PCI DSS, the security standard for companies that handle credit cards, defines a number of rules as to how credit cards are handled. One of those rules, 3.3, is defined as follows:
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)
So based on this requirement I assumed that the code to do this would be common and widely available; much to my surprise there are rather few samples that do this, and of those I found they only showed the last four (which when you are handling a lot of credit cards, searching for an account by the last four isn’t all that helpful) and were often rather fragile.
So I whipped this up, hopefully it’ll be useful to others.
public static string MaskCreditCard(string value){ const string PATTERN = @"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|" + @"6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|" + @"[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\b"; var replace = Regex.Replace(value, PATTERN, new MatchEvaluator(match => { var num = match.ToString(); return num.Substring(0, 6) + new string('*', num.Length - 10) + num.Substring(num.Length - 4); })); return replace;}The regex pattern is from Regular-Expressions.info and should detect most major cards.
I recently had an idea for a small web application, and seeing as I’ve not spent as much time as I’ve wanted to using Rails – I opted to build it the latest version of Rails. A decision that caused far more grief than I expected.
If you are using Dreamhost’s PS offering (a managed VPS for those that don’t know), the seemingly simple task of getting a Rails 3 application up and running is actually quite complex. The root cause of this is that Dreamhost’s OS image is based on Debian etch, which was released in April 2009 and has since been replaced; which means etch has become fairly outdated.
Here’s the process I used, and so far it seems to be working quite well:
Domain Setup:
When adding your domain to the Dreamhost panel, you’ll want to enable Passenger.
Once your application is uploaded to the server, you’ll be greeted with a particularly unhelpful error message (something like “uninitialized constant Bundler“) from Passenger (or perhaps just a 500 error page).
Server Updates:
This is where the work starts, and gets somewhat ugly. As a warning, it’s quite possible that you could damage your configuration doing this; though thankfully you can restore your server to a working state within a few minutes from the Dreamhost panel should something go wrong. You’ll also need to have an “admin user” for this task, as much of what needs to be done has to be done as root.
First step: Get your PS up to date; even after performing a restore on my server, there were a number of updates that are available to be installed. So let’s start off by getting those out of the way.
sudo apt-get update sudo apt-get upgrade sudo apt-get -f install
Once you get past those three commands, the next step is to update SQLite to the latest version, as the version Dreamhost uses is quite old and won’t work with Rails 3.0 (well, to be accurate it won’t work with the latest version of sqlite3-ruby, which is the default database provider for Rails 3).
wget http://www.sqlite.org/sqlite-autoconf-3070400.tar.gz tar zxvf sqlite-autoconf-3070400.tar.gz cd sqlite-autoconf-3070400 sudo ./configure --bindir=/usr/bin --libdir=/usr/lib sudo make sudo make install
If you don’t update SQLite you’ll get an error like this:
sudo gem install sqlite3 Building native extensions. This could take a while... ERROR: Error installing sqlite3: ERROR: Failed to build gem native extension. /usr/bin/ruby1.8 extconf.rb checking for sqlite3.h... yes checking for sqlite3_libversion_number() in -lsqlite3... yes checking for rb_proc_arity()... no checking for sqlite3_initialize()... no sqlite3-ruby only supports sqlite3 versions 3.6.16+, please upgrade! *** extconf.rb failed ***
or if you install the updated version, but don’t force it to /usr/lib you’ll get an error like this:
sudo gem install sqlite3 Building native extensions. This could take a while... ERROR: Error installing sqlite3: ERROR: Failed to build gem native extension. /usr/bin/ruby1.8 extconf.rb checking for sqlite3.h... yes checking for sqlite3_libversion_number() in -lsqlite3... no sqlite3 is missing. Try 'port install sqlite3 +universal' or 'yum install sqlite3-devel' *** extconf.rb failed ***
Once that is taken care of SQLite, the rest is easy.
sudo gem update
At this point if you visit your new Rails site, it should be working!
Notes:
- I’ve not tested this extensively, and I’ve no idea if this breaks anything. All I can say for certain, if that all of my sites still work, but your mileage may vary. <Disclaimer />
- I was a fairly early Dreamhost PS adopter, and part way through this process I reset my server to get it back to a clean state. After resetting, I noticed some differences with the behavior of
apt-get(404s onupdateandupgradeare gone), so for other early adopters it may be necessary to perform a reset to get your servers configuration in-sync with the latest official setup. - I can’t say for a fact that this is completely necessary, though you’ll likely need to selectively update a few packages if you skip this step. Also, for me,
gemwas broken until I ransudo apt-get -f install. - Special thanks to Matt for helping me get this working; troubleshooting the SQLite install was more than a little time consuming.
