Yeah, I lied.

I have had to do some work on a shopping cart that was originally written in ASP and it has reminded me why I enjoy not writing ASP. Last time I wrote ASP was in early 2003, but at least my code was well organized. I had includes in a central location, I was using VB ActiveX components to handle some of the site features and I was well to put it bluntly not so full of myself that I didn’t do research on improving my code.

The programmer who wrote this, I know of through a friend, and while I have not talked to him more than a few times I know through my friend that people have been very unhappy with his code. The last company I know of that experienced this he had some deal with, and cashed out of the deal because even he admitted the application bogged down the servers horribly. The server it was running on has 6gb of RAM and isn’t some old junker. It is also running Windows 2003 x64, and SQL Server 2005, which should help performance. The company that paid him to originally write the code has since hired another company to rewrite it so that the client is getting what they pay for when they resell the product.

Anyway, this cart was originally another ASP shopping cart and was stripped of a lot of the identifying details, which he then made into what was supposed to be some sort of “template” setup. I can really say though that it has been one of the more aggravating edits I have had to do, things are just all over the place in the code. Normally a template system allows you to make some visual changes without having to do a huge amount of editing. Take Wordpress for example, you know what pages to edit and what tags to add and you put them where you want the information to be displayed. Shopping carts are of course more complicated, but osCommerce uses templates and from what I’ve seen it is much easier. Templates are also used so the designers can stay out of the logic as much as possible since that is not what they do, with this setup there is logic all over the place. A number of files only have a line or two in them and the only one that means anything is the include line referencing a file with the exact same name in another directory.

I am really not big on putting down other programmers because I know for a fact there is code I have written that has not been worthy of any praise, but I also don’t regard myself as a top notch programmer like he does. When someone speaks about them self like they are top dog, they are just asking for it. There is also a difference between selling yourself and going overboard. It is just part of sales to make yourself sound like you are the only one for the job and if they decide not to go with you then it is their loss, in some cases you are and in some cases you aren’t. When I received the job for the FTA I was told from the start that it was in Joomla and I immediately looked at the code. Knowing I couldn’t fake knowing Joomla I said flat out that I had never worked with Joomla, but I have experience writing readable and well thought out code. Now the designer who did the template told them that he had worked with Joomla and la di da, but when I received his template he had hard coded things in that should have been dynamic, which of course would keep the end client from being able to edit them.

This post is getting a little bitchy now, but it is surprising just how many people go around making themselves into something they aren’t and making a lot of money doing it. This of course is nothing new as I am sure a lot of you have seen the posts discussing the tests that companies are giving during interviews and finding out that the programmers cannot solve basic problems. If you haven’t read the article do a Google search for FizzBuzz.

Tomorrow is weeCamp, a beCamp/barCamp style conference covering web application security. I am REALLY excited about this conference, there was a chance I was not going to be able to go, but I will be there. The talk I think I will be most interested in hearing is RoR security. I have been learning RoR a bit the past week and while there is a learning curve I am really enjoying it. I have a large project that I am going to be tackling in the Rails framework and I hope that my needs to not exceed my limited experience with RoR. Worst case I have to write it in PHP by scratch or use CakePHP.

Very early Friday morning I was updating my BIOS and it appears that the utility killed off a dependency for my UPS utility, which then made the application think that the connection was lost. This resulted in my UPS rebooting and killing the power to my machine in the middle of the update. I was unable to do a BIOS recovery so I had to order a new motherboard since MSI does not have advanced replacement. If I RMA that board it will take 7-10 business days for them to fix it after they receive it. Combine that with shipping and I am looking at probably a month, considering that is my primary system and migrating everything to another system is just out of the question I felt the $150 was worth it.

Its been a difficult few days even outside my techie life, so I am really hoping this conference will boost my spirits.

For a while I have been keeping my eye on certifications I would like to obtain in the next few years. Being honest with myself it really is just a goal because it would be very costly and time consuming to obtain all of them, not impossible, just difficult. What is a life without goals? however difficult they might be. After speaking with some security professionals on [H] I have added enough certifications to keep me busy for many many years. There are a number of certifications that you really cannot pass without real world experience, one I have heard of is the CISSP, which requires four years of experience (5 years effective Oct. 2007), however two years may be waived. One of my goals is to have the credentials that would land me contracts as a white hat so getting real world security experience is a priority anyway.

