Friday, October 25, 2013

AWS: Cache Me If You Can! Getting Started with Elasticache.

Here are the presentation slides from our monthly Charlotte Cloud Computing Meetup and AWS Charlotte Meetup meeting.

Application cache has the potential to tremendously speed up your response times. Putting a cache infrastructure together on the other hand may not be for the faint of heart. 
In this meetup we will investigate the use of Amazon ElastiCache. Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.

Cheers,
B.

Friday, June 28, 2013

AWS: Amazon CloudSearch -- Find This!

Since we experienced some issues with this month’s meetup I am publishing the presentation slides here.
We may be able to run through this at a different time again.

From our meetup description:

So you have used SOLR and think that is the only way to go for anything search related. But, (isn't there always a but?) you are tired of maintaining infrastructure or attempting to scale this thing. 
Well time to look at alternatives specifically made for the cloud. 
In this meetup we will look at AWS search, which is based on A9 search technology acquired by Amazon. It does all the dirty work for you so you can focus on your facets ;o) 
We will discuss the good and the bad while attempting to use examples and build a search domain.


Cheers,
B.

Thursday, April 4, 2013

CF: Railo: Using VisualVM tool to monitor running Railo servers

I had written a Adobe ColdFusion specific article on how to use the free VisualVM tool to get insight into the workings of the Java Virtual Machine. I have since been asked to provide similar guide for Railo CFML engine.



The good news is that the implementation is very similar and mostly follows the same path. I will demonstrate this using Windows OS example. I assume in this example that you have used the standard Railo installer for windows.


If so, here are some simple steps to use this great tool set working with Railo.

1) download java jdk also referred to as Java SE Development Kit. You can use 1.6.38 or later or 1.7.13 or later.  Again, Important to get the JDK not the JRE.
http://www.oracle.com/technetwork/java/javase/downloads/

2) Download Visual VM:
https://visualvm.dev.java.net/

3) Configure Railo jmx access:
On Windows, best way is to go to Tomcat Service Control, open the Java panel and add the following to the Java Options text box: (you can change the ports etc. this is is my sample):

-Dcom.sun.management.jmxremote.port=8701
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false




You can decide whether to use ssl or not, and also on the port to use. If you want to use jmx authentication I would recommend you read:
http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdenl

You will need to restart your server after you have completed your changes.


4) Configure your Visual vm start up to point to your jdk if you have not set environmental variables:
e.g. on Windows
if you extracted the visualvm files into C:\visualvm135
and
Your JDK is located in C:\Java\jdk1.7.0_13
then you can use the following command line:

C:\Java\visualvm_135\bin\visualvm.exe --jdkhome "C:\Java\jdk1.7.0_13"

You can also add a batch file shortcut for reuse, e.g.


5) Start up the VisualVM tool (it may have to go through calibration first, simply acknowledge), then, and establish a connection a JMX connection by right clicking on the local node and choosing "Add JMX Connection..."


6) Add connection parameters:
If the server is local you can use: localhost:[port] in our case: localhost:8701



Now you should be able to monitor basic statistics of your Railo environment as it runs, and do some nifty things like forcing garbage collection and dump heap files for later analysis.

Cheers,
B.


Monday, February 11, 2013

CF: cfObjective() 2013... talk is cheap (relatively ;o)


I decided to submit my slew of topics to this year's cfObjective conference. I had many things that I wanted to investigate or thought were worth sharing... never can pick really...
Fortunately for me the selection committee picked two of my submissions and, thus, if you time it right and have no better place to be, come join me at cfObjective in Minneapolis to dig into the mobile development realm ...

