It's been a while since I gave something away. I like to give things away, it makes me feel like I am doing something good for our community and, hopefully, for the receiving person. Today, I also want to do something for our veterans.
To start, I would like to give away a copy of ColdFusion Builder 1.0 (Preferably to someone who does not have it already).
I think ColdFusion Builder is a fantastic product. I use it every day and I love it. I use it at work, I use it at home. I recommend it to everyone. For this giveaway, I'd like to know, briefly, what excites you about ColdFusion Builder. Leave me a comment that tells me one or more of the following:
Sorry for the wait. I was delayed getting back from MAX due to weather.
I just got back from Los Angeles and I really had a great time. I was honored to have been asked to speak on Securing ColdFusion Applications, and I think the presentation went very well.
The recordings are up on Adobe TV already (Awesome). You'll find my recording here: http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/
I've been setting up our super-awesome new server this week and last night I ran into an issue that I thought I should blog about.
This is a Windows Server 2008 R2 64-bit machine with 8GB RAM and I am installing ColdFusion 9 running on Tomcat 6. And, as with everything Tomcat related, it was a pain in the ass and the documentation sucked.
To add Tomcat as a Windows service is pretty easy.
You just run:
For those that don't understand the notation above, CATALINA_HOME is the directory where Tomcat is. So in my case, we are going to N:\tomcat\bin and running service.bat.
This sets up Tomcat as a service, but by default it only gives it some tiny bit of memory to work with (256m or something, like it's 2002 again). So, of course, the moment I deployed a second instance of ColdFusion 9 on this container, I started getting "java.lang.OutOfMemoryError: PermGen space" errors.
Once a malicious user has discovered an XSS vulnerability in your web application, the sky is really the limit. The potential damage also goes beyond the scope of just your site and your users.
Here are a few examples of nefariousness that could be perpetrated via XSS in a website. A hacker could:
- use the credibility of your site to run a phishing scheme
- steal your users' passwords
- hijack your users' sessions
- try to launch an attack against the site administrator (you)
- redirect your users to another site (gambling, porn, Google, affiliate link, whatever)
- display inappropriate or misleading messages to your users
- anything else that could be done with client-side executable code
How would they do those things? It's actually quite simple.
Wow. Things have been busy and I have been neglecting my blog. I feel bad about that. My blog is so important to me, and things have been keeping me away.
I am a teacher at heart. I love to teach. That is why I blog, that is why I present at conferences, and that is why I am going to grad school. So the fact that I have been unable to blog for a while upsets me greatly. But I want to tell you a little bit about why. This is not about making excuses. This is about what is keeping me busy and what I am learning about. It will also motivate me to blog about these things, and that's the important part.
I keep forgetting to do this. Sorry :(
I have given three presentations so far this year, and I will have two or three more yet before the end of the year. Here are the slides for the first three in both Keynote and PDF formats.
One thing that has always bugged the crap out of me is our inability to add additional resource filters to the navigator view in Eclipse. Specifically, I mean these:
Resource filters are very useful little tools that hide anything matching the filter from the navigator view, which is great for things like .svn folders or any other crap you don't feel like you need distracting you at the moment, like when you want to hide all the images in a project so that it is not as cluttered. But for some reason, we have never been able to add our own filters. So I can't, for example, hide the stupid Settings.xml file that CFB likes to add to my projects, or the .settings folder. Grrrrr!!
A reader emailed me and asked:
I have a question re asymmetric encryption and the best way to achieve it....
I need to encrypt a CreditCard number on one server and store the encrypted string in a db and then 5 minutes later another server takes the card number off that DB and then needs to decrypt it. Any suggestions gratefully received :)
After an e-mail exchange we determined that we were NOT just talking about using SSL between ColdFusion and the DB and we determined that using a symmetric algorithm would not be acceptable to the credit card service. So it seems that this user really did need asymmetric encryption in his application.
A few weeks ago my buddy Pete Freitag posted his ideas for improving security for CF10 (link) (or whatever they call the next version of ColdFusion). I thought it would be a good idea to post my own ideas.
It's not that I disagree with any of Pete's ideas, I think they are great, I just thought a few more might be good, and I think some of my priorities might be different.