Web Admin Blog

Real Web Admins. Real World Experience.

Two Simple Ways to Read Restricted Website Content

Have you ever had a problem that you used a search engine to try to find the solution?  Did that search bring you results from a site that then forced you to register in order to see the content?  This happened to me all of the time before I found two simple ways to display that content without me having to register at all.

Let me begin by explaining the why before I tell you the how.  In order for a search engine to index a site’s content, it needs to be able to see that content.  The webmasters of that site are eager to let the search engine see the content as they know it will drive additional visitors to their site.  The end result is that they have to find a way for the search engine to see the content, while at the same time obscuring it from the view of the average user.  Most of the time they do this by keying off of the browser’s USER AGENT.  This creates a loophole for us to exploit since if Google is able to see the search engine results, then so can we.  Here are my two tricks to see the restricted content:

An Evaluation of Rapid7 NeXpose

I’ve been focusing a lot of my time lately on our PCI initiatives.  One sub-topic that I’ve spent a particularly large amount of time on has been Requirement 11.2 which says that you need to have internal and external network vulnerability scans performed by a scan vendor qualified by PCI.  We already employ one such tool, but I’ve been working to evaluate several other vulnerability scanning tools to see where our current tool is at in comparison.  I’ll post my evaluations of each of these tools in time, but for now I’ll start with my evaluation of Rapid7 NeXpose.

Cloud Headaches?

The industry is abuzz with people who are freaked out about the outages that Amazon and other cloud vendors have had.  “Amazon S3 Crash Raises Doubts Among Cloud Customers,” says InformationWeek!

This is because people are going into cloud computing with retardedly high expectations.  This year at Velocity, Interop, etc. I’ve seen people just totally in love with cloud computing – Amazon’s specifically but in general as well.  And it’s a good concept for certain applications.  However, it is a computing system just like every other computing system devised previously by man.  And it has, and will have, problems.

Whether you are using in house systems, or a SaaS vendor, or building “in the cloud,” you have the same general concerns.  Am I monitoring my systems?  What is my SLA?  What is my recourse if my system is not hitting it?  What’s my DR plan?

Cloud computing is also being called “PaaS,” or Platform as a Service.  It’s a special case of SaaS.  And if you’re a company relying on it, when you contract with a SaaS vendor you get SLAs established and figure out what the remedy is if they breach it.  If you are going into a relationship where you are just paying money for a cloud VM, storage, etc. and there is no enforceable SLA in the relationship, then you need to build the risk of likely and unremediable outages into your business plan.

I hate to break it to you, but the IT people working at Amazon, Google, etc. are not all that smarter than the IT people working with you.  So an unjustified faith in a SaaS or cloud vendor – “Oh, it’s Amazon, I’m sure they’ll never have an outage of any sort – their entire system or localized to my part – and if they do I’m sure the $100/month I’m paying them will cause them to give a damn about me” – is unreasonable on its face.

Clouds and cloud vendors are a good innovation.  But they’re like every other computing innovation and vendor selling it to you.  They’ll have bugs and failures.  But treating them differently is a failure on your part, not theirs.

Small and Medium-Sized Companies Too Small to Get Hacked

McAfee released the results of a survey last week after sampling 500 IT decision-makers from companies with 1,000 to 2,000 employees.  The results are pretty astounding.  Forty-four percent think that cybercrime is only an issue for larger organizations and believe it does not affect them.  Fifty-two percent believe that because they are not well known, cybercriminals will not specifically target them.  Forty-five percent do not think that they are a valuable target for cybercriminals.  Lastly, forty-six percent do not think they can be a source of profit for cybercriminals.

Google Ratproxy

If you are responsible for developing or maintaining a website and haven’t checked out Ratproxy yet, you’re missing out. Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is. In a nutshell, a proxy is an application that runs locally on your computer and intercepts requests and responses between your web browser and the web server. In almost all cases, the proxy has the ability to manipulate the conversation going on between the two. Things like modifying your cookies, changing POST and GET parameters, and finding hidden fields are made uber-easy with the assistance of a proxy.

SaaS Headaches

There’s a lot of promise in the new SaaS (software as a service; what used to be called ASPs, or Application Service Providers, till Microsoft crapped all over that acronym) and newer PaaS (platform as a service) spaces (and look for a steady stream of new “aaS”es to come).  However, there are a lot of gotchas in signing on with a SaaS vendor.  You’d like to be able to believe that they have decent performance, uptime, security, etc., especially after they tell you “Oh, all kinds of big companies use us; Dell, IBM…”  This is exacerbated by SaaS often being an “end run” around IT in the enterprise, so naive users can get sold a bill of goods without proper technical oversight.  SaaS is a big buzzword now, and there are a lot of startups springing up that do not necessarily have experience running large scale sites.  Think about how many MMORPG games still get scuttled due to poor operational performance.  SaaS is the same.

