Side Effects of Rails Security Fix

Posted on April 23, 2011 by Mack Earnhardt

Protection against Cross Site Request Forgery (CSRF) is an important Rails security feature. Triggered by calling the protect_from_forgery method within ApplicationController, this module helps avoid attacks from tricksy web page that generate forged requests to your application. I won’t describe the details here, but the typical vector is an unwitting user who is authenticated to your app, but is currently viewing a malicious page.

For some time, Rails has protected against this sort of attack using a hidden input field named authenticity_token in every form. A form post with an invalid or missing authenticity_token was rejected by raising an ActionController::InvalidAuthenticityToken exception. As part of a security patch released with Rails 3.0.4, the default behavior is now reset_session. The unfortunate side effect of this security patch is to expose applications using the Clearance or Authlogic gems to CSRF attacks.

The logic in the Rails change is valid: If the credentials are destroyed, a tokenless request can do no harm since its authorization is restricted to that of an un-authenticated user. However, the gems I mention store login credentials in dedicated cookies that live outside the Rails session mechanism, and are unaffected by reset_session. Suddenly the tokenless request proceeds with the user authentication intact, with potentially harmful results. I’m not casting blame for any coding choices here; it’s simply a coordination problem.

The Rails change creates the new controller method:

def handle_unverified_request
  reset_session
end

If your authentication credentials don’t live in the Rails session, the simplest fix is to override this method in ApplicationController. There are several options:

Raise the exception used as Rails < 3.0.4. Note this exception may be removed at some future time.

def handle_unverified_request
  raise ActionController::InvalidAuthenticityToken
end

Or block the effects of your authentication cookie.

def handle_unverified_request
  super
  self.current_user = nil
  cookies.delete(:your_custom_cookie)
end

Fortunately the Clearance gem has already been updated to use the latter option. Projects using Rails >= 3.0.4 should update to Clearance 0.10.5 or later immediately.

The Authlogic gem was last updated in August 2010, so I recommend overriding handle_unverified_request similar to one of the examples above.

Update: Jason Weathered has a good writeup on this issue as well.

Posted in Ruby on Rails | Tagged , , , | Leave a comment

When Cloud Computing Rains it Pours

Posted on April 21, 2011 by Mack Earnhardt

As I write this Amazon Web Services (AWS) is working to resolve a major disruption in their Virginia data center that began about 12 hours ago. Many many web companies rely on this data center for signification portions of their infrastructure, so the fallout is widespread. In fact, the most notable point is the lengthy list of companies who rely on AWS. Already some tech analysts are painting the outage as a cautionary tale on the reliability of cloud computing, and as AWS is a cloud computing poster child their criticism is worth considering.

Bear with me while I relate a story. And I promise this is the short version…

In 1995 I was responsible for a server in my employer’s satellite office in Silicon Valley. Our disaster recovery plan wasn’t sophisticated. It consisted solely of nightly tape backup and a safe. One Monday morning I received a phone call from a co-worker having trouble accessing the server. After ruling out a few simple things I asked him to check the server itself for errors on the screen. When he entered the server room the problem was obvious. The server simply wasn’t there! It had been stolen over the weekend.

I left HQ with an airline reservation and a purchase order. On arrival in San Jose I visited a computer store and purchased the components to build a server. Assembly and operating system installation took until 3am or so, after which I slept for a few hours before the next stage. Only those who’ve done bare metal recovery from a Tower of Hanoi rotation backup can truly appreciate what came next. Let’s just say getting the data back took about 14 hours (8am-6pm). I caught an evening flight home, and was very pleased with myself.

Fast forward to today. Several of our software clients are experiencing system outages, but I predict in a few more hours the problem will be entirely resolved with no loss of data or additional expense. The typical small or medium business NOT using cloud computing would risk data loss and added expense is a certainty. The soundbites from analysts are mid-directed, or at least mis-understood. Any deployment plan must balance the cost of downtime vs the cost of preventing downtime, and any cost-conscious solution has a potential for downtime. This is complex and situational, and one size does NOT fit all.

