TechMasala - Technology Spice Rack » Development

Archive for Development

Hard Work for a Bad Cause

It is becoming easy for me to identify phishing emails these days. Kudos to some of these guys: they give their best to get these mails delivered to the inbox despite the mail clients constantly updating their spam filtering methods. They have to be really smart to get past these filters and also convince the reader to take an action from the mail. Even though I was able to identify one of the mails that got into my inbox today as a phishing email, I was quite impressed by the quality of the mail content. It was a typical mail saying that my PayPal account has been restricted and that I have to complete a checklist by clicking a link to activate it again. The highlight of this mail, beyond its actual intent, is the right-side section that gives tips on protecting my account - probably something copy-pasted, but a job well done. The only thing that gave the mail away was the From address, which wasn’t from paypal.com. Below is the image snapshot.

Phishing Mail

I didn’t leave it at that; I wanted to see how well the imitation continues in the rest of the steps. So I clicked on the link in the mail and it took me to an almost identical PayPal site. Look at the snapshot below and compare it with the PayPal US website. On the phishing site, the only way to tell it is fraudulent is by looking at two things: first, the URL, and second, clicking on any link like “About”, “Privacy” etc. always lands you back on the login page. But just by comparing these two screens you will be surprised at the amount of imitation in terms of fonts, styles, images etc.

Phishing Login Screen

Here is the fun part. The phishers can’t really validate whether someone is genuinely using their PayPal login and password. Their best bet is that someone who is really convinced the mail is from PayPal will input their credentials. But what matters to these people is not the credentials but the details on the subsequent page. So if you enter any invalid email address and password, you are taken to the next page. On the next page come the details that these guys want - the whole credit card section. Look at the screenshot.

Phishing Detail Screen

Here again the highlight is that, to convince the user, they have links like “Help finding your Card Verification Number” and “Why is ATM Pin required?”. Clicking on the “Why is ATM Pin required?” link shows a popup with the message below.

“By adding VeriSign Payment Services industry-leading tools such as Payflow Link and Payflow Pro to PayPal’s suite of payment solutions, we’re now able to offer online merchants even more choices for their businesses.
Requiring PIN Signatures is the latest security measure against: identity theft, credit card fraud and unauthorized account access. PayPal will verify it with your bank records for your own protection.
If you provide a wrong PIN your account will be suspended for unauthorized account access.”

LOL for the last line there :-) .

But Firefox was quick to mark this as a forgery website when I clicked on the link a second time to take a screenshot for posting here. What surprises me most is that this is not a mere copy-paste job; it involves a lot of work to imitate the original site, including some testing. For example, the login page does an email validity test. So there should be a team with good knowledge of web application programming (this one was done using PHP; just looking at the URL gave that away), HTML, CSS etc. If only these guys could use their skills to get into a decent job, not only would they not be in for a bad cause, but the software industry would have got a few more good developers. Do these guys realize that writing software for someone to steal money from those who succumb to this deceit is as good as being thieves themselves?
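The two tells named in this post, a From address that is not under paypal.com and a link URL that is not PayPal's, expressed as a mail-triage check. This is an added example, not part of the original post; the function names and all sample addresses and URLs are constructed.

```shell
#!/bin/sh
# Added example: flag mail whose From domain or link hosts fall outside the
# brand's domain. Helper names are illustrative, not from any mail tool.

# url_host URL -> prints the lowercased host the browser would connect to.
# Minimal parser: IPv6 literals and backslash tricks are not handled.
url_host() {
    u=${1#*://}        # drop the scheme
    u=${u%%[/?#]*}     # drop path, query and fragment
    u=${u##*@}         # drop userinfo ("paypal.com@other-host" style URLs)
    u=${u%%:*}         # drop the port
    printf '%s\n' "$u" | tr '[:upper:]' '[:lower:]'
}

# addr_domain FROM_HEADER -> prints the lowercased domain of the address.
addr_domain() {
    a=${1%%>*}         # cut at the closing angle bracket, if any
    a=${a##*@}         # keep what follows the last "@"
    printf '%s\n' "$a" | tr '[:upper:]' '[:lower:]'
}

# belongs_to HOST DOMAIN -> 0 if HOST is DOMAIN or a subdomain of it.
# A plain substring test would accept "paypal.com.verify.example".
belongs_to() {
    case $1 in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# phish_signals BRAND_DOMAIN FROM_HEADER URL...
# Prints one line per mismatch; returns 1 if anything was flagged.
# A matching From proves nothing by itself (the header is sender-controlled);
# a mismatch is the useful signal.
phish_signals() {
    brand=$1
    from=$2
    shift 2
    flagged=0
    d=$(addr_domain "$from")
    if ! belongs_to "$d" "$brand"; then
        echo "from-mismatch $d"
        flagged=1
    fi
    for link in "$@"; do
        h=$(url_host "$link")
        if ! belongs_to "$h" "$brand"; then
            echo "link-mismatch $h"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed sample:
#   phish_signals paypal.com '"PayPal" <service@paypal-secure.example>' \
#       'http://www.paypal.com.verify.example/login.php'
```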



Rails Web Services Connectivity Issue

For the past few months I have been working on migrating our customer’s applications to the Amazon cloud. As part of the migration I was making some environmental changes like switching to lightweight web servers. Specifically, for Rails applications I moved them from Lighttpd to mongrel clusters (mongrel_cluster) front-ended by the Nginx web server. One of the applications had a web and a web service component. The web service component is used both by the web application and by desktop client applications on the internet. I wanted the access from the web application to the web services to go through an internal connection rather than the public URL used by the desktop client applications. What I did was configure two virtual hosts in Nginx: one with the subdomain running on port 80, which is used by the client applications on the internet, and the other on localhost and a port (8880). Both of these virtual hosts pass the requests through proxy_pass to the mongrel cluster.

The connection from the client applications to the web service worked fine, but the connection from the web application to the web service failed. Inspecting the log file showed the below error.

streamHandler.rb in `send_post': 301: Moved Permanently (SOAP::HTTPStreamError)

I was originally thinking that this could be a problem with using the web services application behind Nginx and proxying the request. But if that were the case, then even the requests coming from the client applications through the subdomain URL should have failed. So I wanted to dig into this.

Oh by the way before I proceed, the application was on rails 1.1.6, rubygem 0.9.0 and ruby 1.8.5. I know this combination is quite old, but we never got a chance to port the app to newer versions and without code changes it breaks in the newer versions of ruby/rails.

So, I opened irb and tried to use the SOAP libraries directly to make a request to the web services. Here is the code snippet.

irb SOAP error

As you can see in the irb output above, once I create an RPC connection to the web services by providing the WSDL URL, the URL to the web service API is missing the port number! Apparently the service calls are routed to my default redirection configuration in the Nginx server, which points to the web application. Looking at the Nginx web server log confirms that the request is redirected with HTTP 301 status, which is what is thrown up as above.

Honestly I don’t know what the fix would be at a code level, but I did solve this problem by simply changing the virtual host for localhost:8880 to localhost:80. My reasoning here is that, since I have specific server domain configurations listening on port 80, one would not be able to access localhost:80 from the internet.

My question now, and something that I have to dig into, is whether there is a way to tell the SOAP API explicitly to always use the host and port when calling the web services. Please post any comments/answers if you are aware of one. Thanks.

Happy weekend :-)



Network Fallacies

A common failing among new developers (and sometimes even experienced ones) is ignorance of how the developed code will perform in a production environment. There are several architectural as well as implementation-specific parameters that need to be kept in mind while developing an application. What might look like a perfect system while testing on local servers could fail miserably in a production environment. Obviously these are not functional errors but non-functional ones, for example slow response time, bad user experience etc. Many such things could be avoided if some of the non-functional requirements are kept in mind during development as well as testing. One key area that developers often miss is the parameters around the network. On one hand there is ignorance about it; on the other hand there is knowing it wrong, or having misconceptions about the network and its effects. The eight fallacies (mistaken beliefs) about the network are:

  1. Reliable Network - Even though one would be choosing a data center to host the application, it is very important to understand what the data center offers in terms of network reliability and availability. The availability the data center promises becomes your application’s default availability. Hosting the application in a data center doesn’t mean that there will be a reliable network connection 24x7x365.
  2. Zero Latency - Your application’s response time includes the time for information to travel back and forth between the client and the server. There is no teleporting happening. The more information has to travel, the more back-and-forth communication there is, because the entire information doesn’t travel in one packet. So it is important to keep in mind what you send and receive and whether it is optimized.
  3. Infinite Bandwidth - The network bandwidth determines the capacity of a system to transfer information over a network connection. More connections than the bandwidth can support could also lead to slow response and connection timeouts. Just as your intranet environment will not allow you to go beyond a certain number of connections, there is a limit in your production environment. Get to know the bandwidth the data center guarantees for your system and calculate approximately the number of connections the system can handle given that bandwidth.
  4. Secure network - While this can be enabled based on what protocol you use (HTTPS for example), it is not the default. The data center could provide protection over who accesses the servers, but not necessarily for the information carried over the network.
  5. Unchanged topology - Topology is the arrangement of node elements and the links between them. When your application is clustered and/or you share the network with other systems in the data center, understand the topology and how the nodes are connected. Also, for better interconnectivity the topology need not always stay the same.
  6. One administrator - Unless you have set up your own production environment and handle everything yourself, understand that it will not be one administrator managing all your network. There could be many people involved in managing the network and ensuring it is reliable and available. Ensure that there is a good support team that can manage the network in the data center round the clock. If your application has a global presence, then all the more you will need your application available throughout the day.
  7. Zero transport cost - Network utilization is usually not a fixed cost. Your data center puts a restriction on usage for a fixed cost, and usage beyond that is charged. This possibly helps you realize that the bandwidth you originally opted for is no longer enough. Also, your data center gives a little flexibility by not cutting down connections exactly when the connections to your system cross the bandwidth limit.
  8. Homogeneous network - The network may not be dedicated entirely to your application. There could be several other applications or tools consuming it; also think about the interoperability of your application with other systems.

Keeping all of the fallacies above in mind ensures that you plan your network capacity properly for the application and that your application isn’t affected because of it.



McException!

I was trying to find a McDonalds restaurant in India using their restaurant locator link. Once I clicked on the link I got the page below.

McException

Well, things can go wrong; no site is perfect. But dealing with exceptions and errors and displaying a user-friendly message should be taken care of, even though not everything might come out as a requirement. The exception trace in the above page obviously points to a problem connecting to the database. Is it a developer’s fault or a tester’s fault or both? Something for you to ponder about :-)



YSlow - Why Slow?

YSlow is an extension to the Firebug extension for Firefox. As you might be aware, the Firebug extension is a very useful tool for developers to analyze a web page in terms of its different components, structure and construction. YSlow helps one analyze the performance of a website in terms of response times and the different components within a page that make up the overall response time. Web page performance is a combination of implications, starting from the page layout to database queries. YSlow helps in analyzing what is visible to the outside world. YSlow is from Yahoo!, and they have shared their best practices for improving the performance of web sites. A good add-on Firefox extension for developers to keep a tab on performance right from the beginning.



Shell Script to Start and Stop JBoss

I was looking for a script to start and stop the JBoss server in a Linux environment, but didn’t find anything that useful. I did find one for starting and stopping the lighttpd server for our Rails applications and have been using it effectively. Even though I am not a shell script expert, I thought I would modify the script a bit and make use of it for JBoss. The main change that I had to make was to have the script wait until the server starts or stops. To make sure the server has successfully started, I had to tail the log file for one line until the last line contained the text “JBoss (MX MicroKernel) …….. Started”. To make sure the server stopped successfully, I had to ensure the process was terminated completely. If you are in need of such a script, here it is.

Download JBoss start/stop Script

Some items you have to change in the script to work for your environment.

  • PIDFILE - File containing the process id. Change it to a location where you want to have this file.
  • STARTJBOSS - Command to start JBoss. Scan through this command in its entirety and make sure you have added the parameters necessary for your environment, set the minimum and maximum JVM heap, and also the server you want to start. You can get this information from the server log when you run JBoss using the run.sh script. The script assumes you have the Java executable in the path.
  • LOGFILE - The server’s log file. Change it to a location where you want to have this file.

Additionally you might want to change line 32 to the right version of JBoss you are using. Make sure this line reflects exactly what you see at the end of the server log when JBoss completes starting the server. If it doesn’t match, this script will go into an infinite loop.

An additional benefit I got after writing this script was being able to have our automated Ant build scripts deploy the applications on any box using the SSHExec tasks. Really cool and time saving.
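The wait logic described above, written with a timeout so that a marker mismatch ends in an error instead of an infinite loop, and with the PID file contents checked before they reach kill. This is an added example, not the downloadable script from this post; the function names, the "Started in" marker and the timeout values are assumptions.

```shell
#!/bin/sh
# Added example: bounded waits for JBoss start and stop (names are illustrative).
# Keep the PID file in a directory only the service account can write,
# because whatever number it holds is what gets signalled.

# wait_for_marker LOGFILE MARKER TIMEOUT_SECONDS
# Succeeds once the last line of LOGFILE contains MARKER (fixed string);
# fails after TIMEOUT_SECONDS instead of looping forever on a mismatch.
wait_for_marker() {
    wm_log=$1; wm_marker=$2; wm_timeout=$3; wm_waited=0
    while :; do
        if [ -r "$wm_log" ] && tail -n 1 "$wm_log" | grep -qF -- "$wm_marker"; then
            return 0
        fi
        if [ "$wm_waited" -ge "$wm_timeout" ]; then
            return 1
        fi
        sleep 1
        wm_waited=$((wm_waited + 1))
    done
}

# wait_for_exit PID TIMEOUT_SECONDS
# Succeeds once PID can no longer be signalled; fails if it is still there
# after TIMEOUT_SECONDS. (kill -0 also fails when we lack permission.)
wait_for_exit() {
    we_pid=$1; we_timeout=$2; we_waited=0
    while kill -0 "$we_pid" 2>/dev/null; do
        if [ "$we_waited" -ge "$we_timeout" ]; then
            return 1
        fi
        sleep 1
        we_waited=$((we_waited + 1))
    done
    return 0
}

# read_pid PIDFILE
# Prints the PID only if the first line is a plain decimal number.
read_pid() {
    [ -r "$1" ] || return 1
    rp_pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case $rp_pid in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: refuse
    esac
    printf '%s\n' "$rp_pid"
}

# stop_jboss PIDFILE TIMEOUT_SECONDS
# Returns 0 when the process is gone, 1 on timeout, 2 on a bad PID file.
stop_jboss() {
    sj_pid=$(read_pid "$1") || return 2
    kill -TERM "$sj_pid" 2>/dev/null || true   # it may already be gone
    wait_for_exit "$sj_pid" "$2" || return 1
    rm -f "$1"
}

# Usage sketch (the marker and timeouts are assumptions):
#   wait_for_marker "$LOGFILE" "Started in" 300 || echo "start not confirmed" >&2
#   stop_jboss "$PIDFILE" 60 || echo "stop failed or PID file invalid" >&2
```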

Disclaimer - The script herein provided to you is “AS IS” without any warranties of any kind. The script has not been thoroughly tested under all conditions. I, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.



Flex and Ant Build

One of our projects uses Flex 2 for the presentation layer. We were using Flex Builder as the IDE to build the Flex components, packaging them with the rest of the J2EE application as a war and deploying it. As with the rest of our projects, we wanted build automation in place for continuous integration, as well as to save time building and deploying to different environments. We got the Ant scripts ready in no time for the J2EE piece, as it was straightforward and we have done it numerous times. As far as Flex goes, even though Flex Ant tasks are available with documentation, it wasn’t that easy for us to get things built the way Flex Builder would do it. Sure, the Ant tasks built the SWF files, but when we deployed the application on the server we always got the error “RSL Error 1 of 1” and nothing beyond that. Searching for this error turned up different reasons but nothing concrete.

To be more exact, our application consisted of a Flex model folder containing action scripts common across the other Flex modules. So this had to be set up as a runtime shared library (RSL) rather than packaged along with the other modules. Packaging it with the other modules would make it work, but the result becomes bulky and performance degrades because the model classes are loaded for each Flex package. To make it an RSL while building the Flex components, the model has to be referred as RSL using the attribute in the task. We did this but only got the error mentioned above, “RSL Error 1 of 1”. We were clueless at this point and tried out combinations of attributes while compiling using mxmlc.

Our only hope remained in identifying what makes the build done by Flex Builder work, and the difference between the parameters it uses and the ones we use. We knew there was a difference because the size of the SWF generated by a Flex Builder build was very different from the size that came out of our Ant build. Because the build properties are GUI based, how do we find out what configuration Flex Builder uses and how it translates to the appropriate compiler options? After exploring the available compilation parameters of mxmlc, we found that the parameter -dump-config dumps the configuration used into a file. We added this parameter to the compiler parameters in the Flex compiler options, as shown in the screen below.

dump config option

We compared the configuration that Flex Builder used with what we had been using in the mxmlc task, only to find that there wasn’t much difference except for a few of the compile-time properties, which were also present in the flex.config file we were using. The same RSL attribute was present, making the model package a reference. We were back to square one, wondering what the difference could be and what we were missing. After two days of struggle, a careful re-examination of the configuration in Flex Builder for referring to the model package in other packages revealed something. Take a look at the snapshot below.

Flex Build Path - Auto Extract SWF - True

The “Auto extract swf: true” setting was something for which we could not find a translation when using the compc Ant task, and we could not find any mention of it in the Flex Ant tasks documentation. We were able to confirm that something was happening here, again because of the size difference between what Flex Builder generated and what our Ant build generated. There had to be a way to produce the package exploded rather than packaged as one SWF, just like an exploded war file. Fortunately there was an option to do this with the compc task, when the directory attribute is set to true and the output attribute holds a directory value. Once we were able to do this, everything was revealed. Here is a snapshot of the directory structure.

compc output

A look at the files that got generated told us that the SWF that contained the model had the name “library.swf”, and when this directory was packaged and added as an RSL, there was a mismatch in the reference. The Flex runtime binary is looking for MyModel.swf while the only file present is library.swf. That should be the reason for the RSL Error. Also, the size of the package built by Flex Builder was exactly equal to the size of the library.swf file present above. So that answers what the “Auto extract swf: true” configuration does.

So our Ant script was ready. We used one compc task to generate an exploded model directory, then picked the library.swf and copied it to the war as “MyModel.swf”. We used another compc task to generate the packaged model so that we can refer to it only for compilation of the other flex models. Once we did this, everything worked perfectly. So here is the sample Ant code (right click and save as, then open in an editor) that did the trick.

Hope this is useful for someone struggling with a similar situation and saves them the head-cracking time. If someone has found an easier approach to this, please pass it on; we would be happy to learn.



Javascript Event Order

A typical problem that developers face is handling an event of the same type when elements are nested and both of them implement that event. Suppose you have an element (say element 2) inside another element (say element 1). Let’s say both element 1 and element 2 implement the onclick event. When the user clicks on element 2, since it is nested, should the onclick event of element 1 get triggered first and then that of element 2, or vice versa? Since the elements are nested and use the same event, both elements’ event handler methods are called. The question is which one first.

Here is a link to a blog article, “Event Order”, which explains the problem and the solution to it. Thanks to my friend and colleague Narayanan, who sent me this link when we faced the problem of handling such a situation while developing Jiffle.




Creative Commons License  This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.