Welcome to the lab.

GitHub TOC Service 0.2.0

[Tweet : ADN : nvALT]

I just uploaded the GitHub TOC Service version 0.2.0. Mostly because I needed a break from testing the next version of Marked, but also because it had a few bugs that needed fixing.

This is a Service that scratches an itch for me when working on long README files and other Markdown documents. From the original post:

…a script that works from the command line or as a Service. You can pipe Markdown to it, run it on a file, or select it and change it in place with the Service. You just put a [toc] tag in your document where you want the Table of Contents to go, and then run it. Any headers found after the point where the tag is will be indexed and linked

What’s new/fixed

  • You can use “mmd” in the tag
    • [toc 2 mmd] creates a 2-level-deep header using MultiMarkdown style header ids instead of github-dash-format
  • use mmd or no_mmd on the command line

      github_toc 2 mmd README.md
  • Remembers depth and header style (stored in HTML comment) for repeat runs
    • update an existing Table of Contents without having to specify settings again, just select and run
  • CLI arguments override “recorded” settings (no_mmd will erase mmd in tags)
  • If there’s more than one h1, it recognizes them as sections
  • Fixes for github header id generation formatting
  • Defaults to 2 levels instead of 1 if no depth is specified
  • Fixed outputting to a second file without needing redirection on the command line


The CLI version is updated, and the Service can be downloaded below (double click to install on OS XMountain Lion or higher).

GitHub TOC Service v0.2.0

A Service for generating tables of contents for GitHub readmes (and other Markdown files).

Updated Fri Nov 21 2014.

More info…

As a side note, here’s another take on the process using only curl and awk to pull GitHub READMEs down and parse out a Table of Contents.

The WALTR winners

[Tweet : ADN : nvALT]

Congratulations to the winners of the WALTR giveaway!

  • David
  • Blake Walters
  • Erik Mueller-Harder
  • Dave Hyndman
  • Matt Elliott

If you missed it, you can catch my review here. Don’t forget that it’s only $14.95 for a little longer, then the price is going up to $29.95. If you have videos or audio in any non-iTunes format, grab a free trial and see how simple it is to get them on your iPhone in all the native players.

WALTR: amphetamines for your video collection (+giveaway)

[Tweet : ADN : nvALT]

Softorino, the developers who brought you iBetterCharge (mentioned here a little bit ago), have just released a supercharged tool for putting your video collection on your iOS devices. It’s called WALTR, and if you collect videos in any iTunes-incompatible formats, you’ll love it.

WALTR can upload videos in MKV, AVI, MP4, FLAC, and more formats (the promo claims “any format ever created,” but I don’t have time to test that…) directly to your iPhone or iPad. You get native playback in all of your video apps, with no special software or converters required. You just plug your iOS device into USB and drag videos (or audio, too) onto WALTR’s dropzone. It crunches them and uploads them to your device in one step. You don’t even need to open iTunes.

Honestly, I don’t collect a lot of video files. When I watch movies, they’re usually streaming, or I just download them in iTunes-supported formats. I had to go out of my way to test WALTR, but the results were pretty astounding. Here’s a video from the developers showing an MKV version of Monty Python and The Holy Grail uploading to an iPhone 6 in under 60 seconds. The video is instantly available in Apple’s “Videos” app. Impressive.

You can download WALTR for free and try it out. A lifetime license is going to cost $29.95 US. There’s a special launch price for one week, though, and you can pick it up for $14.95 US right now. I also happen to have five codes to give away, so if this is something you’ve been wanting, enter a name and email below.

The giveaway is open to everyone (the app is non-App Store, so you can use it even in places without MAS access). The Giveaway Robot will draw five random winners on Friday, November 21st, at 12pm Central. That way, if you don’t win, you’ll still have a chance to grab it at the intro price. See? I’m always looking out for you.

Sorry, this giveaway has ended.

That was so many posts in one day. I should get a medal. Or a cookie.