Below the list of certifications I have an additional list which outlines the certifications for the DoD directive 8570.1. This directive applies to individuals administering DoD machines. Of course the major problem with certifications is maintaining them, the more certifications you have the more difficult it can be since you have to recertify every so often. The list below is a broad list of certifications I am interested in, and while I would like to have them all the list will be narrowed over time. Lets say I get my RHCT, but when looking into Solaris more, I don’t have interest in working with Solaris or the other way around, ultimately reducing the list over time.

Now for the main list of certifications:

• Certified Ethical Hacker
• Zend Certified Engineer
• CompTIA Linux+
• CompTIA Server+
• CCNA, Cisco Certified Network Associate
• Linux Professional Institute Certification (LPIC-1), Junior Level Administration
• Linux Professional Institute Certification (LPIC-2), Advanced Level Administration
• Linux Professional Institute Certification (LPIC-3), Senior Level Administration
• Sun Certified System Administrator (SCSA)
• Sun Certified Network Administrator (SCNA)
• Sun Certified Security Administrator (SCSECA)

Since Red Hat has recieved its EAL4 certification with Labeled Security Protection Profile (LSPP) I added some of the Red Hat certifications to the list

• Red Hat Certified Technician (RHCT)
• Red Hat Certified Engineer (RHCE)
• Red Hat Certified Security Specialist (RHCSS)

DoD Directive 8570.1 Technical I

• A+
• Network+
• TICSA, TruSecure Certified Security Associate
• SSCP, Systems Security Certified Practitioner

DoD Directive 8570.1 Technical II

• GSEC, GIAC Security Essentials Certification
• Security+
• SCNP, Security Certified Network Professional
• SSCP, Systems Security Certified Practitioner

DoD Directive 8570.1 Technical III

• CISSP, Certified Information Systems Security Professional
• SCNA, Security Certified Network Architect
• CISA, Certified Information System Auditor
• GSE, GIAC Security Expert

There are also a number of certifications under the SANS Global Information Assurance Certification that look very interesting. These certifications also seem to be more specific, an example being “GIAC Securing Oracle Certification” or the “GIAC Secure Internet Presence”.

One of the posters from [H] had this in his signature.

CCNA, CCNP, CCIE, CCAI, MCT, MCSE, CNE, CNI, A+, Net+, Security+, SSCP

Showing that it is very possible to obtain a grip of certifications

When I colocated everything I realized that I was pulling the CSS and ICO from a local trac environment. I have updated the post Automated Project Creation with the new link to download the template and CSS.

I have mentioned before that I am working with Joomla and Docman for this FTA site and I recently found a bit of a scaling issue I thought I would mention. I don’t know how many of you use the query log option that MySQL offers, but I highly recommend you do.

I browsed to the resources section and viewed a page with 124 documents on it. You would think that wouldn’t be so bad, but in actuality it is ridiculous. That one page view generated 1611 SQL queries. The reason is that it grabs the list of documents, and then for each one it would check to see if the user had access to that category and there was another check that has slipped my mind. Just the category access check was for some reason causing 10 SQL queries per document and what makes it worse is that every document was in the same category so really only one access check needed to be done. Since all Docman categories are 100% open to the public I had no problem removing the SQL query and having it return TRUE for every document. This change dropped the queries from 1200 down to 155. The reason it is 1200 and not 1600 is because the other check that I still can’t remember was also removed and that eliminated roughly 300 queries.

Personally I think that the component could have handled grabbing the information better than it was; joins being the biggest improvement.

These are very simple, there is no check to see if it is running and no error handling. This is my first chkconfig script and I am not bash brilliant.

*Note: The syntax highligher is replacing the double dashes (–) in the solr.stop script so please click the “Show Plain Code” when copying. I will find the bug in the script to avoid having to do that.

In /etc/init.d/solr

#!/bin/bash
#
# chkconfig: - 80 45
# description: Starts and stops Solr

start() {
        echo -n "Starting Solr... "
        nohup /opt/directory/solr.start
        echo "OK"
        return 0
}

stop() {
        echo -n "Stopping Solr... "
        /opt/directory/solr.stop
        echo "OK"
        return 0
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        stop
        start
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac

exit $?

