Friday, January 31, 2014

windows server 2012 missing flash player Internet explorer 10

I was trying to get Selenium tests working on IE10 on a Windows Server 2012 box in EC2. IE10 kept saying that Flash Player is not installed and gave a "Get Adobe Flash Player" link, but when I clicked it the Adobe site said that IE10 has Flash installed. It gave me steps to go to Manage add-ons and enable Shockwave Flash or disable ActiveX filtering. But when I went to Manage add-ons I didn't find Shockwave Flash. I even tried installing the Windows 8 update for Flash Player, but that said this is not a valid installer for your machine.

Finally I found that I had to install the Windows Server 2012 "Desktop Experience" feature from Add Roles and Features.

Installing it solved the issue.

Monday, January 20, 2014

Encrypting stored passwords in spring web application

We take security very seriously and have taken steps to harden our services so that someone with ssh access to the box won't be able to read the files. But the webapp has to be able to read the spring config that holds the database passwords, so we need to protect it from any file-download vulnerability.

So the plan was to encrypt the passwords stored in the spring files and decrypt them at runtime. As we have to decrypt the passwords back, this has to be symmetric encryption, but with a salt. After doing some research I found the jasypt library, which can do this. The steps I followed were:

1) Moved all passwords to a separate file called XXX_passwords.properties.
2) Changed the spring xml to use property placeholders like ${mysql.user.password}.
3) Added spring beans to load the passwords and decrypt them using the ENV variable ENCRYPTION_PASSWORD, and added two jars to the class path: jasypt-1.9.1.jar and jasypt-spring31-1.9.1.jar.

    <bean id="encryptablePropertyPlaceholderConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" />
       <property name="location" value="classpath:xxx_passwords.properties" />
    </bean>
    <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
       <property name="config" ref="environmentVariablesConfiguration" />
    </bean>
    <bean id="environmentVariablesConfiguration"
          class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
       <property name="algorithm" value="PBEWithMD5AndDES" />
       <property name="passwordEnvName" value="ENCRYPTION_PASSWORD" />
    </bean>
4) Wrote a sample property file encryptor that takes a plaintext file and encrypts the passwords in place.
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;

public class PPFileEncoder {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ENCRYPTION_PASSWORD=... java PPFileEncoder <properties-file>");
            System.exit(1);
        }
        String filePath = args[0];
        File file = new File(filePath);
        if (!file.exists()) {
            System.err.println("File " + filePath + " doesn't exist");
            System.exit(1); // stop here instead of failing later in FileReader
        }
        // Read the plaintext key=value pairs.
        Properties inputProps = new Properties();
        FileReader reader = new FileReader(file);
        try {
            inputProps.load(reader);
        } finally {
            reader.close();
        }
        // Same algorithm and env variable as the Spring beans, so the webapp can decrypt what we write.
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setPasswordEnvName("ENCRYPTION_PASSWORD");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);

        Properties outputProps = new Properties();
        for (String key : inputProps.stringPropertyNames()) {
            outputProps.setProperty(key, getEncryptedProperty(encryptor, inputProps.getProperty(key)));
        }
        // Overwrite the original file in place (step 5 of the install).
        FileWriter writer = new FileWriter(file);
        try {
            outputProps.store(writer, "Encrypted file");
        } finally {
            writer.close();
        }
    }

    // Wraps the ciphertext in ENC(...) so the placeholder configurer knows to decrypt it;
    // values that are already wrapped are left alone so the tool can be re-run safely.
    private static String getEncryptedProperty(StandardPBEStringEncryptor encryptor, String value) {
        if (value == null || value.trim().startsWith("ENC(")) {
            return value;
        } else {
            return "ENC(" + encryptor.encrypt(value) + ")";
        }
    }
}

5) Changed the install process to encrypt the passwords as the last step of the install and overwrite the original property file.
6) Ops now unset the env variable once the app is up.

With jasypt, if your original file was

mysql.user.password=KalpeshPatel
it would become
mysql.user.password=ENC(B4UEFvcfdIJqavADLRTZqw\=\=)
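As an added check (not part of the original post), a small verifier ops can run after step 5 and before step 6, while ENCRYPTION_PASSWORD is still set and before the app starts: it loads the encrypted properties file, builds an encryptor with the same settings as the Spring beans above, and reports any key that is still plaintext or whose ENC(...) value does not decrypt. The class name PPFileVerifier is hypothetical; jasypt's PropertyValueEncryptionUtils is a real helper from the same jar, just not one the post uses.

```java
import java.io.FileReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.PropertyValueEncryptionUtils;

// Hypothetical pre-start check: every value must be ENC(...) and must decrypt with the current env variable.
public class PPFileVerifier {
    // Same algorithm and env variable name as the Spring beans; a mismatch here would make a good file look broken.
    static StandardPBEStringEncryptor newEncryptor() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setPasswordEnvName("ENCRYPTION_PASSWORD");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }
    // Keys still in plaintext (missed by step 5) or whose ENC(...) value does not decrypt (wrong password, altered value).
    static List<String> findProblemKeys(Properties props, StandardPBEStringEncryptor enc) {
        List<String> problems = new ArrayList<String>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            if (!PropertyValueEncryptionUtils.isEncryptedValue(value)) {
                problems.add(key + " (plaintext)");
                continue;
            }
            try {
                PropertyValueEncryptionUtils.decrypt(value, enc); // strips ENC() and decrypts
            } catch (EncryptionOperationNotPossibleException e) {
                problems.add(key + " (does not decrypt)");
            }
        }
        return problems;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.getenv("ENCRYPTION_PASSWORD") == null)
            throw new IllegalArgumentException("usage: ENCRYPTION_PASSWORD=... java PPFileVerifier <file>");
        Properties props = new Properties();
        props.load(new FileReader(args[0]));
        List<String> problems = findProblemKeys(props, newEncryptor());
        if (!problems.isEmpty()) {
            System.err.println("Not safe to start the app or unset ENCRYPTION_PASSWORD yet: " + problems);
            System.exit(1);
        }
        System.out.println("All " + props.size() + " values decrypt with the current ENCRYPTION_PASSWORD");
    }
}
```

A non-zero exit tells the install script to stop before the env variable is unset, which is when a mismatched ENCRYPTION_PASSWORD would otherwise first surface as a webapp startup failure.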

A good thing about this solution is that devops can choose a completely random value for the ENCRYPTION_PASSWORD variable every time they run the installer, and a different value for each machine.

Saturday, January 18, 2014

Offsite

Last week I attended the first offsite in my career. I had no idea what offsite meetings were, so it was an interesting experience for me. Honestly I was skeptical about the entire offsite thing and thought it would be a waste of time. I work from home and I visit the Bay Area maybe twice a year. I have a 4 year old, and going on these one-week trips is not fun for the family as my wife has to manage the kid alone along with her hectic job. So I try to avoid a trip to the Bay Area as much as possible. Also these Bay Area trips are not at all productive for me; I somehow feel productive if at the end of the day I deliver some tangible code, and on a Bay Area trip, as I am pulled into all sorts of meetings, it's not at all suitable for writing any kind of code; there are too many distractions. The max amount of code that I am able to write is on the 4 hour aeroplane ride back and forth.

Anyway, coming back to the offsite, we did it over 2 days in 4 sessions. In the first session marketing, sales, and management presented their goals for 2014. Then we were divided into 2 groups and asked to discuss for 4 hours and come up with some tangible goals for each quarter based on the goals presented by management in the first session. We were given 5 additional questions to debate, and one of the questions was, if we double the team size and revenue, how do we scale the engineering organization and add 50 more people; another question was how do we improve performance and quality of the product, and many more. We gave each team member a pack of sticky notes, set a timer, and asked them to write how they think we should solve this question, and at the end of the timer we put the sticky notes on the wall and prioritized the actions based on the common things. It was interesting to see that most of the votes went to automation, new employee on-boarding, and code reviews.
This again brings up my famous topic of human touch points: as the organization is growing, the only way to scale is to come up with proper guidelines and self-sustaining processes.

Anyway, each team lead also came up with concrete projects they would start in order to meet company goals. On the second day the two groups gave a presentation of their quarterly goals and then we merged the goals with the other team's to come up with action items per quarter. Now I am still skeptical of how much we can really execute on these goals, as the Q1 and Q2 goals still seem clearer but it becomes fuzzy as we move on to Q3 and Q4.

But my biggest takeaway from this offsite was that I am again charged up and motivated to take on the bigger tasks. As the team grows I see many big and interesting projects to take on. As the organization has doubled its size year over year in the past 4 years, I have seen that the more challenging projects you do, the better it is for you and for team members. You feel more confident and the fear of going into unexplored territory starts vanishing. You also push team members out of their cocoon and they feel more confident and grow faster in the org hierarchy. I feel a growing startup has too many things to work on and there is never a shortage of interesting work to keep you on your toes. So you can finish one project and jump on to the next. It's like you are addicted to the working culture, as if you are on some kind of drug or caffeine. If you are given some boring work then you sloth on it and try to finish it and move on to the next interesting task. But once in a while you feel burnt out, and for me this offsite was a nice way to get out of that daily routine and meet different team members, see what they are doing, and discuss interesting ideas. Also I met a friend from Google and had dinner at the Googleplex, and it was interesting to see the number of young people they have; the environment was full of energy. So I am charged and ready for the next big thing.

Friday, January 10, 2014

ubuntu 12.04 freeze

So I was getting random freezes on Ubuntu where the mouse, keyboard, or anything else wouldn't work. The probability of a freeze increases if I start YouTube. Ultimately my colleague recommended upgrading the Linux kernel following these instructions:

http://www.unixmen.com/linux-kernel-3-12-2-available-download-installation-instructions-ubuntu-linux-mint/

5 days after the kernel upgrade and no more crashes, even with YouTube running in the background for almost 3-4 hours.

The only thing I had to do was reinstall VirtualBox. Then yesterday I had to install the guest additions, and unfortunately the Ubuntu package tried installing virtualbox-guest-additions-iso with old kernel compatibility and it didn't work. Anyway, for now it's not itching me that much and I will scratch it if it becomes unbearable; due to this I am unable to copy and paste between the Ubuntu host and guest even though I had enabled bidirectional clipboard sharing.

Lost trust in manual QA

At my employer's startup the product footprint has grown so big that I have lost trust in manual QA. Take today as an example: last night QA found an issue and then my team mate fixed it, and before I woke up I saw that QA had passed the ticket with flying colors, and they did test many things like update user and bulk update user.

As there is a release tonight, I did a detailed code review of the fix, and within 2 minutes I saw an issue in the bulk update: the original developer didn't use DRY. So the team mate had fixed update user, and from the UI the bulk action would still call updateUser. The other bulk update would be called only when you import a CSV or use some other public API.

The point being, I have lost trust in manual QA because they really can't regress a ticket using all possible combinations in the short amount of time.

We do a release every 3 weeks; 2 weeks are dev and 2 weeks are QA (the 2nd week overlaps), but in those 2 weeks we are always scrambling to get our act in shape, so corners have to be cut. Many times I see QA raising tickets after it's live in prod.

The only way here is to remove the human touch point from the equation if we want to maintain the same release velocity and code quality.

Wednesday, January 8, 2014

Courage and change in focus

It takes courage to acknowledge product issues. Hats off to the Evernote CEO for acknowledging them and pledging to focus on core product issues in this blog post:

http://blog.evernote.com/blog/2014/01/04/on-software-quality

Sometimes you are aware of issues in the product but unable to put dedicated focus on them as you have to add new features fast, and I guess sometimes all you need is an external push to again put dedicated focus on quality rather than features.

A startup's path to success is not hockey-stick growth; it looks more like a zig-zag mountain hike.

Monday, January 6, 2014

0, 1, 5, 20, 50, 100

Heard an interesting comment that 50% of the people who take a company from MVP ($0 revenue) to 1M revenue, from 1M to 5M, from 5M to 20M, from 20M to 50M, and from 50M to 100M will need replacement or augmentation in the company.

Interesting comment, and now that I think about it, I have observed something similar in the startup I am employed at (although not at 50%, but I have seen that as the revenue grows, in a few areas people constantly get replaced, or consultants get replaced by motivated and sharp employees).

Another interesting observation was on how to figure out the revenue of a competitor: http://saastr.quora.com/How-to-Figure-Out-Your-Competitors%E2%80%99-Revenues-in-About-70-Seconds. This one was almost accurate.