Facebook Security Alert! Random Account Possession

I just got done posting a Facebook message in an account that was not mine. It started with me being logged in with Chrome into my own Facebook account. After a few minutes of casual browsing, “liking,” and following links…I then noticed that my Facebook account was greeting me as somebody else! No, I did not hijack a cookie from a prior user session. The account I suddenly “possessed” was that of one of my Facebook friends living a thousand miles from me and who had never physically touched my computer before. The only feasible explanation is that Facebook session, content data, and state management got into a tangle.

To minimize skepticism of this event, I left a post in the possessed Facebook account.

Over the years I’ve encountered a number gross flaws in any number of commercial web sites. In the even fewer times where I actually took the time to contact the pertinent company, I’ve usually been told “we’re sorry your web access isn’t working.” In other words, they can’t grasp that I’m trying to tell them about a serious defect in their software. But for all that this current experience, and the related gravity, is a first for me. I figure if I write it up in a post, it will help to clarify and prevent the usual “sorry for your broken web access” response.

ASP.NET Debugging: Pick Your IIS Site?

In web-related Visual Studio projects, under the project-properties->web tab there is an option to “Use Local IIS Web server.”  In turn, that option provides a “Create Virtual Directory” button.

Having more than one site configured in my local IIS, the first question I asked when I saw that was “into which IIS web site will it create this virtual directory?”

Since it was painful to figure this out, I’ll share the results in hopes it will help another.  Simply put, Visual Studio will choose the first web site that:

  1. has a binding that matches what Visual Studio has indicated in the “Project Url” entry (e.g. “http://localhost/MyApp”)
  2. is already “started”
  3. has the lowest site ID number.

For example, if three of your five sites have a matching binding, but those three sites are currently in a “stop” state, then the final tie-breaker is the site ID number.  Most of the time, the site that wins this selection process is the IIS “Default Web Site.”

So if you want to pick a different site than what Visual Studio would pick, either (1) adjust the “stop” and “start” states of your sites or (2) in Visual Studio, for the “Project Url” entry, add a port number (e.g. http://localhost:88/MyApp) and be sure there is a corresponding IIS site that listens on that port.

Using either option above, after hitting the “Create Virtual Directory” button in Visual Studio, the site application will then appear where you intend it.  Of course assigning a host name to an IIS site, and using that in Visual Studio’s “Project Url” should also work, but that wasn’t the scenario I was concerned with…

ANTS and Orchard CMS

If you’ve tried profiling Orchard with ANTS, you’ve probably gotten this YSOD message:

Operation could destabilize the runtime

To solve this problem, download the Orchard source and open the Visual Studio solution. In the AssemblyInfo.cs of the Orchard.WarmupStarter project, add this:

It does not matter if this step is taken before or after you “cook the recipe.” But before you start the ANTS profiler, be sure to clean and/or re-build the solution.

I’ve tried this fix successfully with IIS, IIS Express, and with Orchard version 1.4.0, 1.4.1, and 1.5.1. In all cases, I was using SQL Server Express for the database and ANTS Performance Profiler 7.3 Professional.

Of course if ANTS is not your thing, you could try the Eqatec profiler or DotTrace.

A New Adventure in The Great Recession

The Gig is Up!

So far I’ve spent half my career consulting, and half as a permanent employee. As I look back I feel I’ve had greater liberty to make significant contributions as a consultant.

The Great Recession led me into FTE, as I felt a permanent position would provide better security. However, I eventually concluded that consulting remains as durable as ever, and often with less perils of office politics.  So when the right opportunity came along I allowed myself to step back into consulting, despite the continued recession.

So I’ve begun a new adventure. It goes like this: American Express bought a company called Serve Enterprise. Contrary to the Amex IT strategy, Serve is Microsoft stack.  So Amex had Microsoft consulting brought on board to provide guidance. In turn, Microsoft engaged me as a subcontractor.

Thus I’ve joined the Amex/MS platform software architecture group, where I provide guidance on ASP.NET MVC3, WCF, performance engineering and process engineering. I’m travelling 100% between Phoenix, my home, and St. Petersburg Florida (with an occasional trip to Manhatten). I take non-stop flights both ways from Phoenix to Tampa, on Sunday evening and Thursday evening.

The work and the team are fantastic. I couldn’t have hoped for better.

Maximizing Return

In a corp-to-corp engagement like this, it is typical for consultants to add $25/hour to the overall hourly rate to cover the three major expenses of air-fare, lodging, and auto-rental.  Of course it is a shame to see that money spent that way, and I was determined to do something about it.  To put this in rocket-science terms, I keep the expense money I don’t spend.

Part of my adventure has been exploring my cost-savings options.  Other than purchasing air-fare 3 weeks out, there is nothing I can do to reduce that cost.  That leaves lodging and auto-rental.  The hotel used by some of the other consultants is $180/night, and even if they obtain a corporate rate at $120/night for four nights a week, it still means about $2000/month.   Worse than this, I have recently taken on a new self-imposed diet that requires I greatly reduce eating out;  I can’t prepare meals in a hotel room.

My next stop was to consider Extended Stay hotels.  I found the best deal in the St. Petersburg area (Clearwater to be precise).  At $300/week it was at a sweet spot for quality and price.  Unfortunately it is 10 miles from the downtown office where I work, which means I’m footing a $200 to $260 rental car each week.

I then decided to be more creative.  I looked into being a room-mate in a home or condo.  My first stop was roommate.com.  It is a great web site, and I didn’t mind the modest subscription fee.  However, what I foud is that far too few home-owners know about roommate.com.  Rather, craigslist was a firehose of opportunity.  More than half of the offerings included furnishings (bed, dresser, etc.).  In a single evening I located three condo owners all in walking distance to both my work and groceries.  All three had pictures showing a beautiful residence.

