Friday, July 17, 2015

Regex for example.com (not www.example.com)

I had a failing test that indicated that I had some sample code in my source.

So, I needed a nifty regex to find it.

Failing Test

A test failed with the following message:


Authenticate User and get his Role
cookies: [ 'name=undefined; Domain=.example.com; Path=/admin; Secure',
  'session=7bi4j6U2VYleeAC_kLseiA.IBKutIFH6iuag66-hrWwyVf175J6NaJICEkgMLC1gl9OrWpvpNTpv-SQ3QJCJe_VfB4MBwjIkpwNgwEM8R99qp6qNm0CXYqbdjaq6_R7PB-O2Vm-cFavjZEohzkNVVnYjlu3BDWFU17y4ENZaMNADXiZ150Pf_nGvdoVZmNFiZh2ysiIk0eRmSOiLEJtkWyj84btuBew0ylUKLn0ywRlnFBllKm4X8_GrCaWxRCFG6iS9T76r_X9PDb9BQKC6eZB2hQRKsykidJ3OY-G5PC_GJwS_LGlgYwP25-0BP8V1524LCvEZ3w5qZBX2kmCxrpwVA4ycls1F4fz3XSDLCyOnxO9rYpP2JYwjfYhkgV71-JNBogeVdVDL_JqWDTjZJZLDPrOp4ZmESrh6kI3n_f6zuxaWvuYK-c31_icvWm_g1eXmpKo4CVB0-Vv6EYuDuh5tS9y4yybr9mMrnZaSwHpyTp6YBsd9i0H6cyHZ7YiyIQCVa30We0iTa335arKG2zG.1437151277357.3600000.UePJmiwfcRyceI0eQ32BbXyekHbzvQ1tk5tP2_8O7T8; path=/; expires=Fri, 17 Jul 2015 17:41:18 GMT; httponly' ]


Searching for ".example.com"

Searching for ".example.com" yielded too many results because there were a lot of "www.example.com" strings found.

Magic Regex

This regular expression did the trick:

^(?=.*example.com)(?!.*www).*


It says, "Give me every line that contains 'example.com' but does not also contain 'www'."
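The pattern above applied to constructed sample lines, as an added example that is not from the original post, with a stricter variant beside it. Note that the post's pattern leaves its dots unescaped, so `example.com` also matches any single character between `example` and `com`, and the `www` lookahead rejects any line containing those three letters anywhere; the stricter variant (an assumption for illustration, as are the sample lines and function name) escapes the dots and rejects only lines that contain `www.example.com`.

```javascript
// Added example (not from the original post): the lookahead regex from the
// post run over constructed sample lines, beside a stricter variant.

// The pattern exactly as given in the post (dots unescaped).
const POST_REGEX = /^(?=.*example.com)(?!.*www).*/;

// Stricter variant (assumption for illustration): literal dots, and reject
// only lines that contain the host "www.example.com".
const STRICT_REGEX = /^(?=.*example\.com)(?!.*www\.example\.com).*/;

// Constructed sample lines resembling source code and test output.
const SAMPLE_LINES = [
  "cookies: [ 'name=undefined; Domain=.example.com; Path=/admin; Secure',",
  "const base = 'https://www.example.com/api';",
  "const mail = 'admin@example.com';",
  "const host = 'exampleXcom';",                 // matched only by the unescaped dot
  "const other = 'www.test.org' + '.example.com';", // has "www" but not www.example.com
];

// Return the lines that match the given pattern (no global flag, so
// regex.test() has no lastIndex state to worry about).
function findMatches(lines, regex) {
  return lines.filter((line) => regex.test(line));
}

// Convenience wrappers so the two patterns can be compared side by side.
function postMatches() {
  return findMatches(SAMPLE_LINES, POST_REGEX);
}

function strictMatches() {
  return findMatches(SAMPLE_LINES, STRICT_REGEX);
}

console.log("post pattern:", postMatches());
console.log("strict pattern:", strictMatches());
```

Both patterns return three of the five lines, but not the same three: the post's pattern picks up the `exampleXcom` line and drops the line that merely mentions `www.test.org`, while the stricter one does the opposite.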



This work is licensed under the Creative Commons Attribution 3.0 Unported License.

Wednesday, July 15, 2015

The Philosophy of Success at Work

Quotes

Here are some related quotes from some notable people:


“To be is to do.” — Socrates
“To do is to be.” — Jean-Paul Sartre

“The way to be is to do.” — Dale Carnegie
“The way to do is to be.” — Lao-tzu, Chinese philosopher

“We act as though comfort and luxury were the chief requirements of life. All that we need to make us happy is something to be enthusiastic about.” — Albert Einstein

“Success consists of going from failure to failure without loss of enthusiasm.” — Winston Churchill

“Nothing great was ever achieved without enthusiasm.” — Ralph Waldo Emerson



I think they are all correct.

Reflection

You need to be in at least two of the circles above to stay employed.

You need to be in all three of the circles to thrive at work.

At the heart of success in your endeavors is your enthusiasm.

So, find what you truly enjoy doing, deliver good work and be nice and you will be successful at it.




Wednesday, July 8, 2015

Upgrade Node.js to Avoid DoS Attack

TL;DR

If you are running Node.js v0.11.0 to v0.12.5 then you need to upgrade to v0.12.6 ASAP.



That's typically what happens with buffer exploits.

The Exploit

A bug in the way the V8 engine decodes UTF strings has been discovered. This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of Buffer to UTF8 String conversion.

Buffers

Here's some background information on how buffers work in NodeJS.

Buffers are instances of the Buffer class in node, which is designed to handle raw binary data. Each buffer corresponds to some raw memory allocated outside V8. Buffers act somewhat like arrays of integers, but aren’t resizable and have a whole bunch of methods specifically for binary data. In addition, the “integers” in a buffer each represent a byte and so are limited to values from 0 to 255 (2^8 – 1), inclusive.

There are a few ways to create new buffers:


var buffer = new Buffer(8);


This buffer is uninitialized and contains 8 bytes.


var buffer = new Buffer([ 8, 6, 7, 5, 3, 0, 9]);


This initializes the buffer to the contents of this array. Keep in mind that the contents of the array are integers representing bytes.


var buffer = new Buffer("I'm a string!", "utf-8")

Writing to Buffers

Given that there is already a buffer created:


var buffer = new Buffer(16);


We can start writing strings to it:


buffer.write("Hello", "utf-8")


The first argument to buffer.write is the string to write to the buffer, and the second argument is the string encoding. It happens to default to utf-8 so this argument is extraneous.

buffer.write returned 5. This means that we wrote to five bytes of the buffer. The fact that the string “Hello” is also 5 characters long is coincidental, since each character just happened to be 8 bits apiece. This is useful if you want to complete the message:


buffer.write(" world!", 5, "utf-8")


When buffer.write has 3 arguments, the second argument indicates an offset, or the index of the buffer to start writing at.

Reading from Buffers

Probably the most common way to read buffers is to use the toString method, since many buffers contain text:


buffer.toString('utf-8')
'Hello world!\u0000�kt'


Again, the first argument is the encoding. In this case, it can be seen that not the entire buffer was used! Luckily, because we know how many bytes we’ve written to the buffer, we can simply add more arguments to “stringify” the slice that’s actually interesting:


buffer.toString("utf-8", 0, 12)
'Hello world!'
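The write-with-offset and toString-slice steps above, collected into one runnable example that is added here and is not from the original post or the jsdevs article it quotes. It uses Buffer.alloc and Buffer.from, which replace the deprecated new Buffer(...) constructor, and adds two checks a practitioner wants when a buffer carries data that arrived from outside the application: the byte length of a string is not its character count, and a round-trip test that flags bytes which are not valid UTF-8 (decoding them yields U+FFFD replacement characters). The function names and sample inputs are assumptions for illustration.

```javascript
// Added example (not from the original post): the buffer write/read steps
// with the non-deprecated API, plus two checks for data of external origin.

// Write "Hello", then " world!" at an offset, and read back the used slice.
function buildGreeting() {
  const buffer = Buffer.alloc(16);                        // zero-filled 16 bytes
  const first = buffer.write("Hello", "utf-8");           // returns bytes written (5)
  const second = buffer.write(" world!", first, "utf-8"); // offset 5, writes 7 bytes
  return {
    bytesWritten: first + second,                          // 12
    full: buffer.toString("utf-8"),                        // includes 4 trailing NULs
    trimmed: buffer.toString("utf-8", 0, first + second),  // "Hello world!"
  };
}

// Bytes and characters diverge as soon as non-ASCII text appears.
function byteVersusCharCount(str) {
  return { chars: str.length, bytes: Buffer.byteLength(str, "utf-8") };
}

// Simple validity check (an assumption for illustration, not a Node API):
// well-formed UTF-8 survives a decode/re-encode round trip byte for byte,
// while malformed sequences decode to U+FFFD and so re-encode differently.
function looksLikeValidUtf8(buf) {
  return Buffer.from(buf.toString("utf-8"), "utf-8").equals(buf);
}

// Constructed inputs: well-formed text, and bytes that are not UTF-8.
const VALID_INPUT = Buffer.from("héllo wörld", "utf-8");
const INVALID_INPUT = Buffer.from([0x48, 0x69, 0xff, 0xfe]);

console.log(buildGreeting());
console.log(byteVersusCharCount("héllo"));
console.log(looksLikeValidUtf8(VALID_INPUT), looksLikeValidUtf8(INVALID_INPUT));
```

The round-trip check is a cheap way to reject malformed input at the boundary before it reaches code that assumes text; it does not replace the upgrade the post recommends, because the crash described above happens inside the conversion itself.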

Using Buffers in the Browser

The Buffer exploit mainly affects backend servers running NodeJS (or old versions of IO.JS), but the use of Buffers is not limited to the backend.

You can also work with buffers in the browser by using: https://github.com/toots/buffer-browserify.

However, its performance is poor, mainly due to Buffer design decisions.

Equivalent functionality, with better performance metrics, in the browser is provided by TypedArrays or https://github.com/chrisdickinson/bops.

bops

bops presents a JavaScript API for working with binary data that will work exactly the same in supported browsers and in node. Due to the way that Buffer is implemented in node it is impossible to take code written against the Buffer API and make it work on top of binary data structures (Array Buffers and Typed Arrays) in the browser.

Instead, you have to fake the API on top of Object, but Object isn't designed for holding raw binary data and will be really slow/memory inefficient for many common binary use cases (parsing files, writing files, etc).

Upgrade NodeJS

If your target operating system is OSX, then you probably have 3 main packages to consider:
  • NodeJS
  • NPM
... and probably these as well:
  • Homebrew
  • NVM

If you're a Homebrew user and you installed node via Homebrew, there are issues with the way Homebrew and NPM work together, stemming from the fact that both Homebrew and NPM are package management solutions; that is a major philosophical conflict, not just a technical one.

There are many ways to install these packages.

Read this article for my suggested solution (that does not require you to use sudo permissions): Cleanly Install NVM, NodeJS and NPM.

References

http://lexsheehan.blogspot.com/2015/04/cleanly-install-nvm-node-and-npm.html
http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
http://blog.nodejs.org/vulnerability/
https://github.com/toots/buffer-browserify
https://github.com/chrisdickinson/bops
http://www.read.seas.harvard.edu/~kohler/class/05f-osp/notes/lec19.html
http://jsdevs.com/how-to-use-buffers-in-node-js/


Tuesday, May 19, 2015

Microsoft IE8 End Of Life

Microsoft recommends customers plan to migrate to one of the above supported operating systems and browser combinations by January 12, 2016.



IE8 Issues

HTML5 CSS3 Incompatibilities

Remember having to insert the following into your head tag to help fix the lack of support IE8 has for HTML5 tags and CSS3 properties? (or using Modernizr)


<!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
      <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->

Missing functions

Remember having to use es5-shim because IE8 did not implement lastIndexOf, map, filter, every, forEach, etc. functions?

Security Vulnerabilities

Did you know that IE8 has over 500 known security vulnerabilities? (that will never get fixed)

IE8's continued reliance on ActiveX makes it vulnerable to the core.

Unforgiving Parser

Back in the days of IE5, IE was very forgiving when it came to HTML syntax.

IE8 is unforgiving in regards to HTML syntax and javascript.

I'm not saying that I approve of a lax enforcement of standards, but I do recall how quickly a web developer could crank out a web application when the user base was all IE users. Not so for IE8.

In many cases, IE8 would make your site break, even if it were coded perfectly.

Goodbye, IE8. (and good riddance!)

p.s. Unbelievably, IE8 was actually somewhat better than IE7.

References

https://github.com/es-shims/es5-shim
https://support.microsoft.com/en-us/gp/microsoft-internet-explorer
http://www.zdnet.com/article/australian-retailer-charges-customers-ie-7-tax/


Wednesday, May 6, 2015

We're doing emergency maintenance to recover the site (github.com)

How many companies depend on github.com?

What is your mitigation strategy when things go wrong?

Today, github had a major outage.

Granted, github was only down for under 30 minutes, but that can still wreak havoc for scripts that depend on github and don't have 30 minute+ retries built in.

Between approx. 7:40 a.m. and 7:54 a.m. EST, if you were to try to reach any resource with github.com in the URL this is what you'd see:



GitHub Status
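One way to build the kind of retry the post calls for into a script, as an added example that is not from the original post. The fetch function and the sleep are injected so the example runs offline against a constructed outage (three 503 responses, then a 200); fetchWithRetry, makeFlakyFetch and the other names are assumptions for illustration.

```javascript
// Added example (not from the original post): retry with exponential backoff,
// capped at 30 minutes, for a script that depends on a remote host.

async function fetchWithRetry(doFetch, options) {
  const {
    maxAttempts = 5,
    baseDelayMs = 1000,
    maxDelayMs = 30 * 60 * 1000, // never wait longer than 30 minutes between tries
    sleep,                       // injected so tests do not actually wait
  } = options;
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const response = await doFetch();
      // 5xx means the server side is unwell: treat as transient and retry.
      // 4xx is handed back unchanged; retrying a bad request will not help.
      if (response.status >= 500) {
        throw new Error(`HTTP ${response.status}`);
      }
      return { response, attempts: attempt };
    } catch (err) {
      lastError = err;
      if (attempt === maxAttempts) break;
      const delay = Math.min(baseDelayMs * 2 ** (attempt - 1), maxDelayMs);
      await sleep(delay);
    }
  }
  throw lastError;
}

// Constructed outage: the first `failures` calls return 503, then 200.
function makeFlakyFetch(failures) {
  let calls = 0;
  return async () => {
    calls += 1;
    return calls <= failures ? { status: 503 } : { status: 200, body: "ok" };
  };
}

// Recording clock: collect requested delays instead of waiting for them.
function makeRecordingSleep() {
  const delays = [];
  return { delays, sleep: async (ms) => { delays.push(ms); } };
}

// Outage shorter than the retry budget: the fourth attempt succeeds.
async function demo() {
  const clock = makeRecordingSleep();
  const result = await fetchWithRetry(makeFlakyFetch(3),
    { maxAttempts: 5, baseDelayMs: 1000, sleep: clock.sleep });
  return { attempts: result.attempts, delays: clock.delays };
}

// Outage longer than the retry budget: the last error is surfaced.
async function demoExhausted() {
  const clock = makeRecordingSleep();
  try {
    await fetchWithRetry(makeFlakyFetch(10),
      { maxAttempts: 3, baseDelayMs: 1000, sleep: clock.sleep });
    return null;
  } catch (err) {
    return { message: err.message, delays: clock.delays };
  }
}

demo().then(console.log);
demoExhausted().then(console.log);
```

In a real script you would pass the actual HTTP call as doFetch and a real timer as sleep; the point of injecting both is that the retry policy can be tested without reproducing an outage.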





References

https://status.github.com/messages
https://twitter.com/githubstatus


Friday, April 17, 2015

Where all Good Software Goes to Die

TL;DR

My local NodeJS build started breaking. It caused me heartache (and is no doubt affecting others). I learned that it was because some employees at Joyent--the company that took ownership of NodeJS--ticked off core NodeJS software engineers; they left to form a new, truly open source software package called IOJS (that's a fork of NodeJS and now is far better than NodeJS).

Where does all good software go to die?

Corporations that put politics, political correctness, and profits ahead of creating great software.

Here are a few examples:
  • Oracle - MySQL
  • Oracle - OpenOffice
  • Joyent - NodeJS

There are no doubt many more, but these are the ones that percolate to the top of my mind.

Decline in Interest in MySQL

Interest peaked before Oracle acquired MySQL:


MySQL was left to the roadside, usually, since it was considered a useless appendage that prevents people from using the Oracle DB software. There were several community blunders (not making source public, not accepting patches, long-standing bugs with existing patches, etc) that forced MySQL guys to move to MariaDB. There was a big renaissance after the move, with many new features added and many bugs fixed. Sort of like the party when the house drops on the witch in the Wizard of Oz.
~ reddit

LibreOffice Forked from OpenOffice

Interest peaked before Oracle acquired OpenOffice:



OpenOffice. Oracle botched this so hard. No patches accepted, no timelines, no community communication. Oracle only paid attention to Fortune 500 contributors. Eventually, OpenOffice heads formed a foundation to start correcting some of these compounded issues. Oracle responded by kicking the members out of the project, telling them they couldn't use the OpenOffice trademark, etc. So all the experts left and formed LibreOffice. Another renaissance was had, and many long-standing issues were fixed. Code was maintained. The LibreOffice guys now regularly publish updates, statistics, reports, etc. It's a great example of how a professional FOSS project should be.
~ reddit

Number of NodeJS Releases

The following chart shows the number of stable NodeJS releases, per year:



The rest of this article will focus on NodeJS.

Implications

The number of stable releases of a software package is a good indication of its health.

It's clear that NodeJS should be in the ER. STAT.

As with other open source projects, a decline in the number of stable releases immediately precedes a major decline in public interest in it.

Common Thread

Mostly poor management decisions caused the best software development talent to leave the project, which directly related to the decline in that software's quality, interest and significance in the industry.

Joyent Calls Prolific NodeJS Contributor an "Asshole"

I'm not making this up. Seriously, I'm not.

Read it for yourself here.

First, it would help to understand how software development works using the Git Workflow that NodeJS was using.

I explained the pertinent part of it in this snippet from this post.
  • Developer creates feature branch, commits file changes and then submits a Pull Request
  • Other developers are notified of Pull Request, perform code review and the last one merges the feature branch to master


  Here's what happened:
  1. A code reviewer noticed that Ben Noordhuis wrote the pronoun, "him", a few times instead of "him/her" or "them", in an inline comment that described part of the NodeJS logic and submitted a Pull Request (PR) to change the pronouns. See patch here.
  2. Ben rejected the PR, providing this comment: "Sorry, not interested in trivial changes like that."
  3. A shit storm of bullying comments ensued from, "...always assumed to be male first on the internet. I'm +1 on this documentation change." to the more direct, "Stop pissing around and merge the damn PR."
  4. Some other contributor undeleted the trivial pronoun-changing PR and force pushed it.
  5. A stream of praise was given to that committer that pushed the PR to replace "him" with "them", e.g., "I believe these kinds of things do make a difference. Same for speakers, presenters, organisers etc. at events making an effort to e.g. switch between gendered pronouns (because yes, for many this is indeed still an effort, and probably even more so for non-native speakers of English, who are often not so aware of the finer points of the language or "accepted" alternative ways to express things). I'm always happy when someone does this!"
  6. Ben left the NodeJS community to help form IO.JS (an improved version of NodeJS) and is back to being highly productive.
  7. Joyent calls Ben an "asshole".


Cyberbullying

Cyberbullying is a global term that means the harassment of someone by use of electronic media, usually but not always social media.

The Thread That Took Down NodeJS

Whoever said NodeJS was fault tolerant was wrong.



Can you find any technical merit in any of the above (un-edited) comments?

Does that sort of dialog belong in a source code repository?

How does any of that help Joyent sell more NodeJS services?

There is a clear lack of vision from the technical management team at Joyent.

Here it is in its entirety: https://github.com/joyent/libuv/pull/1015#issuecomment-29568172

Joyent's behavior (lack of leadership/poor management practices) has replaced NodeJS core contributors with individuals that are obviously more interested in the proper use of pronouns in comments than in improving what matters, the NodeJS software.

Is NodeJS doomed to the same fate as other similar, significant open source software products?

Joyent and the Future of NodeJS


Currently, it's not clear what will become of NodeJS.

NodeJS' corporate owner, Joyent, is apparently still in awe of its "progressive views" as it continues to publish an article that calls one of NodeJS' most talented contributors an "asshole".

Technically minded, merit-based software engineers are going to have a hard time getting behind a company that pushes its social agenda ahead of software development.

The vast majority of NodeJS' core developers left the NodeJS community to form IO.JS.

Joyent is making the appearance of mending fences, but time will tell ...

You can read the active dialog in the Reconciliation Proposal thread.

But the task force may find it difficult to reconcile with reasoning like the following from the IOJS community:

i'd rather not reconcile. the benefits are not substantial, and i'm very happy with how iojs has been run. i don't want iojs to change organizationally in the name of reconciliation. for me, iojs' organization is an ultimatum. i don't really care about naming and recognition. i'd rather just start pushing #!/usr/bin/env iojs and iojs-only (specifically, ES6+) support everywhere.

MIT License

There is a big difference. Node is MIT. And other companies with power and interest in node could simply fork if Joyent were to act foolishly. ~ Tim Caswell

For details, see Joyent & Node

JSDOM

One of the major components in most of my current front-end application architectures is JSDOM.

JSDOM is the first component in my stack to formally declare a divergence from NodeJS.

Here's what it says at the top of their README:

Note that as of our 4.0.0 release, jsdom no longer works with Node.js™, and instead requires io.js. You are still welcome to install a release in the 3.x series if you use Node.js™.


Available ES6 features in IO.JS

The following list of features are available without using any flags:

  • Block scoping (let, const)
  • Collections (Map, WeakMap, Set, WeakSet)
  • Generators
  • Binary and Octal literals
  • Promises
  • New String methods
  • Symbols
  • Template strings


Those ES6 features are very important. I'm sure I'll blog more about them in the future.

When the other NodeJS dependencies (besides JSDOM) support IO.JS I'll jump ship.

Personal Value Driven Decisions

I chose to move from MySQL to PostgreSQL

I chose to drop OpenOffice in favor of LibreOffice

I will very likely drop NodeJS in favor of IO.JS  

The NodeJS Debacle - Lessons Learned for CTOs

Here are some suggestions that, if implemented, could help with some issues of software development, socially aware employees and profitability:
  • Retain your real talent
  • Streamline software development governance
  • Do not allow the political correctness dept, finance dept., etc. to make decisions that impact software quality
  • Keep politics and social agendas out of your Git Workflow
  • Create an internal social media site for your writers and comment editors to discuss their non-technical beliefs
  • Hire a management team that can reconcile all time spent (X) to the question, "Does X help us sell more product?"

When you perceive that one of your software vendors is offering more and more discounts (frequently in the form of a recurring revenue scheme), you should look into the technical viability of the product being pushed.

If there is another open source alternative that has sprung out of the discontent of the lead developers of the software you're considering (or have been sold), beware.


Personal Opinion

I think that Joyent will continue to take the lead in gender-neutral-pronoun political correctness.

NodeJS may have the most politically correct, properly conjugated documentation, but that's not important to me.

What is important is being able to rely on the current and future stability of my software platform.

I bet that the interest curve and hence the viability of NodeJS is going to take a much steeper dive into insignificance than either MySQL or OpenOffice.

I personally applaud Ben for his professionalism and technical and social contributions.

I see the IOJS / NodeJS situation as a David / Goliath story.

It's only a matter of time before Joyent and its flagship product, NodeJS, fall to the feet of IOJS.

Reality and Drama

Money talks.

So, here's what I think is going to happen:
  1. Joyent financial backers will soon understand why their cash cow is dying
  2. Joyent's management team will be replaced
  3. The real talent(s) behind NodeJS (doing IOJS development) will be offered a deal and we may soon see an announcement like, "Joyent's core business (cloud computing) aligns well with a free and open IO.js."
Will the IOJS talent(s) take the hush money and be good boys or retain their dignity?









Automatic Semicolon Insertion in Javascript

You can write (mostly) semi-colon-less Javascript code. See example below.

However, there is a significant performance impact for doing so. See example below.
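An added example, not from the original post, of two places where automatic semicolon insertion changes what semicolon-less code means; the functions are constructed for illustration. A `return` followed by a newline and a line beginning with `(` are the classic cases, and the leading-semicolon form is the usual guard in semicolon-less style.

```javascript
// Added example (not from the original post): two ASI pitfalls and the
// semicolon-less workaround. Written without semicolons on purpose.

// ASI inserts a semicolon after `return` when the next token is on a new
// line, so this returns undefined; the "object literal" below it is parsed
// as an unreached block containing the labelled statement `value: 1`.
function returnOnItsOwnLine() {
  return
  {
    value: 1
  }
}

// Same intent with the brace on the return line: returns the object.
function returnWithBraceOnSameLine() {
  return {
    value: 1
  }
}

// A line beginning with `(` continues the previous statement: `a` is treated
// as a function being called with the IIFE as its argument, so this throws
// a TypeError at runtime, which we catch and report by name.
function callOnNextLine() {
  const a = 1
  try {
    const b = a
    (function () { return 2 })()
    return b
  } catch (err) {
    return err.constructor.name
  }
}

// The usual defence in semicolon-less style: lead the line with `;` so the
// previous statement is terminated explicitly.
function callOnNextLineGuarded() {
  const a = 1
  const b = a
  ;(function () { return 2 })()
  return b
}

console.log(returnOnItsOwnLine(), returnWithBraceOnSameLine(), callOnNextLine(), callOnNextLineGuarded())
```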



ASI performance is abysmal

A bug was created on 2013-01-24 and assigned to nobody. See Bug 107901: ASI performance is abysmal

Summary

IMHO - Perhaps, one day ASI performance will become a priority and the hit won't be significant, but until then keep using semicolons.



