Success as measured by time

I recently read an article on HBR.ORG titled “Stop Working All Those Hours” and it has really made to stop and think about how people, myself included, measure success. The general premise here is that success in the workplace is often measured by the amount of time spent in the office. Stop and think about this for a moment; is it true?
Will spending 50+ hours a week in the office really make you a better employee? Or is it a perfect demonstration of not being as efficient as you could be? Metrics are an important factor in a business, I mean you have to have some empirical data by which you compare employees against each other. But is hours worked a valid metric? Does the employee that came in on Saturday deserve recognition if they could have completed the task on Friday? Is the employee that leaves early to watch their childrens’ little league game less dedicated to his or her job?

Stop working so much!

That last question sort of hits close to home for me because I am frequently hard on myself for having to leave or miss work for any reason, but at the same time I refuse to be one of those parents that doesn’t get to see their children grow up. If time spent truly is a valid metric for measuring employees then my career progression is possibly doomed to be a slow and arduous process.

Admittedly time spent is a metric we instantly gravitate towards, I do however believe that it is, at the very least, an unreliable total picture metric. As leaders and managers we should strive to identify metrics that are specific to a position. By doing so we will be able to obtain a much better idea of how well our employees are actually performing.

As an employee I feel that it is important to closely evaluate our efficiency. If you can make yourself more efficient then perhaps you can spend a few of those hours focusing on your personal life as well. A couple more hours spent catering to yourself will go a long way in ensuring your happiness and overall well being.

https://www.wjd.io/disqus/

Our Move to Dot Net Core

I work at Synovia Solutions LLC. creators of the Silverlining Fleet Management software and Here Comes The Bus. Our solution installs hardware devices on vehicles that then report back over cellular to us. During peak times we are processing about 3000 messages / second over UDP.

Our current system includes a monolithic windows service that handles pretty much all aspects of message processing. Its written in .NET (currently 4.6.1) and runs on several physical machines located in a local Data Center. It uses SQL Server as a backend data store.

When I was brought on board one of my primary tasks was to migrate the existing queuing infrastructure, several Sql Server Tables, into a new queuing solution. We chose RabbitMq via the hosted provider CloudAMQP. This was a pretty new paradigm for me, as I had never worked with anything other than MSMQ (GAG!) .

After the initial implementation of Rabbit was written we discovered a show stopper. To explain that I’ll need to cover a bit more on how this all works.

You see the devices on the vehicle communicate over UDP only, but once we receive a message and persist it we have to send an ACK message back to the device. If the device doesnt receive this ACK within 30 seconds it will retransmit the same mesasge. With our existing infrastructure already strained, several times we found ourselves falling behind processing inbound messages, as both the number of incoming messages and the average processing times increased, during peak hours, we hit critical mass. If we had 3k messages in the queue to persist, and persisting was taking upwards to 10ms, devices would begin re transmitting messages, which, at this point are duplicates, and our queue would snowball.

This problem was only made worse by the fact that if the vehicle turned off before all of its data was sent and ack’d the data would reside on the device until the next time the vehicle’s ignition was turned on, at which point it would again resume trying to send out. This was usually during another peak time and so the cycle continued.

When we introduced hosted RabbitMq this problem got worse, because now we have at least a 25ms round trip time from our data center to the AWS data center where CloudAMQP was hosted. We could have opted to host RabbitMq ourselves, but lacking a dedicated Sys Admin this just wasnt in the cards.

It was around this time that Dot Net Core was in beta and we were looking at migrating our ‘Listener’ infrastructure into AWS to eliminate the 25MS round trip time, and move forward with RabbitMq.

We had the idea to take another step, and write a Listener Microservice. At the time I was really torn between using NodeJs, Python, Java or risking it and using the Beta version of Dot Net Core. The main requirements where:

*Be cross platform, specifically it had to run on Linux (Ubuntu).
*Be really freakin fast
*Accept messages, persist them, and Ack them
*Be stateless
*Scale automagically.
*Live behind a load balancer.

Thats it, small and fast. That last one though, the load balancer, yeah there wasnt much in the way of UDP load balancing when we started the project. AWS didnt support UDP, NGINX didnt and the only one I found at the time was Loadbalancer.org. Once I was about halfway done NGINX released their UDP load balancing. AWS still doesnt support it.

At the end of the day we went with the following stack:

*Loadbalancer.org for balancing
*Ubuntu OS
*AWS OpsWorks
*Dot Net Core
*Rabbit Mq
*Redis (for syncing sequence numbers across all instances)

There is still a slight bottleneck when persisting to RabbitMq b/c we have to utilize CONFIRMS to ensure the message is persisted before we can send the ACK. The average time from start to finish is between 5 – 7ms.