Here are some things to keep in mind when selecting a SaaS vendor, laced with real life horror stories from our experiences.

1.  Performance/Availability.  Set a hard performance/availability SLA in the contract.  Many vendors won’t even have an SLA clause, or they’ll have one that says “99.9% uptime!” without any remedy clause for what if they don’t hit that.  You want a clear SLA with a clear measurement method and clear “money back” if they don’t hit it.  We use a 2 second global performance SLA as measured by a Keynote Global 35 monitor.  But the SLA isn’t the whole story – you are counting on these people to accomplish your goals.

Optimizing Web Performance with AOL Pagetest

Dave Artz has put together a simple Webcast tutorial on how to use webpagetest.org to measure and fix up your Web site.  If all this talk about Web performance is a bit overwhelming, it’s a great novice tutorial.  He walks through the entire process visually and explains each metric.  Great job Dave!

Oracle + BEA = ?

We use Oracle Application Server as our Java app server at NI. Yeah, yeah, I’ll wait till you stop laughing.

Why not JBoss or WebLogic or WebSphere? Well, a couple reasons. We made the decision five years ago, and JBoss wasn’t solid then, and we needed J2EE support so plain Tomcat wasn’t enough. And we’re a huge Oracle shop and figured that if we were using the same app server on the Web and our ERP tiers there’d be leverage in terms of developer knowledge etc.  Would we make that same decision today? I’m not sure about that (I can hear my team members shouting “hell no” over the cube walls).  Although since we’ve also gone with Oracle’s SOA suite for ESB and BPEL it would be harder to switch. But still tempting – Oracle has done a horrible job in getting their app server supported by other vendors. Every time we buy something and look at the supported app server section of their support matrix, and we ask “What about Oracle’s OAS?” we get expressions of mixed horror and pity from the supplier. (I liked it when the Chinese technical guy from one eComm vendor we had in responded to this question with, “You know, the Tomcat is good, and free! Maybe you use that!”)

Anyway, Oracle bought BEA a while back, which got keen interest from us. Stay with Oracle *and* use a good app server that other people support?  Tempting!  But Oracle’s been farting around for six months without coming out with a statement on what this will mean for the products. Oracle’s finally done a Webcast describing their strategy. Well, it’s half marketing and a celebration of how many million dollars they have. But there’s also a lot of product strategy in there. I’ll sum it up for you because the damn webcast is nearly two hours long, and I don’t want other people to have to waste that much time on it. Unless you like to hear someone go on about “strategic clarity” and “customer profiles,” in which case this is two hours of bliss for you and you should watch it.  Although I also had the stream break a bunch of times while watching.  Who the heck uses RealPlayer any more?  Anyway, here’s a list of the interesting product facts from the Webcast.  Some are marked with their timestamp if you want to fast forward to them and see more.

Velocity 2008 Conference Experience Wrapup

Well, I’m finally home with a spare minute to write. I and the two guys who went to the conference with me (Peco and Robert) got a lot out of it. I apologize for the brevity of style of the conference writeups, but they were notes taken on a precariously balanced laptop, under bad network and power conditions, while I was also trying to get around and participate meaningfully in a very fast-paced event. I’ve gone back and tried to soften them a little bit, but there’s no rest for the wicked. You can access many of the slides for the sessions here.

The conference was quite a success. Everyone we spoke to was enthusiastic about the people and information there. O’Reilly is happy because attendance was above their expectations, and it looks like it’s been expanded to 3 days next year, which is good – it was *so* session packed and fast paced I didn’t get to talk to all the suppliers I wanted in the dealer room and at times it felt like the Bataan death march. The first day we barely had time to grab a fast food dinner, and we often found ourselves hungry and hurrying. We enjoyed talking with the people there, but it seemed less conversational than other conventions – maybe because of the pace, maybe because half the people there were from the area and thus needed to scamper off to work/home and were therefore not into small talk.

Top 10 Strategies to Secure Your Code

Since Michael Howard moved from Redmond to Austin, I’ve had the privilege to see him present several times now. This is the guy who literally wrote the book on writing secure code and the secure development lifecycle. He is a fantastic speaker and I’d highly recommend checking him out if you ever get the opportunity. Yesterday, I heard that he was speaking on securing your code at the San Antonio OWASP meeting so I decided it was worth making the drive down to see his presentation. So, I give to you Michael Howard’s Top 10 Strategies to Secure Your Code straight out of one of his Microsoft TechNet presentations.

Michael began by giving us the definition of a secure system. He said “A secure system does what it’s supposed to do and no more.” It’s such a simple concept, but in practice such a hard thing to achieve. Here are his suggestions on how to accomplish that: