Platinum Solutions Corporate Website

Robert Settle's blog

Fiddler for Internet Explorer

Web development using Internet Explorer is often a more painful endeavour than developing with Firefox, due to IE's lack of development tools compared to Firefox.  If requirements dictate Internet Explorer, the Fiddler add-on for IE provides valuable capabilities for inspecting the details of HTTP connections.  From the website: "Fiddler is an HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and 'fiddle' with incoming or outgoing data."

Almost a Hard Disk Disaster

There comes a time in every system administrator's life when the dreaded hard disk failure occurs.  Unfortunately, I just lived this nightmare, but the outcome was not as bad as it could have been.

The Scene

It was a Tuesday after a 3-day weekend--a Monday-wanna-be.  A main web server had just died and refused to boot.  Upon mounting the RAID 1 root partition, a never-ending stream of unrecoverable hard disk and invalid op-code errors filled the screen.

Attempt 1

Not a big deal, I thought to myself.  I'll just shut down, disconnect the bad drive, and let the mirrored partition take over.  Success was on the horizon--the computer POST'd, the kernel loaded, the drives were mounted, services began to start, and finally success--a login prompt!  Unfortunately, the hostname was completely wrong.  This "mirrored" partition, although perfectly sized to mirror the bad root partition, conveniently held a completely separate Red Hat installation.  Strike 1.

Blocking brute force login attempts

Most system and network administrators are very familiar with brute force attacks against their devices.  Every day, thousands of script kiddies and worms scan the Internet attempting to guess passwords for SSH, FTP, telnet, and other services.  A typical signature of these attacks is hundreds of failed attempts overall but only a few attempts per account.  In this case, each account is simply being tested for the simplest of passwords, such as a blank password, the username as the password, or 'password' as the password.  Although typically futile on a properly administered network, these attacks are annoyances and create noise which may conceal real suspicious activity or, even worse, successful intrusions.
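The signature described above (many failures from one source, spread thinly across many accounts) is easy to pick out of an SSH auth log.  The following detection logic is an added example, not code from the original post; the log lines it runs over are constructed samples in sshd's syslog format and the thresholds are illustrative.

```javascript
// Added example: flag the brute-force signature from the post -- many failed
// logins from one source, only a few attempts per account -- in sshd log lines.
// The lines below are constructed samples, not a real log.
const SAMPLE_LOG = [
  'Mar  7 02:11:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2',
  'Mar  7 02:11:03 web1 sshd[4122]: Failed password for root from 203.0.113.9 port 51235 ssh2',
  'Mar  7 02:11:05 web1 sshd[4123]: Failed password for invalid user oracle from 203.0.113.9 port 51236 ssh2',
  'Mar  7 02:11:07 web1 sshd[4124]: Failed password for invalid user test from 203.0.113.9 port 51237 ssh2',
  'Mar  7 02:11:09 web1 sshd[4125]: Failed password for invalid user guest from 203.0.113.9 port 51238 ssh2',
  'Mar  7 02:11:11 web1 sshd[4126]: Failed password for invalid user ftp from 203.0.113.9 port 51239 ssh2',
  'Mar  7 02:12:40 web1 sshd[4130]: Failed password for rsettle from 198.51.100.17 port 40210 ssh2',
  'Mar  7 02:12:44 web1 sshd[4130]: Failed password for rsettle from 198.51.100.17 port 40210 ssh2',
  'Mar  7 02:12:51 web1 sshd[4130]: Accepted password for rsettle from 198.51.100.17 port 40210 ssh2',
];

// Matches sshd failures; "invalid user" appears when the account does not exist.
const FAILED_RE = /Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port/;

// Group failures per source address: total count and attempts per account.
function summarizeFailures(lines) {
  const bySource = new Map();
  for (const line of lines) {
    const m = FAILED_RE.exec(line);
    if (!m) continue;
    const [, user, ip] = m;
    const s = bySource.get(ip) || { total: 0, accounts: new Map() };
    s.total += 1;
    s.accounts.set(user, (s.accounts.get(user) || 0) + 1);
    bySource.set(ip, s);
  }
  return bySource;
}

// Flag sources with at least minTotal failures where no single account was
// tried more than maxPerAccount times: the password-guessing scan pattern,
// not a legitimate user mistyping their own password a couple of times.
function findScanners(lines, minTotal = 5, maxPerAccount = 2) {
  const hits = [];
  for (const [ip, s] of summarizeFailures(lines)) {
    const perAccountMax = Math.max(...s.accounts.values());
    if (s.total >= minTotal && perAccountMax <= maxPerAccount) {
      hits.push({ ip, total: s.total, accounts: s.accounts.size });
    }
  }
  return hits;
}
```

On the sample above only 203.0.113.9 is flagged; the user at 198.51.100.17 failed twice on one account and then logged in, which is exactly the case the per-account ceiling is meant to leave alone.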

Javascript and Prototype

In a recent project, we decided to incorporate AJAX functionality to create a dynamic and interactive user experience in the browser.  With information learned from Stuart Halloway's presentation at one of Platinum Solutions' training events, I decided to utilize Prototype (http://prototype.conio.net/) as a helper library for implementing AJAX functionality and making the JavaScript cleaner.

AJAX

My primary goal for utilizing Prototype was to assist with AJAX.  Although creating AJAX requests in the browser is not complex, Prototype hides browser variations in the process and makes implementation extremely simple.  To implement the loading of data upon click, I utilized Prototype's Ajax.Request object.

    // Prototype picks the right XMLHttpRequest flavour for the browser
    new Ajax.Request(this.getDataUrl, {
        method: 'post',
        // encode the values so '&', '=' or spaces in a date cannot break the body
        postBody: 'fromDate=' + encodeURIComponent(fromDate) + '&toDate=' + encodeURIComponent(toDate),
        onSuccess: this.processDataJSON.bind(this),   // keep 'this' pointing at this object
        onFailure: this.ajaxError.bind(this),
        asynchronous: true
    });

This simple AJAX call just requires the URL and an associative array of self-explanatory parameters.  The only unintuitive part of this call for developers coming from other languages is the bind call.  This is covered later in the discussion on classes.  This AJAX call gets initiated in a 'click' event handler, and the processDataJSON and ajaxError callback functions were written to process the success or failure of the AJAX call.

This request calls a URL which could be implemented in any server-side language such as Java, PHP, or Perl.  For this project, we implemented the server as a Java Servlet and chose JavaScript Object Notation (JSON) as the data protocol.  JSON is a very simple, yet effective way to deliver data to the client in the form of JavaScript objects.  This eliminates any conversion or translation on the client side.  However, a small amount of work is performed on the server side to create the objects.

Once the client receives the AJAX response, the JSON is parsed to create a standard JavaScript object.  You can use a standard JavaScript eval to create the objects, but it is recommended to use JSON.org’s JSON parser available at http://www.json.org/js.html.  This parser will only process and create JavaScript objects from the JSON response as opposed to eval which will run any JavaScript code.  Here is the processDataJSON callback function:

    processDataJSON: function(response) {
        // JSON.parse comes from json.org's parser; it only builds data
        // objects from the response text and throws if the text is not JSON
        var newData = JSON.parse(response.responseText);

        // process new data here...
    }

There is no translation or conversion necessary.  The JSON parse function simply returns a JavaScript object for use.
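The difference between eval and a strict parser is easiest to see on a response that is valid JavaScript but not valid JSON.  This is an added example, not code from the original post: both response strings are constructed, and the strict parser is the built-in JSON.parse that browsers later standardized from the json.org parser the post recommends.

```javascript
// Added example: why the post prefers a strict JSON parser over eval for
// AJAX responses. Both payloads are constructed; the second is not JSON but
// is valid JavaScript, which is exactly what eval cannot tell apart.
const GOOD_RESPONSE = '{"events":[{"date":"2006-03-07","title":"Release"}],"count":1}';
const NON_JSON_RESPONSE =
  '(function(){ globalThis.sideEffect = "code ran"; return {"count":0}; })()';

// What a page that does eval(response.responseText) actually does: the text
// is executed, so any code embedded in it runs before the "object" comes back.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// A strict parse only builds data; anything that is not JSON throws, and the
// caller treats that as a failed request rather than as data.
function parseStrict(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Shape check after parsing: JSON.parse guarantees data only, not that the
// data is what the page expects, so validate before using it.
function isCalendarResponse(data) {
  return data !== null && typeof data === 'object' &&
    Array.isArray(data.events) && typeof data.count === 'number';
}
```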

Classes

Another purpose for using Prototype was to use basic object oriented programming.  Prototype offers a Class object for creating and defining classes.  Use Class.create() to create a Class object, then define the class functions by assigning an associative array of functions to class_name.prototype.  A special function called initialize is used to act as the object’s constructor.

    var CalendarData = Class.create();

    CalendarData.prototype = {
        // initialize is called by Prototype when "new CalendarData(...)" runs
        initialize: function(year, month, day) {
        },

        processDataJSON: function(request) {
            // ...
        }
    };

To harness the power of inheritance, use Class.extend to create an object oriented hierarchy of objects.  My primary complaint about JavaScript objects is the notion of context.  Object oriented programmers are used to calling functions on objects with the assumption that the target object is executing its own function.  In other words, car.explode() called from a class called Person might not cause the car object to explode.  Instead, the car.explode function would be executed in the context of Person, thus causing the Person to explode.  This is likely not the intended result.  To solve this issue, Prototype offers the bind function.  In the car example, the Person would call car.explode.bind(car)().  This notation is definitely less clean but necessary.  Bind causes the function to be executed in the context of car.  When the function uses the 'this' keyword, 'this' will refer to car and NOT the Person object calling the function.  This issue of context may be simple to fix; however, it can waste a lot of time debugging function calls that are missing binds.
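The car and Person scenario above, and the bind calls on the Ajax.Request callbacks earlier, come down to the same thing: whoever invokes a function decides what 'this' is.  This added example (not code from the original post) shows it with plain constructor functions instead of Prototype's Class.create, and with Function.prototype.bind, which later standardized the bind helper Prototype introduced; the names are illustrative.

```javascript
// Added example: the context problem the post describes. Plain constructor
// functions stand in for Prototype's Class.create; Function.prototype.bind
// plays the role of Prototype's bind. Car and Person are illustrative names.
function Car(name) { this.name = name; this.exploded = false; }
Car.prototype.explode = function () {
  this.exploded = true;           // "this" is whatever the caller used as context
  return this.name + ' exploded';
};

function Person(name) { this.name = name; this.exploded = false; }
// Stores a callback and invokes it as a method of the Person, the same way an
// event handler or Ajax.Request's onSuccess is invoked by someone else's code.
Person.prototype.use = function (callback) {
  this.callback = callback;
  return this.callback();
};

// Without bind: the function runs with "this" === the Person, so the Person,
// not the car, ends up exploded.
function unboundCall() {
  const car = new Car('car'), bob = new Person('Bob');
  const msg = bob.use(car.explode);
  return { msg, carExploded: car.exploded, personExploded: bob.exploded };
}

// With bind: the function always runs with "this" === car, regardless of
// who invokes it or how.
function boundCall() {
  const car = new Car('car'), bob = new Person('Bob');
  const msg = bob.use(car.explode.bind(car));
  return { msg, carExploded: car.exploded, personExploded: bob.exploded };
}
```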

Iterators

Virtually Free

In the past years, virtual machines that allow a guest operating system to run within a host operating system (VMware, Virtuozzo, Virtual Iron, Xen, etc) have found an important role across the IT spectrum.  As computers become more powerful, running multiple operating systems becomes easier and more productive.  The role of virtual machines ranges from software development to server hosting to desktop productivity.

In Dec 2005, the standard in virtual machines, VMware, released a free VMware Player.  This product allows anyone to run a virtual machine created by other VMware products such as VMware Workstation.  This move by VMware to further their market share provides a tremendous benefit for those that would not typically purchase VMware.  Software vendors and consultants can now deliver a completely configured operating system image for customers to run as a demo.  Development teams can produce images from one machine with one license, and test on many machines with the free VMware Player.  Typically, the best way to try out Linux was to boot to a live CD-ROM, but it still required shutting down the primary OS, thus interrupting productivity.  With VMware Player, just visit the Virtual Machine Center and download images ready to play.

Security websites worth bookmarking

With dozens of vulnerabilities and hacking tools released every week, it is difficult for a security professional to keep up with the latest, greatest news and tools.  One of the most popular security websites is SecurityFocus which provides great news and tech articles relating to security and the ever popular Bugtraq vulnerability mailing list.  It also has great primers on security technologies.

While SecurityFocus also has newsletters, mailing lists, and Bugtraq (read: information overload), I use SecuriTeam's mailing list to feed me important security updates without flooding my inbox.  SecuriTeam's website provides an excellent searchable database of security articles, tools, exploits, and vulnerability notices collected from a variety of sources.  You can sign up for these notifications via email or use the RSS feed.