On BitTorrent Sync security

[Tweet : ADN : nvALT]

Hackito Ergo Sum published a security analysis on Sunday, and it’s highly critical of the overall security of BitTorrent Sync. Hackito included this caveat:

This is not a professional assessment but a community effort to analyze a solution used by the public. This is a quick response to some critics on this Hackito Session results, this is not a commercial report.

I’m a big Sync fan, and part of why I was drawn to it was the peace of mind I found in “owning my cloud.” I contacted Kevin Fu of BitTorrent to get their response. I’m not a security expert by any stretch of the imagination, but the statement from Sync reflected my own reactions to some of the weak spots pointed out in the Hackito analysis.

In short, the scariest parts of the report (to me) focus on the security and exposure of folder hashes. However, these hashes aren’t private keys, they’re essentially just identifiers for a folder. You can’t be granted access without the secret key, and those are securely generated with options for one-time use, time limits, etc.. Looking over Hackitos analysis, it does appear that network addresses are leaked from local ports and through link.getsync.com which would offer attackers a target, but I’ll leave it up to commenters to help me figure out the level of danger there.

Update: I got a note from Sync regarding the network addresses:

The website link.getsync.com does not see, or know about any local IPs / ports. It only sees the public IP of the machine – that’s no different from any other web site on the Internet. The tracker is aware of local IPs and ports, but: (1) taking advantage of that is difficult since these IPs can only be accessed over the local network; and (2) to gain this knowledge, one has to guess a Folder Hash, which is a 160 bit number – it is impossible to do so.

Ultimately, the security of any peer-to-peer sync solution is in the hands of the user. I’ll be the first to admit that I don’t have enough security expertise to assess all of the potential dangers presented. I’m personally satisfied with the response from Sync for now. I’ll worry about my own network security first.

The official statement from BitTorrent Sync:

BitTorrent Sync remains the most secure and private way to to move data between two or more devices; and for good reason - we’ve built it that way. Rigorous third-party security audits have been conducted to verify the product’s security architecture, validated by the attached report.

But we take questions about Sync’s security very seriously. We’ve gone through the claims made by Hackito and after reviewing it in full, we do not feel there is any cause for concern.

To address the main points made in the study’s conclusion:

  • Folder hashes are not the folder key (secret) and are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160 bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.

  • Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link does not contain any folder encryption keys; it only contains the public keys of the machines involved in the exchange. The link itself cannot be used for decrypting the communication. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won’t even send this to the server. On top of that, a few additional features were implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default).

  • We host a tracker server for peer discovery; the tracker is only there to enable peers to find each other. It is not a part of the folder exchange. As mentioned earlier, the hashes cannot be used to obtain access to a folder.

  • Like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like. Once an attacker has root access or physical access to the machine, it can modify any element of the attacked system. This is not an issue with Sync, but basic security protocol.

  • Sync security is completely dependent on client-side implementation. The public infrastructure is there to enable better connectivity and more user-friendly folder sharing experience. Compromising the public infrastructure cannot impact the security of Sync.

The findings of the security audit mentioned in the statement can be found here.

Solve command line mysteries with ‘type’

[Tweet : ADN : nvALT]

I have dozens of aliases and functions available in any shell in any terminal on any of my machines. If I add Homebrew installs and PATH priorities, it can be a lot to keep track of.

You probably know about the which command. It returns the path to the binary which would be executed by a given command. If that command is an alias or function — or even binaries located outside of a default scope — it won’t return anything. The alternative is the shell builtin type.

When you use type [command], it will tell you whether it’s an alias, a function, a file, or a hashed binary. For functions and aliases, it will also display the actual script or show you what command it’s aliased to. That means that not only will type explain that an alias is overriding a default binary, it will also show you the equivalent of alias [command] at the same time. You can even use the -a option to show every possible destination of that command.

Next time you’re trying to remember what’s aliased to what, what a function does, or why a command is giving unexpected results, turn to type.