This is the /opt/directory/solr.start file

#!/bin/bash
cd /opt/directory/
/usr/java/jdk1.6.0_01/bin/java -DSTOP.PORT=8079 -DSTOP.KEY=ftasolrstop -jar start.jar &

This is the /opt/directory/solr.stop file

#!/bin/bash
cd /opt/directory/
/usr/java/jdk1.6.0_01/bin/java -DSTOP.PORT=8079 -DSTOP.KEY=ftasolrstop -jar start.jar --stop

I have mentioned a few times about how different my health is from what it used to be and I have started working on it, but I can’t go full on because I am not in the gym. On the first I started keeping records and worked on eating healthier and it looks like my mass has not gone down, which I am thankful for. I am using the DoD bodyfat calculation to determine these numbers, which is close, but not exact. While it is not as exact as the BodPod or underwater methods it is what I have been using for years so it gives me a great comparison to what I have been in the past. Right now I am sitting at 165-170lbs lean mass, and that is because it is based on measurements and sometimes you can measure different. I have no doubt that when I get back in the gym I can gain another 10 in muscle, if I do that and drop to 200lbs I will be 10% bodyfat and 180lbs lean mass. I was big before, but people could tell I had bulked, right now I think people just think I’m fat because I have a lot more of it.

Yesterday I got a quick run down of just how out of shape I am. I spent a couple hours moving things to storage and cleaning out the shed. I also went to bed at 6pm and woke up at 9:30am this morning. To give you an idea of what I used to do. I would get up at 5am eat a banana and drink a bottle of water, leave at 5:15 and drive 35min to the gym. I would usually begin working out around 6:00 and finish at 7:10. Shower and then leave around 7:30 after taking my supplements. Arrive at work at 20 of 8, eat my breakfast then I would work from 8 to 5 outside in the hot sun on equipment or doing some stuff by hand, but prior to that 1 or 2 days a week I shoveled horse crap from stalls. Think of working out in the gym * 4 then multiply that by 8 hours, it is literally the hardest work I have ever done and I have done a lot of stuff in life. You are basically removing 1ft+ deep shavings + crap from a 8×8 stall, not your standard family farm daily cleaning. Anyway after that I would go home eat and get 8 hours of sleep before starting it all over again. When you compare that to what I do now, you might understand how I could become out of shape. Not really the job for the type of person that can program in a number of languages, but I loved the job. I hated the smell of horse shit and being dirty as hell everyday, but I worked with friends, I was in shape and when I got home I knew I had done something that day. I didn’t come home with a lot of money in my pocket, but that was ok because I know that I earned every single penny I did bring home and I had the sore muscles to prove it.

I remember in California when I was working with mortgages they would say, you work hard don’t cut your fees just so a loan will go through. I thought to myself, well thats California for ya. I have actually worked hard and made a lot less. You call someone, get their information, email it to some brokers, work up deals, pitch it, and do more paperwork. It’s a joke, you make 2k+ per loan and have a lot of stress when you don’t have clients, but it isn’t hard work, just time consuming at times.

I switched my DNS for another domain over to Google Apps last night. This domain, tworaised.com, is going to be my project domain where I will actually store the code for all my public projects. It will have trac and svn environments for people to interact with and probably a blog plugin integrated into trac, but we will see I would almost like to have one blog to cover all projects. I have considered not using the domain because of the name. Tech people will get the 2^ part because everything is 2^x, but I’m sure others will think two raised as in two middle ,,|,, fingers ,,|,, but what can ya do.

I will be detailing my experiences with Solaris in my next post, along with my experience with the user community surrounding it.

On this blog I use a plugin called SyntHihol, which uses GeShi for the actual highlighting. I found a project on Google code called SyntaxHighlighter that uses Javascript and does a very nice job. I don’t know that I will be moving to it, but it would be a nice addition to have and definitely a great tool for offline documentation.

I was patching the SOLR source with the patch provided by Eric Pugh that will parse PDF, DOC, XLS documents and index the data into SOLR. I will details that either later today or tomorrow, but this patch was created so that the community can do process these document types much like we did in a recent contract.

When applying the patch I wanted to commit the source to our repository so we know what revisions we were working with and had the code handy. I decided later it would be better not to do it that way, but TortoiseSVN did not give me a way to see what revision I was on. If you run the command `svn info` you will get the following output (obviously the details will be different):

F:\\Workspace\\Java\\SOLR>svn info

Path: .
URL: http://svn.apache.org/repos/asf/lucene/solr
Repository Root: http://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 552673
Node Kind: directory
Schedule: normal
Last Changed Author: ryan
Last Changed Rev: 552521
Last Changed Date: 2007-07-02 11:57:03 -0400 (Mon, 02 Jul 2007)

Here is the script I mentioned the other day. For the most part this is my first Ruby script. I have done a few little tests to see how some things work but nothing more than 5 lines. For that reason please don’t be too harsh if I did something incorrect, but I would like some input.

Basically if you have this script named ‘project.rb’ you would enter:

project testproject "Test Project" htdigest

What that is doing is creating a repository called ‘testproject’ and a trac environment called ‘testproject’ in the directory you specify at the top of the script. It will set the Trac project name to ‘Test Project’ and if the htdigest argument is present it will add the users in the script to the HTDigest file you are using for trac. This script will add the users you specify to the trac environment along with the permissions you think they should have. It will also add those users to your repository passwd file and alter your svnserve.conf file.

One thing it is not doing is altering the trac.ini file. I debate implementing it, and I will need to look into the ways you process INI files in Ruby before I do.

I must also note that with this configuration I am using one virtual host and location for trac environments in Apache. Since this is my local stuff I don’t have a lot of users to be accessing and they will not be changing much from project to project. Below is a screenshot of how my project list looks using the index.tmpl you can download here. You can also download the RB file for this script from here. Also for some reason the highlighting is all funky, but it is still readable.

#!/usr/bin/env ruby
#
# Usage
#
# script 
 
#
# Example:
# —————————
# script test "Test Project" htdigest
#
#	- This will create a directory named test in both
#	  your repository and trac directories.  The htdigest
#	  parameter tells it to write to your htdigest file.
#

require ‘digest/md5′
user = Hash.new
perm = Hash.new

#
# Changes these locations to fit your environment
#
repo_loc = ‘C:/DEV/repo/’                   # Directory for the SVN Repo
trac_loc = ‘C:/DEV/trac/’                   # Directory for the Trac Project
svn_loc = ‘E:/Subversion/bin/’              # Subversion Bin Directory
py_loc = ‘C:/Programs/Python24/’            # Python Directory
htd_loc = ‘D:/DEV/trac/htdigest’            # HTDigest File Location
tmpl_loc = py_loc + ’share/trac/templates’  # Template Directory

#
# Repository Configuration
#
conf = < project.log’)
    tracb = system(trac_x + ‘ > project.log’)
    if svnb && tracb
        puts "Repository Created"
        puts "Trac Environment Created"
        user.each_pair do |k1, v1|
            system(x_py + x_trac + tracspath + ‘ permission add ‘ + k1 + ‘ ‘ + perm[k1].to_s)
            htdigest += k1 + ‘:’ + realm + ‘:’ + Digest::MD5.new.hexdigest(k1 + ‘:’ + realm + ‘:’ + v1) + "\\n"
            passwd += k1 + ‘ = ‘ + v1
        end
        if (ARGV[2] && ARGV[2] == ‘htdigest’)
            open(htd_loc, "a") { |f| f.puts htdigest }
        end
        open(repospath+’/conf/passwd’, "w") { |f| f.puts passwd }
        open(repospath+’/conf/svnserve.conf’, "w") { |f| f.puts conf }
    else
        puts "An Error Occurred"
    end
end

Here is my apache config for Trac

  SetHandler mod_python
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnvParentDir D:/DEV/trac/
  PythonOption TracUriRoot /
	PythonOption TracEnvIndexTemplate D:/DEV/trac/index.tmpl
	ServerName trac.myserver.com
	ErrorLog D:/DEV/logs/apache.trac.errors.log
	CustomLog D:/DEV/logs/apache.trac.referer.log referer
	CustomLog D:/DEV/logs/apache.trac.agent.log agent
	CustomLog D:/DEV/logs/apache.trac.access.log combinedio
	CustomLog D:/DEV/logs/apache.trac.deflate.log deflate
	
	  AllowOverride All
	  AuthType Digest
	  AuthName "trac"
	  AuthDigestFile "D:/DEV/trac/htdigest"
	  Require valid-user