For many businesses, cloud computing options are less expensive and more reliable than any other possibility. Although our clients are suffering, the alternatives are worse. And I’m at my desk writing a blog post instead of scrambling for components and wondering if last night’s backup finished. All I can think as I watch is how much better we have it today than in 1995. And thank heavens the thief didn’t take the safe!

Update 4/24: After 3 days of significant disruption, nearly everything is back online now, including all my clients’ apps. The postmortem is just beginning, but seems clear that Amazon made a serious error. The outage should have been contained to a smaller part on their infrastructure, i.e. a single Availability Zone. The cascade failure into multiple AZs extended both the breadth and length of the outage.

However I stand behind my original conclusion. The timeframe was longer than I supposed, but my clients recovered without data loss or additional expense. Moreover, I’ve witnessed incidents far worse than Amazon’s or the story I relate above, and I can say with confidence that even in the presence of experienced staff with large budgets things still sometimes go horribly wrong. Cloud computing remains the least risk for most budgets.

Posted in Cloud Computing | Tagged , , | Leave a comment

Manual Labor

Posted on January 17, 2011 by Mack Earnhardt

It’s tough to let go of the idea that the ‘human touch’ is best. Human interaction is literally what drives us, but this doesn’t mean that human involvement improves every situation. Sometimes you have a gut feel that a person can perform a task ‘better’ than an automated tool. You may be right, but here are the key considerations:

Can you afford to wait?

Manual steps inevitably take longer to accomplish, because like money a web tool never sleeps. Is the task time sensitive? Are you keeping a client or prospect waiting? The trade-off between instant cold logic and slow human warmth merits consideration any time you’re considering a deliberate manual step. When in doubt repeat this mantra: Speed Wins. Speed Wins. Speed Wins.

Does the manual step have a clear purpose?

When you’re automating a process and deliberately include a manual step, it’s possible you’re creating a new problem. If the task is tedious and doesn’t have a clear relationship to a larger goal, it’s unlikely to be embraced by your staff. Are you able as a manager to clearly communicate the value and/or necessity of the step? If not perhaps the task should be eliminated or redesigned. Include your staff in brainstorming options. They’ll find a better way or become invested in the existing process.

How do you know it’s working?

This is related to time sensitivity, but is subtly different. What happens if the task is ignored? When manual tasks have a physical component such as stocking shelves or printing business cards it’s readily apparent when your staff falls behind. Tasks driven by a an electronic list are less obvious. Keeping on track requires dedication from your staff and a mechanism in place to alert you to any backlog. If the task isn’t important enough to monitor — at the risk of  repeating myself — perhaps it should be eliminated or redesigned. Unlike the cobblers workshop, magic dwarfs will NOT appear during the night to fix the problem.

Does the human touch build or destroy?

Every touch is part of a conversation. Every touch has several possible outcomes. If the least path of resistance leads to a bad outcome — say it with me — perhaps the task should be eliminated or redesigned.

Consider an example of Bad Touch: I know a company that runs a high volume email list. The content can be tailored to a recipient’s needs IF the recipient calls, but the only option given in the email is a global unsubscribe. Their reasoning is to get an extra chance to speak with the recipient, BUT… Some folks will live with a high volume list and just hit delete, but many don’t read the contents first. Some will be annoyed and unsubscribe. The ones who call are angry; they haven’t been invited to call for customization and have no way to know it’s an option.

Automated touches should be carefully evaluated, and good outcomes need to be easy and natural. Conversations that required switching communication media in order to reach the desired result are neither easy nor natural. So if you start a conversation electronically, there’s often value in keeping it there.

Finally

Often automation is seen as a magic wand. Not so. Usually the new possibilities created by web tools are accompanied by new roles and tasks for your staff. Decisions on which tasks should remain in human hands and which should be fully automated have consequences. Ignore these consequences at your peril.