This was my ticket.  As a roomie, I’ve reduced my monthly lodging and auto expenses from about $2500/month down to $700/month (plus $60/week for an airport shuttle).

If you are reading this and are thinking of doing the same thing, my advice is to seek a place to be a room-mate after you have already started your new engagement.  This means you should start your engagement living at an Extended Stay hotel.  Assume you will need to stay there for about two weeks.  When you search craigslist for rooming opportunities, hold out for best!  There is no need to stay in a home that feels wrong, or is distant from your work place.  There are fresh postings on craiglist each day; It will take you very little time to find something awesome!  If you do room somewhere that is not in walking distance of work, at least be sure it has walking-access to suitable public transit.

Keeping It Fresh

Life is what happens while you make other plans.  This is one reason I so welcome all this change in my life.  I’m travelling to new places, having new experiences, and meeting new people.  To the reader, my suggestion is not to wait-out the Great Recession.  Make your move now, to live your life now.  You won’t regret it.

New Orchard CMS Screencasts!!!

I’ve finally completed my screen-cast “jump start” demonstration of the Orchard CMS. The four part series can be viewed on youtube:

I made these videos for two reasons. First, it is somewhat a sales-pitch for the work place. You know, try to get your employer hooked! Second, I wanted to give back to the community; I saw a need for a mid-level overview for technical types new to Orchard. After watching these videos, the uninitiated should quickly be able to understand most any subsequent documentation they encounter.

Speaking of which, I want to take this time to indicate what I think are the best pieces of documentation available for Orchard. Obviously the Orchard site official documentation is a primary place to get started. However, for technical types, there are two other sources that I can’t recommend highly enough:

After watching my screencasts, be sure to immerse yourself in the above links. And speaking of my screencasts…

The Good, the Bad, and the Funny.

Funny: Sometime after I made the material for part 1, I noticed that my demo restaurant “Cowboy Ciao,” was misspelled. It is a real restaurant, which I highly recommend, in downtown Scottsdale. But the demo incorrectly captured its name as “Cowbory Ciao.” I keep picturing Jackie Chan helping me with pronunciation. I quietly fixed this typo in the later videos. Adding insult to injury, I stated in the video that it is in downtown Phoenix, rather than Scottsdale. I hope I don’t get sued for being geographically challenged.

Bad: My videos are based on Orchard 1.3.10, and I released them precisely when Orchard 1.4.0 was released. DOH! The good news is that I don’t believe 1.4.0 changed anything about what I had demonstrated in the videos.

Good: Another coincidence. I demonstrated how to use rule-tokens in the context of comments notification, and at the same time Bertrand blogged comment related tokens in greater depth. A nice one-two punch.

Good: While I was making the demo for comment notification rules, I found a bug which the Orchard team dispatched effortlessly. Orchard 1.4.0 was given the fix just before its release date, and I think 1.3.10 may have been given it as well.

Ok, enough talk. Get thee to youtube, watch my videos, and get to know Orchard!

setAttribute Bug

The book “Javascript: The Definitive Guide” says “these methods (getAttribute and setAttribute) use standard attribute names, even when those names are reserved words in JavaScript” (6th edition, p 376).  But as it turns out, this is incorrect where IE7 is concerned.

To demonstrate this, consider the code below. If you can access “compatibility mode” of IE, notice that the “one two three” result stacks horizontally in IE with compatibility mode off, but stacks vertically in IE with compatibility on (e.g. imitating IE 7).

To work around this issue, without requiring jquery, simply replace the setAttribute call with a direct assignment to the predefined “className” attribute.

You can try this solution by editing the code above (hit the plus symbol in the top right corner). Just uncomment the “className” assignment line, and comment the setAttribute line. Then toggle compatibility mode again – the horizontal format then becomes consistent!

Acquitting setInterval

A co-worker spotted me using setInterval in my Javascript, and sent a link explaining why to avoid setInterval.  In summary, the reasons:

  • If the termination token is lost, it is not possible to stop the repeated invocation.
  • Multiple setInterval configurations, if you have them, are difficult to debug.

My co-worker added a third reason: re-entrancy issues.  “What happens,” he asks “if the callback does not complete before the next appointed interval?”

What is being suggested by these arguments, is that I should use a “self-renewing”  setTimeout instead of setInterval.

Well, I disagree with the rationale.  Answering the objections in reverse order…

The Javascript execution environment in the browser is single-threaded.  Both setTimeout and setInterval are implemented as events placed on an event loop.  Thus there is no re-entrancy issue to worry about.

Otherwise, I believe the remaining “manageability” objections are handled simply by encapsulating setInterval code within an object.  Below is an example of a count-down clock, where setInterval can’t lose its termination token, and can be stopped or started as needed.

As seen in the object literal assignment to the prototype of CountDown, the termination token is wrapped behind start() and stop() methods. And within start(), an interesting bit of indirection is used to establish the setInterval callback:

This looks funny simply because we need a parameter, the ‘this’ reference, to be passed to the countBack callback. Unfortunately, the setInterval call can’t take explicit parameters in IE8 or earlier, so the parameters must either be fed into a string or represented with a closure. The string solution is, generally, a very bad idea. The closure approach requires an anonymous function, which will hold the ‘this’ value. Even so, ‘this’ can’t be captured by a closure the way one might expect; ‘this’ always represents the caller. So the code above cheats by feeding the temp variable ‘me’ to the anonymous function.

All is well that is encapsulated well!