inside) I have the monitor at the correct height to always look upfront and not lower the head.

IKEA Fredrik

A decent (but not expensive) chair, with a net-like back so that my body can "breathe", and of course armrests, to keep the arms in proper angle. I modified the keyboard handle of the table to be at the proper height so my arms form a proper 90º angle. A SteelCase or similar brand might be awesome, but they are so expensive that while I can find cheaper alternatives I'll stick to them.

Ergonomic chair similar to mine

A 24" 1920x1200 monitor. People go a bit crazy IMO and maybe for a designer 27" or 30" are nice, but at least I don't need so many inches. I have a 30" monitor but after some daily use I moved it permanently to being my gaming PC screen and instead use something smaller but good enough display for my daily tasks. I'd love to have one that rotates to portait mode (so nice for coding, I had one like that at a previous job) but while this one works I won't change it. 2 Monitors might also be interesting but I'd need a dell docking base and my table is not huge, plus I'm so used to alt-tabbing that I don't need them.

Dell 24 inches monitor

I use an ergonomic keyboard for everything except gaming. I have two Microsoft Natural Keyboard 4000, one at home and one at work, but recently I switched (at home) to the newer and smaller Microsoft Sculpt Ergonomic, because I get more free space from the (separate) numeric keyboard segment and it is great, with soft keypresses and definetly a good improvement. Ah, it is in english, I'd rather learn where are the ñ and accents when I need to write in Spanish but enjoy the quicker code writing of a UK layout (I've never used a US layout but as anyway would be harder to get from Spain, I directly don't care).

Microsoft Sculpt Ergonomic for Business

I recently tried and now use a footrest platform. I bought a Kensington Solemate Plus because is cheap but allows to adjust the inclination and height, plus the feet don't slip.

Kensington Solemate Plus

As I play videogames, ages ago when I bought my gaming PC I did it with a good laser gaming mouse, a Razer Diamondback. After serving me for around 4 years, I decided to buy another one for the gaming rig and I've been using this one for coding for around anoher 4 years. It is very precise and my hand doesn't gets tired of using it, so I'll probably keep it until breaks. Probably any ergonomic mouse will do, but I'd go for a mid-high gaming one as usually are the best ones.

Razer Diamondback

For a distant future, I'd have to test a standing desk, but I don't see where I could setup one at home so for the time being is on hold.

Add to the list a good illumination, quiet environment and now that I have air conditioning nice temperature even in the summer, and the truth is I feel really comfortable working from home. Any additional suggestions, ideas or elements you'd add?

Making Rails CookieStore more secure and sessions expirable

As lately is happening to me a lot, Ruby ecosystem has lots of tutorials and guides that range from beginner to intermediate, but lacks more advanced topics. Recently I had to implement a security feature that surprisingly wasn't present at Rails: Session invalidation when you change your password.

Many sites, CartoDB included, use Rails CookieStore, which is just cookie based session handling: You securely serialize and deserialize session data (usually the user identifier) and avoid storing sessions serverside. Really cool in theory but has a flaw: If there is no serverside session management, how do I signal a password change so the other cookies with my session for example at other browsers become invalid?

Reading the official Ruby on Rails Security Guide I hoped to find the answer, but no, instead it lists lots of security hardening points, but just recommends to make your session expire, use a general secret_key (but changing it would invalidate all sessions, not just a given user ones) and in the end to go for database-based session handling for proper security. Well, I agree it is better, but sometimes you cannot adopt some changes as easy as they seem, so... what about improving CookieStore?

First I went deep, checking CookieStore and its "mixin parent" AbstractStore source codes. They just wrap actual session handling on storing at a cookie, but the parent had an interesting method, generate_sid (session Id). Maybe if I could change the generation of the session would be enough... so I also checked Rack::Session::Abstract::ID, the parent of all stores. I did some tests inheriting from CookieStore (as I don't fancy monkey patching even if Rack's code suggests it) but quickly I found that when you are generating a sid, really you don't have context of "users".. and you shouldn't, because this is really inside. This is for people desiring to modify the session id generation algorithm, or the actual storage of session data.

So, I went up, because over Rails we use Warden to ease all authentication (we have user/pass, API key, OAuth...). Digging into its wiki I found that you can have more session data than just the user id that you deserialize into a full User object upon retrieving an existing session. But that example wasn't enough, as it only worked playing with default session scopes. We use scope-based sessions because our usernames are unique and cannot be repeated, so for example I can have a session cookie with the scope "kartones" and another with the scope "test" (or different roles, or other ideas you might have).

Cheking more about Warden, I found some interesting callbacks, but again the examples were silly and not too useful, so as usually happens with Ruby, it is better to again check the source code to see the internals. And inside hooks.rb I found the answer, in the documentation block of after_set_user. There, I could filter to handling authentications and store additional session data at Warden initializer file... something that if your password changes changes too, e.g.:

Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
auth.session(opts[:scope])[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)

Now, editing the traditional Rails base ApplicationController I can add some methods to handle this additiona data:

def update_session_security_token(user)
warden.session(user.username)[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)

def session_security_token_valid?(user)
warden.session(user.username).key?(:sec_token) &&
warden.session(user.username)[:sec_token] == Digest::SHA1.hexdigest(user.crypted_password)

def validate_session(user = current_user, reset_session_on_error = true)
if session_security_token_valid?(user)
reset_session if reset_session_on_error

And then just add the new logic to the authentication endpoints, for example:

def login_required
is_auth = authenticated?(CartoDB.extract_subdomain(request))
is_auth ? validate_session(current_user) : not_authorized

Now it would only remain to call update_session_security_token upon a password change, and all other cookie sessions will become invalid.

Why this is not an option either at Rails or Warden, I don't know, but I couldn't find a single tutorial, post or message detailing all this info, so let's hope this post helps fix that.

Previous entries