"Hey Bilal, come to the point", you say. "What are you going to yak about, since I am biZy! With a capital Z".
Well,  ok, here are the things I am going to talk about:

Design MVC Mobile App Visually In Hours


HTML5 / CSS3 / JavaScript Mobile Apps are becoming more popular. Unfortunately, the tools that we use to design them have not changed much. This talk is centered on using more advanced design tool such as Sencha Architect 2 to visually create front-end MVC mobile prototypes quickly in WYSIWYG fashion. We will step through the elements and create our own app and discuss native deployment options as well.
We will learn how to navigate the common UI of Sencha Architect, how to start and structure an Architect project, how to create a common mobile app with navigation pattern , how to link components, how to bind data, how to deploy generated code in your project, the difference in prototyping levels and the fit of rapid prototyping tools such as Architect, and we are going to have fun creating a real working mobile app.

Mobile but Secure


HTML5 CSS3 applications are becoming increasingly popular for mobile platforms. An assortment of applications makes use of the mobile devices to run, but when it comes to mobile security it is a wild west, the next frontier. What can you do to create mobile or web apps with a more solid security stance and prevent your mobile software from becoming another way to hack into your servers, your customers’ data? If you don't want to be in the news as the next mobile app whose weakness a hacker group used to get sensitive data you should familiarize yourself with the mobile security tips and tricks.
We will take a look at the mobile security top ten and discuss the juiciest elements such as   Insecure Data Storage, Weak Server Side Controls, Insufficient Transport Layer Protection, Client Side Injection, Poor Authorization and Authentication and ways and how to mediate them effectively.

So there you have it.
Hope to see you at the Mall of America in May !

Cheers,
B.

Saturday, January 5, 2013

CF: Scheduled Task Security venerability in Adobe CF

Getting hit by a security vulnerability is no fun. This new one using CFIDE scheduling (http://www.adobe.com/support/security/advisories/apsa13-01.html) seems to have impacted quite a few users.
This all happened around Christmas and went downhill from there most likely automatic network scanning of availability of a certain URL path followed by automated attack.


Charlie Arehart has several blog post on this topic so I am not going to expand too much:


The old adage to lock down your server still holds but is no solace to the people that got hit since it would impact a fully patched server.
The short of this is to disable access to certain CFIDE paths. This may be the practice that you already follow, then kudos!, more importantly, get the word out to other users. Let your friends know so they don't fly blind.

Overall I am surprised by this vulnerability since it seems to originate from a vector that, in my mind, should require authentication or at least some sort of access control. Seemingly the scheduling of tasks is vulnerable and wide open by default. Initial thought on this: Crap!
Maybe, as a community, we should vet more closely the out of the box CFML code that is being deployed. The secure stance always has been to not deploy any example and docs on production, however, this is part of the system would be required to administer it.

Couple of things that I would like to delve deeper into:

a) Detecting Code Compromise:
In the last talk that I had presented around application security I had shown an example that can be easily implemented and allows users to detect any code change on the machine.
The idea is to generate an application signature that, then, can be verified to see whether the application is still consistent with what you published.
This is a simple version, you may expand and adjust. This will help you detect whether you have been compromised.
You can do this against the CFIDE, Customtag, and/or any other directory you store code in. You can create separate signatures (i.e. modules) or combined ones.

The goal is to quickly be able to tell whether you were hit by a zero-day vulnerability or anything else made its way onto your server that you did not expect.

It involves two general steps:

First run a recursive cfdirectory on your website/app and, second, create a hash from it.
Something like this:

<cfdirectory action="LIST" directory="c:\inetpub\wwwroot" 
  name="myAppFiles" filter="*.cf*" recurse="Yes">

<!--- build md5 hash  --->
<cfset myAppSig = Hash(SerializeJSON(myAppFiles),"MD5","us-ascii")>


Then compare the generated application signature against a last known good one. This can be done on App start, or a scheduled basis, even add hock if you app is small.

Here is the similar sample that stops application execution if compromised if you include it in your OnApplicationStart function:

<cffunction name="OnApplicationStart">
 <!---
 This assumes that you have a database with a
 table named "appcheck" that has at least two fields
 id =    auto number/indexed
 value = text (20)
 
 The first time the app starts, the valid
 application signature will be determined.
 There after the application will abort if 
 the signature does not match.
 