Here’s the documentation for additional options:

With no options, indicate how each name would be interpreted if
used as a command name.

If the -t option is used, type prints a string which is one of
alias, keyword, function, builtin, or file if name is an alias,
shell reserved word, function, builtin, or disk file,
respectively. If the name is not found, then nothing is printed,
and an exit status of false is returned.

If the -p option is used, type either returns the name of the disk
file that would be executed if name were specified as a command
name, or nothing if ``type -t name'' would not return file.

The -P option forces a PATH search for each name, even if ``type
-t name'' would not return file. If a command is hashed, -p and -P
print the hashed value, not necessarily the file that appears
first in PATH.

If the -a option is used, type prints all of the places that
contain an executable named name. This includes aliases and
functions, if and only if the -p option is not also used. The
table of hashed commands is not consulted when using -a.

The -f option suppresses shell function lookup, as with the
command builtin. type returns true if any of the arguments are
found, false if none are found.

Web Excursions for November 17, 2014

[Tweet : ADN : nvALT]

Choose to Start Doing, aka, Tracking Your Work Time
Well, that’s pretty cool. It uses choose with doing to provide a graphical interface of sorts…

Crumbles are kinda like reaction GIFs with a way bigger vocabulary… and all you have to do to make one is type.

Happy Cyborg
A bot that learns your personality and auto-responds to tweets. Could be useful for tech support accounts, at least…
Sketch to App Store - Generate App Store images for all iPhone sizes from Sketch
A handy tool for App Store developers who use Sketch.
Flashlight — Spotlight’s missing plugin system
Holy cow. A plugin system for Yosemite Spotlight that adds all kinds of Alfred-esque capabilities.

Invoking PopClip on an existing selection

[Tweet : ADN : nvALT]

I love PopClip, and have done quite a bit of hacking around with it. Once you get used to it and come to expect it popping up, the only annoyance is that all your handy tools aren’t there when you make a keyboard selection, or when you accidentally dismiss the popup before you choose the extension to run. Easily fixed, fortunately.

PopClip provides a simple AppleScript command, appear, so you can script the popup with a single-line script:

tell application "PopClip" to appear

(Or, for giggles, Application('com.pilotmoon.popclip').appear(); in JavaScript on Yosemite.)

Then all you need is an easy way to trigger that command. I use BetterTouchTool to expand all kinds of functionality on my Mac, so it’s my natural choice. I simply save the command as an AppleScript file (.scpt), and then use the Open Application / File... action. I have it triggered by a 2-finger swipe down from the top of my trackpad. You could also easily bind it to a keyboard shortcut in BetterTouchTool1.

With this, any time I have text selected by any means, I can just swipe down on my trackpad with two fingers, starting with my fingers above the top edge, and get the PopClip menu for the current selection. The sequence below shows me selecting a paragraph using one of my KeyBindings, and then invoking PopClip with the two finger swipe.

  1. You can also use FastScripts with a keyboard shortcut. I haven’t had much luck making it work with launchers (LaunchBar, Alfred, etc.), but I’m sure there are ways.

Safer command line paste in iTerm 2

[Tweet : ADN : nvALT]

If you’ve ever copied a shell command from somewhere and accidentally included a trailing newline, you know that hitting paste in your terminal can run the command before you have a chance to edit it. There are a few ways around this, but here’s a quick tip for iTerm 2 users.

In Preferences -> Keys -> Global Shortcut Keys, add a new shortcut assigned to Control-Command-V (or Command-Option-V, or whatever makes sense and doesn’t override existing shortcuts…). Set the action to “Run Coprocess” and enter pbpaste | tr -d "\n" as the command. When you trigger this, it will take whatever is in the clipboard and remove all the newlines from it, ensuring that it won’t execute when pasted.

Now, when you want to paste something directly to the command prompt, use this new shortcut instead of ⌘V for extra peace of mind.