That may not sound like much of an improvement, but it doesnt tell the whole story either. Thats the time to process a single message, on a single instance on a single thread. Its about 200 messages / second.

But when I use a typical Producer Consumer model with 25 processing threads we can hit 5000 messages / second, and do so without incurring any additional latency b/c RabbitMq is just awesome. At that rate here is my cpu utilization (from DataDog) over the last 24 hours:

Needless to say we arent even scratching the surface of what this thing can do. Of course we have a few instances running behind the LB.ORG appliance, so we can easily handle 30k messages / second.

All of this running on a T2.Medium instance with 2vPUs and 4GB of RAM, costing ~ $300 / year / instance to run 24/7. We could save even more money utilizing Spot Instances for peak times, but we just dont need it right now.

At the end of the day it has been a pretty awesome experience learning all of these new technologies. RabbitMq is amazing. But I have to give an enormous shout out to the ****Dot Net Core**** team and MSFT. What they have done is really going to shake shit up in the development world.

Gone are the days of going to a Hackathon and being laughed at for not rocking Ruby or NodeJs. C# is an incredibly powerful language and now that it is truly cross-platform I think we are going to start seeing a major paradigm shift in the open-source world.

Some will say yeah, Java has been doing that for ever, and I get that. Java is great. But what Java lacked, at least in comparison to .NET / C#, was Visual Studio. VS is, in my humble opinion, hands down the best development environment in existence.

Seriously, you couple VS with JetBrains ReSharper and you have a code churning productivity machine. Now add in Docker for windows and I can prototype and hack on a level never before possible in this world; and on a level that is, at the very least, equal to that of any other language. I would probably even say it is superior.

https://www.wjd.io/disqus/

BentBox.co Security Concerns

Please note that as of this writing, the majority of the problems discussed below have been addressed by the BentBox.co team. I will point out that they were fairly responsive and thankful for the issues that I presented them.

However there are still some of these problems that exist on their site.

On or around June 25th I discovered several security issues with the website BentBox.co. This website provides a platform for photographers and other artists to sell their work. I reached out to a well known security researcher whose name I wont mention until I get permission.

Following that individuals guidance I contacted the folks at BentBox.co where I provided them with the details of my findings. Over the course of the next few weeks we emailed a few times.

Below are the details of my findings.

BentBox.co vulnerability

Overview

Cookies are used to store session information. The cookies that are set contain 3 pieces of information:

  1. PHPSessionId
  2. Adult Content filter setting
  3. User Id

It is possible to sign in with a valid user name and password to get a valid PHPSessionId and then edit the cookies stored locally to insert a different User Id in order to access another user’s private account information.

You can easily obtain any user’s user id value by browsing to one of their boxes and looking at the page source

var loggedinUserId="";var userId="";

It is trivially simple to gain access to any user’s private information in this manner. In fact the entire website could be easily compromised with a simple script used to harvest user id’s.

What information is accessible?

From my initial research it appears that everything related to a user’s account is accessible, including:

  1. Private account settings
  2. Private messages that have been sent / received
  3. All boxes and their content
  4. Payment Information

Other Information

Another major issue is that the website does not use HTTPS by default. This means that every time the page is loaded the cookie’s containing the PHPSessionId value are transmitted in clear text. This is a major problem b/c it allows for trivial session hijacking.

How to Fix?

Here are some of my suggestions on how to resolve this problem:

  1. Enable HTTPS by default for ALL PAGES
  2. Do not store the userId in the cookie, instead only the session id.
  3. Map session Ids to the correct account in memory server side
  4. Enforce access control checks on all page loads that verify that the session is still active and is valid for the account.
  5. I would suggest not using that user’s Id anywhere in the page, but, it appears this would require significant work to achieve and may not be feasible.
  6. Expire sessions after a shorter period of time.

Using Moq to override calls to App.config

The other day I was working on a new implementation in our product to re do logging. I’m taking us from a custom File Writer to using Log4Net wrapped in a Facade.

To make this transition a bit smoother, and allow us to roll back to the old style if something breaks, I also implemented a Factory Pattern to provide the correct logger based upon the current App.Config settings.

To clarify, we are using Ninject for DI, and usually I would use the DI container to inject the correct implementation. However, we are also using the NinjectModule interface to setup bindings at runtime, based upon a compiled assembly. So instead, I’m using DI to inject the factory and it can provide the correct implementation.
I’m sure there will be countless opinions both ways here, but its convenient and makes sense in our project

I had sketched up my interfaces and got ready to write unit tests, when I discovered that I wasnt sure how to get NUnit to read from my App.Config, so I jumped on DuckDuckGo and ended up finding this article on CoryFoy.com

This definitely game me the direction I needed, but all of a sudden I had a revelation. I’ve been wanting to learn to use Moq and I thought this was a great opportunity to try it out.