 To publish new code.
 Clear the appcheck table or insert 
 the new valid signature as last row. 
 --->
 
 <cfquery name="selCheck">
  SELECT value
  FROM appcheck
  WHERE id = (SELECT Max(ID) FROM AppCheck) OR id=0
 </cfquery>
 
 <!--- determine app check crossum --->
 <cfdirectory name="selAppFiles" action="list" filter="*.cf*" 
  directory="#getComponentPath()#" recurse="Yes">
 <cfset strJson = SerializeJSOn(selAppFiles)>
 <cfset md5Hash = Hash(strJson,"MD5","us-ascii")>
 
 <cfif selCheck.RecordCount>
  <!--- application compromise check. 
        We could email someone automatically, 
        raise alarms, call the cops --->
  <cfif md5Hash neq selCheck.value>
   Application compromised.<br/>
   <cfoutput>
   #md5Hash# -- #selCheck.value#
   </cfoutput>
   <cfabort>
  </cfif>
 </cfif>

 <cfquery name="insCheck">
  INSERT INTO AppCheck 
  (VALUE) VALUES ('#md5Hash#')
 </cfquery>  
</cffunction>



b) Preventing people from using the vulnerability:
Charlie and other have done a good job of summarizing the source and ways you can prevent the exploit. It all seems to boil down to not let users hit certain CFIDE paths:


  • /CFIDE/administrator
  • /CFIDE/adminapi
  • /CFIDE/componentutils


The bad thing is that using IIS/Apache facilities to lock out call URLs may not be good enough. There is the question of virtual paths and ColdFusion built in webservers that can bypass your effort. In addition, the normal Adobe CF connection between IIS and CF is using a wildcard based handling of all request. That means all requests to your website are first routed to CF/connector, even, if you ask for an image. If you know me you know I am biased, but obviously this blows big time, since it causes unnecessary processing on IIS and CF. Try to pause or stop CF and call a static HTML page on IIS or Apache, you will wait for a while. Enough of the ranting! In short, please test your lockout configs after you make changes to make sure that everything is locked out as it should be.

If you are using ColdFusion 10 on IIS you also have the option to deploy my BonCode connector. It does not block static page access, or hinder non CF processing. Since its first version it had the ability to block access to administration pages; you will not be able to bypass this even if you have the built in CF webserver running (yes, you can still hit the built in webserver if you bypass IIS altogether but that would require deliberate foolishness where you have opened the non-standard port on your Windows OS and firewalls everywhere).

Here is a blog post on how this feature is used to secure Railo administration pages. This method also works for OpenBD, and Adobe CF10.
The installation for CF10 is not out of the box, if there is interest in this I will provide it in later versions. Also this is not officially supported by Adobe, though given the system instability issues and problems that have occurred with the supplied connector you may want to consider testing anyway.

Cheers,
B.

Sunday, November 25, 2012

Reminiscing the difficulties of predicting the future or how the iPhone 5 made it all come true

A few year back, at the height of the iPod boom, I predicted its swift demise.
I might have titled this said blog post something like Why the iPod must die!

So back then I was predicting the death of single purpose devices such as MP3 players in general and the iPod in particular. Well... I was wrong, but not all the way. The iPod is still around, but sales are declining. As a matter of fact they have been declining every year since my prediction was made in 2008:



Why do I want to warm up old toast you ask? Good question. Another thing I mentioned towards the end of the aforementioned blog post was about, how I believed, Apple could make boatloads of money, not with the iPod itself, but with the control over the connection mechanism, the 30-pin dock.

