Giving up Facebook

Posted by Andy Beak


Giving up Facebook was difficult. I had to face up to the fact that I was thinking about it pretty much whenever I was taking a break.  I started to realize that Facebook took up a fair amount of headspace and time.  Since I don't smoke I don't go outside.  Left with the choice of drinking yet another cup of unhealthy coffee or finding a distraction on my PC I found Facebook curiously addictive.

What did I like about Facebook?   Well I analyzed this carefully and thought about the value proposition.   Ultimately I realized that Facebook offered two things - lots of shallow electronic interactions and meaningless flash animation games.  Since I earn enough to buy a decent PC (or console) and really hot games the games on Facebook offer little.  The only game that meant anything to me was Fairyland and that only because it promised to save the rainforest.  PC games are better without Facebook.  As for meaningless social interaction guess how many Facebook "friends" have tried to get in touch with me since I stopped using Facebook?  That's right... zero.

Facebook's product is your personal information. It's the ability of Facebook to sell information about you to advertisers. You are no longer a person, you are a product. You are Facebook's product. So in exchange for the "free" services that they offer you willingly divulge your interests, contact details, friends, where you live, where you travel, your political and religious beliefs, and everything in between.

And even if Facebook isn't going to capitalize on your willingness to slave yourself out they will sell your details to third parties. Did you notice the agreement between Facebook and Paypal that allows a one-click purchase system? How convenient... your money linked directly to your Facebook account. If you're not scared then you're not a hacker or you don't have any clue what possibilities you're giving Facebook by linking your accounts.

So my decision to disable my Facebook account was complicated:   firstly it was interfering with my work productivity by invading my thoughts, secondly it was removing my need for real human interaction, thirdly it was threatening my personal privacy, and lastly it was full of lame people talking about their cats.

Statistically if you give a million monkeys a typewriter and enough time you might expect them to randomly produce the works of Shakespeare. Facebook is the disproof of this theorem - I really found that my time spent reading Facebook nonsense detracted from the time I had available to read news websites and otherwise improve my understanding of the world. Go check out http://www.failbook.com if you think you can educate yourself on Facebook or otherwise receive valuable informative opinion that will improve your life.

So what was it like? Well firstly I was a little insulted that none of my Facebook "friends" noticed that I cancelled my account. I thought about this and realized that Facebook offers a great deal of superficial social interactions. A Facebook "friend" is meaningless and if one of them disappears there are plenty of other shallow interactions to fill the gap. Test it for yourself... don't log in to Facebook for a few days and see who tries to email or phone you. You'll discover that Facebook "friends" are a poor substitute for real social interaction.

Then I started craving the various games I had started playing on Facebook.  I suppose it was useful that none of my "neighbours" tried to email me.  The social value was ruined for me when I acknowledged that none of these people were really my friends.  The only game I missed was "Fairyland" which promised to donate money to save the rainforests.  I rationalized that by donating to my church I was actually donating a whole lot more to the planet.... and since playing Fairyland took X hours it was cheaper to donate those dollars directly to the church.

Then I missed Facebook's photo gallery.  So I tried out Tumblr which allows me to upload photos.  So does Flickr.  Picasa doesn't because I use Linux as my operating system.  No problems... Tumblr and Flickr are both more private than Facebook or Google and neither has credit card information.  Failing online storage,  an external USB drive is an affordable backup option.  Plus mine is encrypted with the (free) Truecrypt program which is better than giving Facebook my rights to it.

Rights?  Yes - anything you publish on Facebook belongs to Facebook.  If you put a photo, witty comment or statement, social interaction, or anything on Facebook they can whore it out or use it any which way they want to.  What?  Yes it's true - the fact that you're tagged in a photograph can be used to profile you and target you.   Even if you don't agree to it, if your friends naively agree to have their privacy invaded malicious people can find your details.  Having looked at what an uncertified Facebook developer can do I must tell you that your privacy is history if you play games or use applications on Facebook.

Ultimately although my initial decision to stop using Facebook was because it interfered with work and offered no REAL social interaction my ongoing decision not to use it is because I have to acknowledge that I am not a product. You can't sell me. Facebook's chief product is access to the personal details of its users. It already has the credit card information of millions, the Facebook credit is touted to become its own currency, it knows where you are, what you're interested in, who your friends are, what clothes you wear, your religious beliefs, your sexual orientation, your work history, and so much more. And it's willing to sell that information to the highest bidder. You are Facebook's product. Do you want to be a product?

Three steps to create a self-signed certificate in Apache for Ubuntu 11.10

Posted by Andy Beak

It is very simple and quick to create a self-signed certificate on your development machine. Of course you would never use this on a production server because self-signed certificates are vulnerable to man in the middle attacks. 

You will need to make sure that you have the ssl-cert and libapache2-mod-gnutls packages installed.

Step One: Use the ssl-cert package to create a self-signed certificate.  This will create the certificate files in /etc/ssl which is where the Ubuntu default Apache configuration expects to find them.

make-ssl-cert generate-default-snakeoil --force-overwrite

Step Two: Activate the SSL module and the default SSL site using the convenience wrappers:


a2enmod ssl
a2ensite default-ssl

Step Three: Restart Apache


service apache2 restart

Installing a Unified Communications SSL certificate in Microsoft IIS 6.0

Posted by Andy Beak

Just another working day in Redmond

Being placed in the dire situation where my project has to go live and is being served by a Windows server that has no administrator I was forced to open up my RDP client and venture back in time to the days of dinosaurs and IIS.

Unified Communications SSL Certificates are pretty much the only solution I could find to allow a single installation of IIS to share a single certificate that is valid for multiple domains that don't conform to a wildcard. Whew, what a mouthful. In other words if you have the domains http://www.ihatemicrosoft.com , http://www.apacheisfree.com, and http://www.graphicalinterfacesareforpansies.com you can use a single SSL certificate to secure them by setting up Subject Alternate Names.

Getting them up and running was a cinch for me made only slightly more complicated by previous failed installation issues which I had to identify and undo.

Firstly if somebody else has tried to install the certificate and failed it's not a bother.  Just get the exact details that were used and rekey it (if the issuer allows this).  GoDaddy allowed me to instantly request a new certificate which I was quickly able to install onto the "master" domain (the one that is not a Subject Alternate Name). Thus I was working from a clean canvas, without incorrect or expired certificates lurking around.

I really don't feel like replicating the bazillions of articles written for Microsoft IIS 6.0 so I'll link to an article that is pretty useful and is on a site full of useful articles - How To Install a Certificate in IIS 6.0 . I personally had to remove the old (expired) certificate and issue a new CSR but hopefully you won't have to go through all that.

Now that you have it installed for your master the next issue is to set up the SSL bindings, which is the clever bit and the whole point of using Subject Alternate Names. Basically, using the same IP and port (443) for different sites causes a problem with other sorts of certificates for obvious reasons. However, the Unified Communications SSL certificate is able to validate a number of domains quite happily; we just need to get IIS 6.0 to bind the SSL 443 ports correctly to the host names.

You have probably already noticed that you can't set host headers for SSL in the IIS manager. That's okay, there is a DOS tool to do this. For non-Linux people this might be very very scary, but you need to just drop to a command prompt and do a few things. Before you do that, however, click on the root node of your domain list to view a list of domains. Make a note of the long number and host header values that identify the site(s) you want to add as Subject Alternate Names.

Now pop to a DOS prompt and follow the advice given at Digicert which helps you to configure the IIS 6.0 SSL host headers using a VB script.  Basically the important thing is to run the following command from c:\Inetpub\AdminScripts (assuming a default IIS installation):

cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

If you get an error when browsing that refers to an Invalid Host Header just check that you have correctly matched the site identifier number to the host header in the command above and rerun with the correct values to fix it. You may need to stop and start (why does IIS not have a restart option Steve Ballmer?) to get everything happy.

Preventing Directory Traversal attacks in PHP

Posted by Andy Beak

Directory traversal attacks occur when your program reads or writes a file where the name is based on some sort of input that can be maliciously tampered with.

At the most simple it could be to include a file like this:

echo file_get_contents($_GET['sidebar']);

The intention would be for you to be able to call your URL and send a parameter indicating which sidebar content you want to load... like this:  http://foo.bar/myfile.php?sidebar=adverts.html

Which is really terrible practice and would not be done by any experienced developer.

Another common place where directory traversal attacks can occur is in displaying content based on a database call. Let's say that you have a program

If you are reading from or writing to a file based on some input (like GET, POST, COOKIE, etc) then make sure that you strip, using a regular expression that allows only safe characters, any characters that could help a malicious user force your program to access sensitive files.

In my case file names would include the ~ symbol so I used this expression:

// ereg_replace() was removed in PHP 7; preg_replace() does the same job.
$string = preg_replace('/[^A-Za-z0-9~]/', '', $string);

Failing to do so can help attackers read sensitive files on your system like your database configuration. They can access any file on the server that the user which the web server runs under can access.

This is still not foolproof, however, as an attacker would still be able to read files in the same directory, provided their names contain only characters that the expression allows.

A safer way to do it is to whitelist the files that are allowed to be included.  Whitelisting is safer than blacklisting, so instead of trying to exclude all malicious combinations we will rather allow only a set of safe options to be used.

Consider the following code as an alternative to the above:

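// Only names in this list may ever be loaded; everything else is ignored.
$allowedPages = array('adverts', 'contacts', 'information');
// Treat a missing parameter as an empty string so no notice is raised.
$page = isset($_GET['page']) ? $_GET['page'] : '';
// Strict comparison (third argument) rejects arrays and other non-string input.
if (in_array($page, $allowedPages, true))
{
    echo file_get_contents($page . '.html');
}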

On a system configuration scale it's ideal to have each site running in a chroot jail.  By locking down access to the user that your webserver runs under to a specific directory you can limit the impact of a traversal attack.
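
When the list of files cannot be enumerated in advance (as with the ~ file names above), the character filter can be combined with a check that the resolved path still lies inside the intended directory. The following is an added example, not code from the original post; the function name resolveInsideBase, the temporary directory layout and the file names are constructed for the demonstration.

```php
<?php
// Added example (not the post's code). The directory layout, file names and
// the function name resolveInsideBase() are constructed for this demo.

/** Return the real path of "$name$ext" inside $baseDir, or null if refused. */
function resolveInsideBase($baseDir, $name, $ext = '.html')
{
    // Refuse non-strings (e.g. ?page[]=x) and anything outside the safe set.
    // \A and \z anchor the whole string, so a trailing newline cannot slip by.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9~]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; false means "no such file".
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . $ext);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check. The trailing separator stops "/srv/pages-old" from
    // being accepted as if it were inside "/srv/pages".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// --- Constructed demo data in a throwaway temp directory ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/adverts.html', '<p>adverts</p>');
file_put_contents($root . '/settings.html', 'stand-in for a sensitive file');
// A link inside pages/ whose name passes the character filter but whose
// target lives outside the directory. @ hides the warning where symlinks
// are unavailable; the name is then simply reported as missing.
@symlink($root . '/settings.html', $root . '/pages/leak.html');

$inputs = array('adverts', '../settings', 'leak', 'missing', array('adverts'));
foreach ($inputs as $input) {
    $label = is_array($input) ? '(array)' : $input;
    $path  = resolveInsideBase($root . '/pages', $input);
    printf("%-12s %s\n", $label, $path === null ? 'refused' : 'served: ' . $path);
}

// Clean up the demo files.
@unlink($root . '/pages/leak.html');
unlink($root . '/pages/adverts.html');
unlink($root . '/settings.html');
rmdir($root . '/pages');
rmdir($root);
```

The "leak" input is the case the character filter alone misses: its name is made of safe characters, but the path it resolves to is outside the pages directory, so only the containment check refuses it.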

Continuous Integration with Jenkins and Git

Posted by Andy Beak

http://jenkins-ci.org/
Jenkins is a free and open source solution for monitoring the execution of jobs, including software project builds.

By monitoring the outcome of a build you are able to provide continuous quality control throughout the development period of a project.  The aim is to reduce the effort required in quality control at the end of development by  consistently applying small amounts of effort to quality throughout the development cycle.

Under the continuous integration (CI) model developers should consistently integrate their development efforts into the repository. There should be little time delay between committing code changes and the new build - this allows developers to recognize and correct potential problems immediately. Of course measures must be in place to flag errors with the build.

The advantages to developers and project managers of having a stable repository to which commits are made and tested are multiple. I don't need to replicate the Wikipedia list here but suffice to say that I've found although development is slowed slightly by needing to correct bugs (lol!) the overall quality of code is improved. A drawback that is mentioned on Wikipedia and actually made itself very apparent to me immediately is the need for a good test suite. You should expect to either assign a developer to coding unit tests or to allocate time for developers to code these as part of their development cycle.

If you're running Ubuntu installing Jenkins is very easy - a version is included in the repositories and so can be installed with apt-get. There is an excellent resource at rdegges.com that guides you through the installation of Jenkins and will help you get started. I personally found the Jenkins site itself slightly lacking in documentation aimed at first time users, but there is a large community base of users for support. There is a good tutorial for setting up PHP projects here.

Just by the way, the JAVA_HOME variable should be set to /usr/lib/jvm/default-java on Debian distros. This is a symbolic link to the currently installed JVM.

Installing PHPUnit

In case you struggle to install PHPUnit you should have a look at this bug comment on Launchpad which will help to solve the known "coverage" bug in Ubuntu installs. The following steps are given (and work) to install phpunit on Ubuntu:

sudo apt-get remove phpunit
sudo pear channel-discover pear.phpunit.de
sudo pear channel-discover pear.symfony-project.com
sudo pear channel-discover components.ez.no
sudo pear update-channels
sudo pear upgrade-all
sudo pear install --alldeps phpunit/PHPUnit

Note that I have omitted the last step of the process given on the web which installs phpunit again with apt-get. This breaks the installation because the new version of PHPUnit is incompatible with the CodeCoverage filter and you will get this error:

PHP Fatal error:  Call to undefined method PHP_CodeCoverage_Filter::getInstance() in /usr/bin/phpunit on line 39


If you follow the steps given above and install phpunit with pear you should be okay :-)

Adding a CakePHP based virtual host in Apache 2.2

Posted by Andy Beak

It's very simple to set up a name based virtual host in Apache 2.2 using the default Ubuntu package.

I'm assuming that you have installed Apache already and that you have edited /etc/apache2/sites-enabled/000-default to change the AllowOverride None to something like this:

<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
</Directory>

If you have not already used this command

sudo a2enmod rewrite

then do so in order to enable mod_rewrite.

Now edit your /etc/hosts file and add an entry that points to the server where you are setting up the virtual host.

The line should look something like this:

192.168.0.100  mysite.local

Where the IP address points to the server where you are setting up the host and mysite.local is a nickname for the site. Remember to add the .local :)

Now create a file in /etc/apache2/sites-available and name it something that relates to the sitename (for future maintainability). I would suggest naming it the same as the sitename. Edit it and copy this basic skeleton structure into it:

<VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName  mysite.local
        ServerAlias mysite

        # Indexes + Directory Root.
        DirectoryIndex index.php
        DocumentRoot /var/www/mysite/
</VirtualHost>

It is important that the ServerName matches the entry you made in your /etc/hosts file.

Now run the command a2ensite mysite.local which is a Debian convenience command which creates the symbolic link from the file you created to the /etc/apache2/sites-enabled/ directory.

You will need to restart Apache (service apache2 restart). If all is well you will be able to navigate to http://mysite.local on your local machine and view the site present on the server at /var/www/mysite

Consuming Microsoft .NET SOAP server datasets in PHP

Posted by Andy Beak

Microsoft Just Clowning Around Again

If you're impatient here is the link that this article leads to

SOAP is generally understood to be a simple method for systems to exchange data in a standard manner. This allows for remote systems to make calls on a server application. This sounds like a Good Idea.

Microsoft, however, does not appear to fully understand the concept of SOAP when it comes to providing a SOAP server based on "datasets".

Apparently the use of these datasets makes it much easier for programmers using Microsoft languages to consume web services.
Unfortunately it makes it inconvenient for everybody else.

So we have a standard way of doing things, but Microsoft decides to "improve" it and thereby forces everybody else to manually parse their XML responses. What is the point of having a standard method of accessing server methods if Microsoft then makes their implementation inoperable to Java, PHP, Ruby and Python developers?

Isn't the whole idea of SOAP to allow remote access?  So why make things difficult for everybody except the people who choose Microsoft as their vendor for Server, Desktop, Development IDE, Programming Language, Email, and Security?  What about somebody who wants to use a vendor other than Microsoft for one of these software services?  Is it technically better?  Is it better for a client to be locked into a vendor?  Or does Microsoft make more money by trying to force you to make them your vendor for all software?

Well in any case, if you are trying to consume a Microsoft dataset SOAP packet you will end up needing to write your own helper classes to decipher their code.  That's the bad news.  Trust me, I asked on Stackoverflow, Googled extensively (I didn't use Bing to search though, maybe I should have), and otherwise checked and rechecked why I was not able to handle the SOAP packets being returned by the Microsoft server.

PHP developers can use this code (http://www.bin-co.com/php/scripts/xml2array/) as a start to developing their class.  The code given there will help shortcut the process of reading the Microsoft dataset SOAP response.  If anybody has similar solutions for other languages please feel free to forward them to me.