So here is the interface for my LogFactory

public interface ILogFactory
{
ILog GetLogger();
ILog GetLogger(string name);
string GetServiceName { get; }
string GetLoggerType { get; }
}

And its impl.

 

public class LogFactory : ILogFactory
{
public virtual ILog GetLogger()
{
if (GetLoggerType != null && GetLoggerType.Equals("Log4Net", StringComparison.InvariantCultureIgnoreCase))
{
return new Log4NetLogger(GetServiceName);

}
else
{
return new LogHelper(GetServiceName);
}
}

public virtual ILog GetLogger(string name)
{
if (GetLoggerType != null && GetLoggerType.Equals("Log4Net", StringComparison.InvariantCultureIgnoreCase))
{
return new Log4NetLogger(name);
}
else
{
return new LogHelper(name);
}
}

 

public virtual string GetServiceName
{
get
{
return ConfigurationManager.AppSettings["ServiceName"] ?? "Service";
}
}

public virtual string GetLoggerType
{
get
{
return ConfigurationManager.AppSettings["Logger"] ?? "LogHelper";
}
}
}

As you can see we are currently dipping into the App.Config to grab the settings and return the correct logger.

To test the implementation I needed to override the methods (ok they are properties but still):

GetLoggerType ()
//and
GetServiceName()

To accomplish this I setup my unit tests (I am using NUnit) and used Moq to override the properties:

var mock = new Mock();
mock.Setup(f => f.GetServiceName).Returns("My Test");
mock.Setup(f => f.GetLoggerType).Returns("Log4Net");
mock.Setup(f => f.GetLogger()).CallBase();
LogFactoryLog4Net = mock.Object;

Then in the test you just call the GetLogger() method and Moq takes care of the rest for you:

[Test()]
public void LogFactoryLog4NetGetLogger()
{
var factory = LogFactoryLog4Net.GetLogger();
var type = factory.GetType();
Assert.AreEqual("Log4NetLogger",type.Name);
}

Here is the full unit test for reference:

 

[TestFixture()]
public class LogFactoryTests
{
public ILogFactory LogFactoryLog4Net { get; set; }
public ILogFactory LogFactoryLogHelper { get; set; }

public ILogFactory LogFactoryDefault { get; set; }

[SetUp]
public void Init()
{
var mock = new Mock();
mock.Setup(f => f.GetServiceName).Returns("Service Test");
mock.Setup(f => f.GetLoggerType).Returns("Log4Net");
mock.Setup(f => f.GetLogger()).CallBase();
LogFactoryLog4Net = mock.Object;

var mock2 = new Mock();
mock2.Setup(f => f.GetServiceName).Returns("Service Test");
mock2.Setup(f => f.GetLoggerType).Returns("LogHelper");
mock2.Setup(f => f.GetLogger()).CallBase();
LogFactoryLogHelper = mock2.Object;

var mock3 = new Mock();
mock3.Setup(f => f.GetServiceName).Returns("Service Test");
mock3.Setup(f => f.GetLoggerType).Returns("INVALID");
mock3.Setup(f => f.GetLogger()).CallBase();
LogFactoryDefault = mock3.Object;
}

[Test()]
public void LogFactoryLog4NetGetLogger()
{
var factory = LogFactoryLog4Net.GetLogger();
var type = factory.GetType();
Assert.AreEqual("Log4NetLogger",type.Name);
}

 

[Test()]
public void LogFactoryLogHelperGetLogger()
{
var factory = LogFactoryLogHelper.GetLogger();
var type = factory.GetType();
Assert.AreEqual("LogHelper", type.Name);
}

[Test()]
public void LogFactoryDefaultGetLogger()
{
var factory = LogFactoryDefault.GetLogger();
var type = factory.GetType();
Assert.AreEqual("LogHelper", type.Name);
}

}

Hope that helps someone, and thanks for reading!

Using Moq to override calls to App.config

The other day I was working on a new implementation in our product to re do logging. I’m taking us from a custom File Writer to using Log4Net wrapped in a Facade.

To make this transition a bit smoother, and allow us to roll back to the old style if something breaks, I also implemented a Factory Pattern to provide the correct logger based upon the current App.Config settings.