Most "i" devices Apple introduced up to iPhone 4S have this connection mechanism. A whole supporting universe of accessory makers has emerged that use that 30-pin standard to connect anything from stereo systems to zebra pattern 3d printers (I made this one up, don't Google needlessly!).
However, Apple, like Sun, when it missed the JVM for the trees, missed to monetize the 30-pin connector handsomely. While normally very astute in locking in consumers and partners alike, this was a big miss, indeed, for Apple. Also contributing to this was the ease with which people could reverse engineer the connector.

But fret no more, under the guise of improving user experience, Apple introduced the new "lightning connector" and closed this loophole with the iPhone 5. Though I have not heard any of my friends or co-workers ever state that they had trouble or needed a new way to connect, it is now a fact of live that we will have to buy many adapters or replace existing gadgets.

Now, the life of the 3rd party accessory maker has changed drastically as well. No longer can they use simple analog techniques to reverse engineer this. There is an encryption chip specific to the connector that needs to be dealt with. Why would you need an encryption chip in the docking connector? To control its use of course. IMHO this thing is so complicated that it delayed the launch of the promised lightning to Apple dock adapter.
Thus, for manufacturers the only viable alternative is to check with Apple to see what the terms of licensing lightning technology would be. This, in turn, translates into revenue in the future for Apple, and my prediction made many years ago, finally comes true !

Cheers,
B.

Tuesday, November 20, 2012

CF: ColdFusion with Amazon Load Balancer (ELB) and mysterious line breaks causing "unterminated string literal" exceptions

This seems like a complicated scenario at first until I started thinking about it again.
You use ColdFusion in the Cloud, specifically in the Amazon cloud, you then add a load balancer in front of your servers, then you notice your JavaScript starting to error out in some browsers. You cannot explain it.
Then, you spent countless hours going nuts.

Here is a sample JavaScript and ColdFusion block that would break. The simple block retrieved a name from a ColdFusion function and passed it to JavaScript:


<cfoutput>
  <script type="text/javascript">
    var myName = '#fCallForName()#';
  </script>
</cfoutput>


The above returned this in browser lets say the name was "John" :



  <script type="text/javascript">
    var myName = '
John';
  </script>


This, in turn, throws a "unterminated string literal" exception in JavaScript because of the line break right before the name. Of course, you say, silly you, you probably doing something in CF to return a Newline character combination. Good thought! So I changed the CF side to be as simple as possible. Here is the CF code that returns an empty string; guaranteed!



<cffunction name="fCallForName" returntype="string">
<cfreturn "">
</cffunction>




So nope, empty string still produced new line in the JavaScript output. So a few brain cycles go by and
I get to thinking to check to hit servers directly (bypassing amazon ELB altogether) and see what is returned. The return this time is enlightening, there is a blank string rather than the expected empty string, but no newline.



  <script type="text/javascript">
    var myName = ' ';
  </script>



Yeah, progress, maybe? This is different, which again it should not be. Thus, the only thing this establishes is that the Amazon load balancer (ELB) is changing the output stream somehow. Then, I also remembered an earlier blog post of mine where I outlined that CF inserts an empty space character when the function output is used directly in place in HTML context:  http://boncode.blogspot.com/2009/03/cf-coldfusion-functions-and-case-of.html
... and the fog began to lift.

I immediately reassigned the function output to a variable like so:

<cfset userName = fCallForName()>

Then, used the variable to output the content of the function:



<cfset userName = fCallForName()>
<cfoutput>
  <script type="text/javascript">
    var myName = '#userName#';
  </script>
</cfoutput>



...and bingo, everything started to work again. No more JavaScript errors. However the conclusions here are more scary then the error:

a) ColdFusion does introduce more than just a space character when function output is used in place
b) Amazon elastic load balancer makes modifications (corrections?) to the network stream and changes the output. For each in place output of function call it adds a line break.

Both a) and b) should not happen, but they do ;o(
At least now my pain could be your gain. Cloud pittfals, I guess...simple assumptions like surely the load balancer will not modify my data could throw you off .

Cheers,
B.