The company I work for is hiring several developers which marks my first significant hiring effort since being promoted to management. This had led to a few interesting observations* I would like to share that may benefit both those looking for a new job and those looking for the next star to add to their team.
Immigration Law: I had no idea how complex this area of law gets; it’s a maddening maze of rules and policies that are more effective at confusing those involved than providing a reasonable solution to a problem. If you run into this (and you will), you need somebody that has dealt with this and knows what to do. Getting both parties into legal hot water is far too easy.
Resumes: I’ve seen great resumes that made it clear that I needed to hire this person and resumes so cluttered and complex it took an hour just to get through it. Here’s a few things that stuck out to me:
- DRY is good for code, and for a resume. Clean and concise is always better; if you find yourself hitting Ctrl+C even once while working on a resume, you’re probably doing something wrong.
- Length is important, but shorter isn’t always better. Unlike many other fields where a single page resume is considered optimal, technical resumes need at least a second page. Going too short on a resume is a great way to blend into the crowd; a resume should stand out, and that takes space.
- How long is too long? Unless you’ve been doing this for a very long time, more than three pages is probably excessive. This isn’t always true, but think it through before using more than two pages.
- Use whitespace carefully. Don’t leave a page half empty or pack everything in so that it looks cluttered. As with any type of design, whitespace is a powerful tool that should be used wisely and never be left to chance.
- Use color sparingly. Many corporate printers are black and white only, so if you use color make sure it looks right when printed without it.
- Use bold even more sparingly. It’s sometimes useful to point out items of interest, but it quickly degrades the readability of a resume.
Many people seem to have a hard time with this, but a resume is a textual representation of yourself. It represents you as a person and your accomplishments as a professional. Any errors or signs of haste or carelessness say much about you as a person; if you are careless with such a significant representation of yourself what does it say about your attention to detail or work ethic?
Experience: For a person that has recently graduated, experience in the field is the single largest hindrance both when it comes to securing a position and to receiving a salary they are happy with. The best advice I can find for people in this position is to look to the open source community for help. There are many projects that are desperate for developers and it’s a great way to get familiar with working in a team, coordinating with people over a distributed area, and releasing code for public consumption. In lieu of paid work experience, open source is a great way to fill in a resume (and it can be quite profitable for some, if you play your cards right).
Salary: In some companies pay is a minor issue thanks to clearly structured systems such as that proposed by Joel Spolsky; for others is can be a source of pain, envy, and jealousy. This is a topic that I truly hate; it’s uncomfortable at best and quite painful at worst. While I can’t offer much advice, here are a few things to think about:
- Money is not an effective motivator. In an ideal environment it should just stay out-of-the-way and allow developers to live a comfortable life; in reality the role it plays is a bit different. More often than not, it’s a distraction that gets in the way and outweighs the factors that do motivate people.
- Companies follow a few different pay systems, and once set moving to different system is nearly impossible. Here are a few I’ve seen:
- Clearly Structured: This system places developers on a scale, and developers at a given level receive the same salary (see Fog Creek).
- Structured + Negotiated: This is the most common system I’ve seen; it mixes a structured level system with negotiated modifications that can apply a certain percentage increase from the normal base salary for that level or other benefits (extended vacation, etc).
- Negotiated: Pay is based on negotiation skills and need; this can lead to odd situations such as where a junior developer can make more than a senior developer due to the need to fill a position quickly. This system requires strict secrecy when it comes to salary information to avoid nasty surprises, unlike the clearly structured system where salary information can be openly shared.
- Are large salary increases possible? Some companies have no issue with large increases in salary for a promotion (20%+) while in others exceeding 5% for any reason is a major challenge. If a developer is coming in on the low-end of the scale (i.e. due to lack of experience, such as a recent graduate), is there a real possibility of moving up? In my experience, people stay near the end they start at – those that start at the bottom will stay there until they move to a different company.
Interview Questions: If you are conducing an interview, make a list of questions and write them down. It’s quite embarrassing to suddenly realize that you are out of questions just a few minutes in (Need inspiration? Try this or this). Many people have said much about this, but the most important thing I can point out is just don’t wing it. Plan carefully, make sure you know what you’re going to do and when before the candidate shows up.
Interview Dress Code: I’ve been amazed at what I’ve seen people wear, everything from high-end suits to jeans. What’s appropriate? It really depends on the environment; a large corporation will expect an Armani suit where a startup is happier seeing jeans and an American Apparel t-shirt. When in doubt, I would go with a suit personally – but depending on the company that could cost you the job just as quickly as showing up in jeans.
Interviews Go Both Ways: An interview shouldn’t be a one-way affair; the candidate should be interviewing the company as much as you are interviewing them. They should be asking questions about the environment, expectations, tools and resources provided as much as you are asking them about prior experience and knowledge. If a candidate doesn’t seem to care about the company or what the working conditions are like – think carefully before hiring them.
Other Thoughts: I’ll not go into what I look for when it comes to personality or other personal traits as that would require far more than a blog post to cover. I’m also going to avoid things such as hobbies and the like; while they can tell you much about a person they can also lead to other complications. Any question in an interview can quickly lead to a land-mine and in the legal quagmire that is HR law and policies, trouble is easy to find. When in doubt, just don’t ask.
* This is based on my experience over the years; not necessarily the experiences in this round of hiring or the opinions or policies of my employer. In general, nothing in this refers to policies, preferences, or procedures of my employer. <Standard Disclaimer />
While performing some testing on a Windows 7 Professional workstation running a VL build from MSDN found that a feature I needed was missing – the new Multi-Monitor RDP support. After a little research I found that only the Ultimate and Enterprise editions support this feature; which thanks to Windows 7′s Anytime Upgrade feature I assumed this would be no issue.
But, it was an issue.
It turns out that the build of Windows 7 I was using was missing WindowsAnytimeUpgradeUI.exe and the other related files needed to make the Anytime Upgrade work – and copying the files from another box doesn’t work. It seems this build simply can’t be upgraded in this fashion. So I tried a few other tricks, hoping to find something that would work:
- Reactivate Windows with an Ultimate key; fails with an error indicating that a Professional key is required.
- Run Ultimate edition installer from Windows; fails with this error indicating that you can’t perform edition upgrades.
So being stubborn and determined not to re-install Windows to make this feature work, I started looking for other options. Thanks to a hack for upgrading the RC builds to Final, I found what I needed.
I edited the EditionID and ProductName to reflect Ultimate instead of Professional, rebooted, and then ran the Ultimate installer from within Windows. This time the installer ran without issue and after an hour and a couple reboots it was done. This in-place upgrade/repair procedure allows you to jump to a different edition with fairly little pain. A couple of Windows settings needed to be corrected (primarily display related) and Visual Studio 2010 had to be re-installed, though otherwise everything worked just as it did before.
This is the only method for upgrading these Windows 7 builds that I’ve found, the only other option is to re-install Windows from scratch.
Setting up the Android SDK on Windows 7 64bit, with a 64bit JDK / JRE is a bit less straightforward than one would expect, thankfully though the solution is quite simple. There are two settings that need to be adjusted to make this work – otherwise you’ll get an error indicating that Java can’t be found.
Step 1: Modify your PATH to include the bin folder of the JRE. Mine looks like this:
C:\Program Files\Java\jre6\bin
Step 2: Set the ANDROID_SWT variable (you’ll probably need to add it) to the \tools\lib\x86_64 folder of the Android SDK. Mine looks like this:
C:\Android\SDK\tools\lib\x86_64
With these two changes, everything seems to work as expected. Why this is required on 64bit but not 32bit I’m not sure, but this does seem to solve the problem.
While trying to renew a few domain names recently, I found that cancelling the Privacy service that GoDaddy offers (via Domains By Proxy) is much more difficult than I had expected. The $8.99/year service conceals your name, address, and phone number from the public WHOIS listing.
Being concerned about privacy as most people are (or at least should be) it seemed a reasonable option but when multiplied by quite a few domains, it gets rather expensive. So during this last round of renewals I decided to cancel the service; figuring it would be no harder than removing the item from the shopping cart. To my surprise, it wasn’t nearly so easy.
Turns out that you have to sign into the DomainsByProxy web site with a Customer ID and password to cancel the service; so I tried the obvious and used my GoDaddy ID and password, though no such luck. I searched my email archives and didn’t find a single email from DomainsByProxy, at this point I was pretty sure whatever email address they had on file wasn’t valid, which is bad news for me. While there is an option to recover your customer ID, if their records aren’t accurate then it’s of no real use.
But there is hope.
It took a fair bit of reading and testing, but I finally found a method to get to your account IDs, and it’s fairly simple:
- Go to the Private Registration Page on GoDaddy’s site (make sure you’re logged in to your GoDaddy account)
- Type in some random characters into the search box
- On the results page, click “Continue to Registration”
- Click “No Thanks” on the ad page
- Scroll down to the section labeled “3. Select Your Domains By Proxy® Account“
You should now see your customer IDs for the DomainsByProxy web site. The web site only shows the first four account IDs, if you have more than that you can contact DomainsByProxy and have them merge the account IDs you know. Just continue the process until you have all of your accounts merged into one.
Unless you’ve changed your password on the DomainsByProxy web site, your GoDaddy password should work. From there, you can update your information – or like me, cancel the service completely. Now you are free to renew the domain without paying the extra annual fee or transfer to another registrar.