Posted in Process Improvement | Leave a comment

And the Winner is…

Posted on January 11, 2011 by Mack Earnhardt

We’re more pleased than we can say to win a prize in the Marketing Tech Blog’s 2,500th Post Celebration. We won an SEOmoz Pro account! This is perfect timing since we just launched our white label spam filter service cleverly named ARsmtp. The site is clearly a poster child for marketing run by propeller heads, and we’re only a little ashamed to say we couldn’t find our SEO with both hands.

We’ve been generously offered some help in learning how the drive the new toy, so it’s a very cool learning opportunity with nowhere to go but up.

Posted in Random Thoughts | Leave a comment

Spinach in my Teeth

Posted on July 14, 2010 by Mack Earnhardt

Every day we interact with friends, business partners, clients, prospects… You get the idea. Many of those folks politely hear whatever we have to say. If we’re lucky they’re not just hearing but listening. If we have a real relationship we may reach one rung higher. Criticism.

Adviser, sounding board, or devil’s advocate. Call them what you will, but you need at least a few people around you who don’t hesitate to give their honest opinion of both your current strategy and your execution. These are the folks who point out the downside, the flaws, or in extreme cases the cranial rectal inversion. They’re the mirrors you check before you leave the house. In other words, “Excuse me, you have spinach in your teeth.”

Some of your advisers won’t offer their opinions unasked. That’s fine, but be sure to ask. Others will communicate in embarrassingly public ways! Get over yourself, and learn to love them for it.

The nature of the flaws they see depends on their point of view. If you’ve sought my advice there’s probably a technology angle. If you seek out Lorraine Ball, you probably have marketing on the mind. Chris Reed runs a home repair business, but is almost more visible as a networking coach! And Tim Dugger knows more about helping job seekers that I ever care to.

I could go on, but you get the idea. I exchange opinions, help, and advice with all three of these folks on a regular basis. And we each speak and contribute based on our experiences in business and in life.

Now go out and find a mirror!

P.S. Lorraine, that thing I emailed you about? Looks much better now!

Posted in Process Improvement | 1 Comment

Nikki in my Pocket

Posted on December 16, 2009 by Mack Earnhardt

“Is that a rabbit in your pocket, or are you just happy to see me?”

Who Framed Roger Rabbit (1988)

We’ve come a long way, baby, since the days of boring old cell phones and television. It’s amazing how in just a few short decades, today’s technology has become so advanced that we are able to connect with LIVE video streaming anytime we need to. Right now, we literally have everything we need to run and operate a business in the palm of our hands. Since the first video phone in 2003, there are currently over 1.1 million users of video phones. Essentially, who needs paper anymore? The age of digital marketing is upon us.

As a matter of fact, I have everything in my pocket…all the time. The use of Web 2.0 and use of video on phones are prime examples of how technology has transformed lives, impacted all types of organizations and businesses, and is continuing to be one of the fastest growing marketing platforms in history.

It occurs to me that the written word doesn’t quite cover today’s topic, so here’s my take:

Posted in Random Thoughts | Leave a comment

Cycle of Buzzword Oblivion

Posted on November 30, 2009 by Mack Earnhardt

“To-morrow, and to-morrow, and to-morrow,
Creeps in this petty pace from day to day
To the last syllable of recorded time,
And all our yesterdays have lighted fools
The way to dusty death. Out, out, brief candle!
Life’s but a walking shadow, a poor player
That struts and frets his hour upon the stage
And then is heard no more: it is a tale
Told by an idiot, full of sound and fury,
Signifying nothing.”

Macbeth, Act 5, Scene 5

Within the sound and fury of business communication, there’s a particular sort of mystification caused by the use and abuse of buzzwords. Whether you’re selling technical solutions, or something seemingly mundane, it’s easy to get caught up in the buzzwords that catch our ears at any given moment. There is a certain “buzzwords cycle” that occurs.

I’m labeling this the Cycle of Buzzword Oblivion:

  • A new concept, business model, creation, notion, etc. takes form.
  • Someone, maybe you, labels it with a snazzy phrase.
  • If it’s catchy and timely, others begin to use it and it generates ‘Buzz’.
  • As other players in your space claim their product or service has “It”, the meaning of “It” begins to morph.
  • If enough different sorts or players claim to have “It”, the original meaning can be obfuscated to the point of oblivion. 

The question I pose to you is does your use of buzzwords actually hurt your message and leave your prospects in a fog? For example, “Cloud Computing”. I’m beginning to hate this nebulous phrase, because it obscures some very important details. If you’re speaking to a salesman and they’re touting Cloud Computing, there’s a good chance they’re blowing sunshine up your bum. It’s no longer USEFUL information. The term Cloud Computing has been bastardized to the point that some folks even use it to sell internal systems. (Keeping in mind the Cloud was presumed to be somewhere on the Internet physically separate from your business.)

How often do your marketing materials and proposals describe the effects of your product or service on the prospects business, rather than use buzzwords to fill up space or pass a litmus test. When buzzwords are abused in business, it causes prospect confusion and tempts the decision maker to play “Buzzword Bingo” instead of measuring each option against a list of goals.

For example, why might you need a “Cloud Computing” solution?

  • Are you looking for global access from any browser? Then say so.
  • Would you like to avoid an up-front investment in server hardware? Cloud Computing isn’t the only way to go, but in most CC solutions someone else owns the hardware.
  • Do you need Virtualization of your servers?

The last option is a trick question and here’s why: If you’re outsourcing server management, virtualization may come into play. However, your evaluation should be focused on items that impact your business, such as cost and level of service. Virtualization is gee whiz cool, but in most cases it should only be considered based on how it affects the real criteria.

Ultimately, your conversations with either vendors or clients must communicate needs, cost, and value. Make sure you’re using words that explain rather than confuse. Otherwise, you’ve allowed yourself and your prospect and clients to play in the “Cycle of Buzzword Oblivion,” and no one has been done any favors.

To speak to software developers who speak business instead of buzzwords, give us a call.

Posted in Random Thoughts | Leave a comment

Making Time For Squirrel

Posted on November 10, 2009 by Mack Earnhardt

squirrelI know it’s not just me. I know there are plenty of folks out there who are easily distracted. One moment you’re focused on a task, then all of the sudden, “SQUIRREL!” If you’ve seen the Disney film, Up, you know exactly what I’m referring to.  There are many great lessons in this movie, however seeing squirrel is one aspect of the film that rings true with me on a daily basis.  The dog in the film is able to talk due to a device on his collar that a mad genius invented and placed on him. No matter what the dog is doing, no matter how important the task, anytime a he sees a squirrel, he hollers “SQUIRREL!” and his focus shifts completely.  Now, this is funny, but the point here, is that he is easily distracted. 

How many of us have daily ‘squirrels’ or daily distractions that keep us from any given task at hand? I mean, a squirrel could be an email, a text, an employee, a woman, ANYTHING that we see out of the corner of our eye that easily gets to us…good or bad.  I’m not saying that all squirrels are bad.  Some squirrels give us inspiration. We need the squirrels in our life, but we have to keep them in check. Ultimately, we don’t want the squirrels to cause dis-coordination, because dis-coordination can wreak havoc on the goals we set out to accomplish.

So, what if squirrels are not the issue? What if you deal with folks who thrive on tunnel vision, the extreme opposite? The place where they are so entirely closed off, almost too focused on the task at hand to really hear any outside input. People who are prone to this end of the spectrum can easily miss out on an opportunity to learn and grow that could actually help IMPROVE the task. I know I have dealt with people like this. They can be very frustrating to talk to. Perhaps they even ignore you altogether. Are there people like this in your life?

What I have found over the years, even in dealing with all my distractions, is there is a fine line to draw between chasing squirrels and developing tunnel vision. Seeing squirrels can create value. Recognition of the right squirrel at the right time is the key.

Posted in Process Improvement | Leave a comment

Counting Twitter Followers is Pointless

Posted on October 9, 2009 by Mack Earnhardt

What do you value?

Are you part of the Social Media phenomenon that is Twitter? If you are, then you’re sure to have others ‘following’ you. Hanging on you every word. And of course the more followers you have, the more important you must be. Size matters and all that.

But what does follower count really measure? Is it feedback on your content, or feedback on your efforts to build follower count? Here’s a method to build a ‘following,’ as described by a friend of mine:

When someone you’re following mentions someone, follow that person. Check back in a few days, and un-follow the ones that didn’t follow you back.

So what’s does he value? Follower count. He doesn’t care what the other person had to say; only that he was followed back. His followers provide an audience to promote his business, or so the logic goes. NOT LIKELY. That method may build followers, but it doesn’t build LISTENERS.

You can’t lead a horse to water (any more)

News flash: You can’t make people listen to you. We use DVR to skip commercials. We pitch junk mail without opening it. We filter email spam. And most of all, WE FILTER SOCIAL MEDIA. If you don’t understand, you’ll naively build a follower count that’s a hollow shell of people who mainly ignore you.

To illustrate, here are some stats on 4 people I know in real life who are on Twitter. Two of them are very engaged and are often spoken to, about, and re-tweeted (quoted), one is me, and the other? Well anyway here’s the data:

Twitter Name Followers TweetMentions
(1 week)		 Ratio
@kyleplacy 5,146 253 1/20
@roundpeg 2,408 102 1/24
@MacksMind (me) 679 38 1/18
mercifully anonymous 30,332 5 1/6,066

Now the TweetMention count doesn’t include every single mention in the last week, but at 17k tracked users and growing, it’s a large sample. Do you see a problem here?

Listen, Learn, Engage

I admit I like it when I’m followed. But who I follow is more important. I seek people who have something to contribute, and the best indicator I’ve found is: Who are my friend already engaging? That is who are they talking to, who are they talking about, and who are they re-tweeting. The mentions tell me far more than follower count. It’s the ultimate feedback on content, and yes content is still king.

I wanted an easy way to visualize who my friends are mentioning, and that led me to create TweetMention. It shows me the Top 50 Twitter accounts that my friends are mentioning, but I don’t follow. Those are the folks I’m most likely to find interesting and follow. And learn from. And talk to. And it will only become more useful as I create new and different ways to visualize the information I’m collecting.

Posted in Random Thoughts | Tagged , , | 3 Comments

How Cindy Lou Foiled the Grinch

Posted on September 16, 2009 by Mack Earnhardt

Vacation homes let us escape for a bit,
But the Grinch is so jealous, he just has a fit.

So while Willy was working and his back was turned,
The Grinch took some things that he hadn’t earned.

Candles from mantles, and runners from halls,
Food from the freezer, and artwork from walls.

When Willy next came, he received quite a shock.
His stuff was all gone, and his door wasn’t locked!

Help! Help! I’ve been robbed, cried Willy to all.
He called the police, because that’s who you call.

The detective that came was as sharp as they come.
He looked for the crook, but he didn’t find none.

His report was quite clear, and it made Willy gurgle.
“Why you haven’t been robbed! What you’ve been is burgled!”

With that fact established, Willy knew what to do.
“I know what I’ll do. I’ll call Cindy Lou!”

Now you might be thinking, who’s Cindy Lou?
Why it’s Cindy Lou Hartman, silly goose, that’s who!

Cindy Lou came to Willy’s before all this gruff,
And pictured, and noted, and listed his stuff.

She bound it all up in a binder quite clearly,
And made several copies, and cared for them dearly.

Cindy Lou said to Willy, “Willy, just rest your head.”
Replied Willy, “I’d love to, but the jerk took the bed!”

Cindy Lou brought her binders, and lists, and still views,
out of safe-keeping quite quickly for Willy to use.

Willy’s adjuster was surprised, and exclaimed in amazement,
“These records are so thorough, it doubles the payment!”

On the matter of timing, they weren’t even iffy.
“Mr. Willy, we’ll have you a check in a jiffy!”

Remember a Grinch heart is two sizes too small.
He saw Willy’s things and he wanted them all.

But Willy just has a little shopping do to.
Thanks to Cindy Lou, Cindy Lou Hartman, that’s who!

Posted in Random Thoughts | 4 Comments