To clarify, we are using Ninject for DI, and usually I would use the DI container to inject the correct implementation. However, we are also using the NinjectModule interface to setup bindings at runtime, based upon a compiled assembly. So instead, I’m using DI to inject the factory and it can provide the correct implementation.
I’m sure there will be countless opinions both ways here, but its convenient and makes sense in our project

I had sketched up my interfaces and got ready to write unit tests, when I discovered that I wasnt sure how to get NUnit to read from my App.Config, so I jumped on DuckDuckGo and ended up finding this article on CoryFoy.com

This definitely game me the direction I needed, but all of a sudden I had a revelation. I’ve been wanting to learn to use Moq and I thought this was a great opportunity to try it out.

So here is the interface for my LogFactory

    public interface ILogFactory
    {
        ILog GetLogger();
        ILog GetLogger(string name);
        string GetServiceName { get; }
        string GetLoggerType { get; }
    }

And its impl.

 public class LogFactory : ILogFactory
    {
        public virtual ILog GetLogger()
        {
            if (GetLoggerType != null && GetLoggerType.Equals("Log4Net", StringComparison.InvariantCultureIgnoreCase))
            {
                return new Log4NetLogger(GetServiceName);

            }
            else
            {
                return new LogHelper(GetServiceName);
            }
        }

        public virtual ILog GetLogger(string name)
        {
            if (GetLoggerType != null && GetLoggerType.Equals("Log4Net", StringComparison.InvariantCultureIgnoreCase))
            {
                return new Log4NetLogger(name);
            }
            else
            {
                return new LogHelper(name);
            }
        }


        public virtual string GetServiceName
        {
            get
            {
                return ConfigurationManager.AppSettings["ServiceName"] ?? "Service";
            }
        }

        public virtual string GetLoggerType
        {
            get
            {
                return ConfigurationManager.AppSettings["Logger"] ?? "LogHelper";
            }
        }
    }

As you can see we are currently dipping into the App.Config to grab the settings and return the correct logger.

To test the implementation I needed to override the methods (ok they are properties but still):

GetLoggerType ()
//and
GetServiceName()

To accomplish this I setup my unit tests (I am using NUnit) and used Moq to override the properties:

var mock = new Mock<LogFactory>();
mock.Setup(f => f.GetServiceName).Returns("My Test");
mock.Setup(f => f.GetLoggerType).Returns("Log4Net");
mock.Setup(f => f.GetLogger()).CallBase();
LogFactoryLog4Net = mock.Object;

Then in the test you just call the GetLogger() method and Moq takes care of the rest for you:

 [Test()]
        public void LogFactoryLog4NetGetLogger()
        {
            var factory = LogFactoryLog4Net.GetLogger();
            var type = factory.GetType();
            Assert.AreEqual("Log4NetLogger",type.Name);
        }

Here is the full unit test for reference:

[TestFixture()]
    public class LogFactoryTests
    {
        public ILogFactory LogFactoryLog4Net { get; set; }
        public ILogFactory LogFactoryLogHelper { get; set; }

        public ILogFactory LogFactoryDefault { get; set; }

        [SetUp]
        public void Init()
        {
            var mock = new Mock<LogFactory>();
            mock.Setup(f => f.GetServiceName).Returns("Service Test");
            mock.Setup(f => f.GetLoggerType).Returns("Log4Net");
            mock.Setup(f => f.GetLogger()).CallBase();
            LogFactoryLog4Net = mock.Object;

            var mock2 = new Mock<LogFactory>();
            mock2.Setup(f => f.GetServiceName).Returns("Service Test");
            mock2.Setup(f => f.GetLoggerType).Returns("LogHelper");
            mock2.Setup(f => f.GetLogger()).CallBase();
            LogFactoryLogHelper = mock2.Object;

            var mock3 = new Mock<LogFactory>();
            mock3.Setup(f => f.GetServiceName).Returns("Service Test");
            mock3.Setup(f => f.GetLoggerType).Returns("INVALID");
            mock3.Setup(f => f.GetLogger()).CallBase();
            LogFactoryDefault = mock3.Object;
        }

        [Test()]
        public void LogFactoryLog4NetGetLogger()
        {
            var factory = LogFactoryLog4Net.GetLogger();
            var type = factory.GetType();
            Assert.AreEqual("Log4NetLogger",type.Name);
        }


        [Test()]
        public void LogFactoryLogHelperGetLogger()
        {
            var factory = LogFactoryLogHelper.GetLogger();
            var type = factory.GetType();
            Assert.AreEqual("LogHelper", type.Name);
        }

        [Test()]
        public void LogFactoryDefaultGetLogger()
        {
            var factory = LogFactoryDefault.GetLogger();
            var type = factory.GetType();
            Assert.AreEqual("LogHelper", type.Name);
        }

    }

Hope that helps someone, and thanks for reading!