Category Archives: Blog Posts

Emergency Conference Speaker Required!

I had the slightly dubious privilege this week of standing in at the last minute as a speaker at a military conference on security in Prague.

On Tuesday at 4:30pm I found out that we needed someone to speak at a conference in Prague the next day… slightly foolishly I volunteered and 24 hours later I found myself presenting!

The conference was the “International Conference ITTE 2011 — Cyber Security and Defense” (http://www.afcea.cz/). My topic was “Open Source and Security: Engineering Security by Design” and I had to brush up a bit on the content as it’s not something I had ever presented on before.

Still, it went OK I think and I enjoyed my brief 24 hours in Prague — though not the 24 hours before, sweating and prepping for the talk and the panel discussion that followed afterwards.

Here are my slides: Open Source and Security: Engineering Security by Design

How to load balance TCP connections with HAProxy

This week I was at a client where we were doing some performance testing of the JBoss Enterprise Data Services product (EDS for short). EDS is based on the JBoss.org community project Teiid, a data virtualization system that allows applications to use data from multiple, heterogeneous data stores. It’s a really cool product if you have a lot of backend data sources and you want to expose a simplified virtual (SQL) database to your front end applications — and it runs within the JBoss application server, in our case the enterprise version, Enterprise Application Platform or EAP for short.

As we were doing performance testing we wanted to run EDS within a cluster of JBoss EAP nodes. Clustering EAP nodes is fairly straightforward: you can then set up a front end load balancer with Apache httpd, in my case the Red Hat product based on the Apache web server called Enterprise Web Server (EWS) together with mod_cluster, to cluster and load balance the application servers. This sort of clustering is fine if you want to replicate your applications and use distributed cache replication within the cluster, however the question was how do you load balance the ODBC and JDBC connections that EDS provides for the application tier? As these types of connections can’t be load balanced by the Apache Web Server we had to come up with another way to do this.

As we were at a very large enterprise client their initial suggestion was that we use a hardware TCP load balancer, however I was pretty sure this was a straightforward problem that must have been solved already and that a software based solution must exist… and lo and behold there is one and it is called HAProxy.

HAProxy is a really cool load balancer that is very powerful and flexible and also really easy to use, and it seems that not too many people are aware that it can be used to load balance ANY TCP connection. This blog post led me in the right direction, and in the spirit of trying to help all of you out there on the web here is my very short how-to and sample configuration for load balancing ODBC and JDBC connections — specifically for Teiid embedded in the JBoss Enterprise Data Services product.

First you need to get HAProxy. In my case I was running everything on RHEL so the easiest thing is to add the Fedora EPEL repository to your machine and then just do a “yum install haproxy”. You should now have haproxy installed on your machine — now you just need to configure and launch it!

So first the configuration. I’ve included a sample configuration file for 4 nodes, as I had two physical machines with 2 nodes running on each of them. The first node on each machine was running the default JBoss ports and the second was using ports 100 greater than the default. Here is my file:

You’ll notice that I also create a listener for stats on port 9090 — this means that you can have a nifty web stats page that you can view on http://<haproxyIP>:8080/haproxy?stats (username/password = admin/admin).
Now that we have HAProxy configured we just need to run it, in this case with “haproxy -f <config file> -V”. I used the verbose flag so that I could see what was going on but you may not necessarily want this for production.

Now just launch the stats page to see your nodes connected and you are up and running — don’t forget to configure the ODBC and JDBC listener sections to put your own ports to listen on depending on the setup you are going to use.
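
The author’s configuration file did not survive on this page, so here is an equivalent one written for this post as an added example (it is not the original file). It assumes two hosts at the documentation addresses 192.0.2.10 and 192.0.2.11, the Teiid default JDBC and ODBC ports 31000 and 35432 with the second node on each host 100 higher, and the stats listener on port 9090 as described above.

```haproxy
# Added example config, not the original post's file.
# HAProxy in TCP mode in front of four Teiid/EDS nodes, two per host.
# Host IPs and the Teiid ports (31000 JDBC, 35432 ODBC, +100 for the
# second node on each host) are assumptions: adjust to your setup.
global
    log 127.0.0.1 local0
    maxconn 4096
    daemon

defaults
    log     global
    mode    tcp                 # layer 4: JDBC/ODBC streams pass through unparsed
    option  tcplog
    retries 3
    timeout connect 5s
    timeout client  30m         # JDBC sessions can sit idle; keep this above the app's pool timeout
    timeout server  30m

# JDBC: clients connect to the proxy on 31000 and are spread across the nodes
listen teiid_jdbc
    bind *:31000
    balance roundrobin
    server host1_node1 192.0.2.10:31000 check inter 5s fall 3 rise 2
    server host1_node2 192.0.2.10:31100 check inter 5s fall 3 rise 2
    server host2_node1 192.0.2.11:31000 check inter 5s fall 3 rise 2
    server host2_node2 192.0.2.11:31100 check inter 5s fall 3 rise 2

# ODBC (PostgreSQL wire protocol): same pattern on 35432 / 35532
listen teiid_odbc
    bind *:35432
    balance roundrobin
    server host1_node1 192.0.2.10:35432 check inter 5s fall 3 rise 2
    server host1_node2 192.0.2.10:35532 check inter 5s fall 3 rise 2
    server host2_node1 192.0.2.11:35432 check inter 5s fall 3 rise 2
    server host2_node2 192.0.2.11:35532 check inter 5s fall 3 rise 2

# Stats page (HTTP mode) on 9090 as in the post. Bind it to an admin
# address rather than every interface, and replace the placeholder
# password: leaving admin/admin in place exposes node names and addresses
# to anyone who can reach the port.
listen stats
    bind 127.0.0.1:9090
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    stats auth admin:CHANGE_ME_PLACEHOLDER
```

The `check` options mark a node down after three failed TCP connects and bring it back after two successes, which is what makes a node restart during testing invisible to the JDBC clients.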

Oh and by the way, the performance testing we did showed that Teiid is amazingly performant!

Cheap And Easy Cloud Cracking On The Way

Amazon recently announced a new instance type for their EC2 cloud service that they call the Cluster GPU, which has an impressive spec:

  • 22 GB of memory
  • 33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core “Nehalem” architecture)
  • 2 x NVIDIA Tesla “Fermi” M2050 GPUs
  • 1690 GB of instance storage
  • 64-bit platform
  • I/O Performance: Very High (10 Gigabit Ethernet)

The really interesting part that has got a lot of people interested is the fact that it has two high-powered graphics cards which can be used to do massively powerful parallel computing. Now there are many potential applications for these GPUs — image and video processing, computational biology and chemistry, fluid dynamics simulation, CT image reconstruction, seismic analysis, ray tracing and so on. But what really interests me is the possibility of using these GPU instances for password cracking.

It’s now well known that using a GPU to crack passwords can reduce the time required from something like 2 months to 3 days, but what happens when you throw one of these new Amazon instances at the problem? And what if it’s not just one instance but a cluster of them that is used to do the massively parallel computation? The sheer computing power that even a small cluster of these machines has available would make short work of cracking all sorts of passwords. Some that come to mind are:

  • System password files which use the MD4, MD5, NTLM or SHA1 algorithms.
  • WPA-PSK or WPA2-PSK network passwords (WEP is already trivial to crack).
  • Password protected RAR or ZIP files.
  • Password protected Microsoft Office or Open Office files.
  • Password protected PDFs.
  • Encrypted disks.

Some people have already tested these GPU instances to crack password hashes, and Pyrit (which can be used to crack WPA/WPA2) has been tested on it. The performance of a single instance is impressive, and so is the cost ($2.10 for an hour). Just a few years ago this kind of computing power was only available to organisations that had a large amount of resources such as governments, large corporations and a few universities and research organisations. Now anyone with a bit of technical knowledge and a credit card has access to it.

It’s only a matter of time before someone uses a cluster of these instances in anger to start cracking passwords; in fact I’m sure someone already is. How long will it be before someone releases a commercial service based on this platform?

The only commercial service for password cracking that I’ve found so far is WPA Cracker, who claim to have a 400 CPU cluster, however a service that uses a few EC2 GPU instances could blow away the performance of WPA Cracker. We could soon start to see passwords being cracked in just a few minutes with a large enough cluster. I wouldn’t be surprised if before long someone sets up a service like this which integrates nicely into BackTrack or some other wi-fi sniffing software that grabs the required wi-fi packets and uploads them to an EC2 cluster that cracks the password in a few minutes.

All of this is a very strong argument for using longer and more complex passwords that are less vulnerable to dictionary and brute force attacks, and one more reason not to assume that your wi-fi network is secure because you are using WPA or WPA2 instead of WEP.

Do Cameroonian ISPs care about their customers?

I wanted to investigate the typical experience of a Cameroonian Internet user while visiting the websites of the major Internet Service Providers (ISPs). I figured that the time and energy a company puts into optimising their website for slow connections might indicate how focused they are as a company on their customers. After all, if ISPs know what bandwidth they are giving their customers then surely they will have optimised their sites to work well on those connections?

In addition I hope that this post will highlight the fact that you must optimise your site for low-bandwidth users, especially if you operate in countries with poor Internet connectivity. In fact it’s not too hard to do these days if you take a few simple steps, but first you need to be aware of the issue.

Having lived in Cameroon for the last two years I’m more than familiar with surfing on a poor, unreliable connection and it staggers me that so few Cameroonian companies have made an effort to improve the user experience for the majority of people who visit their websites over these slow connections. Internet users in Cameroon either have their own 128 kbps “broadband” connection or they are at an Internet café that shares a slow connection between its users (who are all on Facebook and YouTube competing for the bandwidth available). Some are using USB dongles to access mobile data networks, but as none of the operators have a 3G licence users are stuck at slower GPRS speeds with patchy coverage.


The ISPs

The major ISPs in Cameroon today are:

  • Camtel — the state-owned incumbent, which has a monopoly on all the fibre in the country and on the SAT3 cable; all other ISPs must buy bandwidth from Camtel. Camtel provides Internet access via ADSL or wirelessly using CDMA.
  • MTN — the mobile operator with the largest market share, providing Internet through GPRS, wireless hotspots and WiMAX.
  • Orange — the second largest mobile operator, providing Internet through GPRS and WiMAX.
  • Ringo — they claim to have more bandwidth available than their competitors (apart from Camtel). Ringo uses proprietary SCDMA based McWill technology from XinWei in China and has also started to provide wireless hotspots in the major cities.
  • Matrix Telecoms — an ISP using wireless technology to provide access.
  • Creolink — uses cable to provide access to their customers.

I’ve tried to summarise the cheapest options for consumers from each of these ISPs in the table below.

As you can see 128 kbps is pretty typical; even if some providers claim to have faster speeds, the actual speed is closer to 128 kbps in real world conditions. Price wise they are all pretty similar, though it’s quite a difference from the prices we are used to paying in Europe! For example, from Virgin in the UK you can pay €15 a month for a claimed 10 Mbps.


Analysis and Results

So given all of this I thought I would do a comparative analysis of the major Cameroonian ISPs’ websites to see how they actually fared on a typical 128 kbps connection. I used a combination of pipes and the ipfw command on my Mac (for bandwidth simulation), the Page Speed/YSlow plugins for Firefox and the developer tools in Google Chrome to measure the page load results. The tools and approach weren’t totally scientific but they give a pretty good indication of real performance. If you are interested in running this test yourself, Aptivate have a great blog post on how to do this. The metrics I measured were:

  • Page load time, empty cache and primed cache
  • Page size, empty cache and primed cache
  • Number of HTTP requests, empty cache and primed cache
  • Page Speed score
  • YSlow grade

The table below details the results.

Website | Page load time | Page size | Number of HTTP requests | Page Speed score | YSlow grade
--- | --- | --- | --- | --- | ---
http://www.matrixtelecoms.com/ | 15s / 4.5s | 587K / 6.9K | 30 / 2 | 86 | 88
http://www.camtel.cm/ | 25s (50s) / 6s | 339K / 0.0K | 22 / 22 | 87 | 84
http://www.mtn.cm/ | 28s / 7s | 191K / 41.6K | 20 / 20 | 76 | 80
http://www.orange.cm/ | 44s / 10s | 424K / 37.7K | 56 / 56 | 75 | 81
http://www.ringo.cm/ | 66s / 9s | 746K / 10.9K | 69 / 69 | 65 | 66
http://www.creolink.cm/ | 66s / 21s | 2171K / 96.8K | 123 / 108 | 70 | 65

A comparison of website performance of the major ISPs in Cameroon over a simulated 128 kbps connection.
Note 1: Where two figures are given they are for the scenarios of an empty cache and then a primed cache.
Note 2: Page Speed and YSlow scores are out of 100.
Note 3: When the cache is empty both the Camtel and Creolink sites load in the time stated but keep loading Flash content in the background, consuming further bandwidth.
Note 4: The Ringo site had 26 broken links or errors that keep the browser trying to render long after the page was loaded.
Note 5: Though the HTML of the Creolink site loads quickly, Flash keeps the page loading until it has downloaded over 2 MB of content.

On the whole the results are pretty disappointing and show just how out of touch with their users the ISPs really are. Matrix does best with a page load time of 15 seconds, which is not too bad but still leaves room for improvement: in comparison it takes 10 seconds to load www.google.cm’s 174K page when the cache is empty and 1 second when primed. The results for the other websites go from bad to worse to incredible!

What is really frightening about these results is that the slowest loading sites took nearly a minute or more; surely none of their customers spend that long waiting for the sites to load, or much time browsing their pages. The big culprit in all of this is of course Flash! As far as I’m concerned it just isn’t a technology that should be used on websites, especially in low-bandwidth situations. Usually in countries where bandwidth is very low the PCs being used to access the Internet are old and slow, and Flash causes even more problems as it hogs the CPU: a double whammy of user pain.

Flash is used on these sites to promote the ISPs’ products, however because the pages take so long to display the user has usually moved on by the time they load, so they don’t even achieve the aim that justified Flash in the first place.

One interesting point to note is that though MTN’s site is relatively small in comparison to some of the other sites, with very few HTTP requests, it still takes a long time to load because it redirects the browser several times, which significantly increases the total time it takes to load the page.

All the sites tested could improve their page load times by taking the steps recommended by the Page Speed and YSlow plugins, removing errors and broken HTML and, most of all, removing Flash.


Conclusion

In conclusion we can see that most Internet Service Providers in Cameroon seem to be out of touch with their customers and pay little attention to the user experience on their websites, AND Flash is very bad in low-bandwidth situations!

Does a website reflect a company’s treatment of their customers in real life? I’m curious to hear what your experience is, please leave a comment below.

How to Optimise WordPress Performance for Search Ranking

Google says that they use the performance of your website as part of your search ranking:

You may have heard that here at Google we’re obsessed with speed, in our products and on the web. As part of that effort, today we’re including a new signal in our search ranking algorithms: website speed. Site speed reflects how quickly a website responds to web requests.

Speeding up websites is important — not just to site owners, but to all Internet users. Faster sites create happy users and we’ve seen in our internal studies that when a site responds slowly, visitors spend less time there. But faster sites don’t just improve user experience; recent data shows that improving site speed also reduces operating costs. Like us, our users place a lot of value in speed — that’s why we’ve decided to take site speed into account in our search rankings. We use a variety of sources to determine the speed of a site relative to other sites.

Here are more good reasons why speed matters:

Speed is among the most significant success factors web sites face. In fact, your site’s speed directly affects your income (revenue) — it’s a fact. Some high traffic sites conducted research and uncovered the following:

  • Google.com: +500 ms (speed decrease) -> –20% traffic loss [1]
  • Yahoo.com: +400 ms (speed decrease) -> –5–9% full-page traffic loss (visitor left before the page finished loading) [2]
  • Amazon.com: +100 ms (speed decrease) -> –1% sales loss [1]

A thousandth of a second is not a long time, yet the impact is quite significant. Even if you’re not a large company (or just hope to become one), a loss is still a loss.

So how do you speed up your WordPress website to get that extra edge in search rankings and give a better experience to your users? Well, you install a caching plugin of course! However not all caching plugins are created equal. For years WP Super Cache has been my weapon of choice because it is simple to install, very fast and is being constantly developed and improved.

One thing always annoyed me though: when I ran any of the performance analysis plugins like Page Speed and YSlow in Firefox or the built-in WebKit developer tools in Chrome and Safari, my sites still weren’t scoring top marks even though caching was fully on. This really bugged me as I’m such a perfectionist! I just hated to see those red results in the Page Speed report.

Some of the things that always came up when I looked at the generated reports included:

  • Make fewer HTTP requests
  • Add Expires headers
  • Compress components with gzip
  • Make JavaScript and CSS external
  • Use a Content Delivery Network (CDN)
  • Configure entity tags (ETags)
  • Use cookie-free domains

When I finally came across W3 Total Cache I knew I’d found the solution to all of this. After making the switch from WP Super Cache to W3 Total Cache I know I’ll be doing this for all WordPress implementations I do in the future. Don’t get me wrong though, for a simple low traffic site WP Super Cache is probably the way to go every time for its simplicity and the lack of technical skills required to install it and get it up and running. However if your site has a lot of traffic or you want to improve your website’s performance by an order of magnitude then I would recommend switching to W3 Total Cache. It requires a little bit more technical knowledge, but it is well worth it.

We were running WP Super Cache (fully optimised) on our site limbelabssolutions.com before switching to W3 Total Cache; the stats below speak for themselves.

 | Page size (bytes) | Total requests | Grade (0–100) | Load time (ms)
--- | --- | --- | --- | ---
Before | 238781 | 24 | 75 | 1960
After | 182121 | 12 | 94 | 1299

This could make all the difference to your server if you get a lot of traffic or want to be prepared for a sudden spike in traffic, and of course improve your search ranking at the same time.

Here are the steps I recommend you take before installing W3 Total Cache, including some gotchas to watch out for.

  • Benchmark your site before, during and after to understand the impact of your changes. There are many tools out there that you can use. I would recommend a combination of the following:
    • Use Google Webmaster Tools; they have some nice stats on crawling your site, page load times and page sizes.
    • Use the Page Speed and YSlow plugins for Firefox to profile your site.
    • Safari and Chrome have a great WebKit profiler built into the developer menu.
    • There are some online tools that you can use; some I like are www.showslow.com, www.webpagetest.org and tools.pingdom.com.
  • Remove all existing caching plugins AND delete them. I didn’t do this and it caused me endless problems until I realised what was going wrong.
  • Install the W3 Total Cache plugin; comprehensive instructions are here. Read them before you start as there are a few extra essential steps that differ from the norm and they will throw you if you don’t RTFM. Here’s a good tutorial on how to do it.
  • I used our own simple Content Delivery Network, which was very easy to set up (see the tutorial link above). One comment I would make on the CDN is that I wouldn’t host your minified CSS/JS on the CDN as they aren’t gzip compressed when served up; if you keep them on your main site then W3 Total Cache will serve them gzipped. I’m running all this in a shared hosting environment; if I had a dedicated server I would have more control. You will also need to set your WordPress cookie domain in your wp-config.php file if you use this setup.

So there you have it, definitely use W3 Total Cache over WP Super Cache if you want to get that extra edge. However it is a bit more complicated to install and keep running.

tenfourty.com on the Way Back Machine

When I was thinking of what this site used to look like I thought of the Internet Archive’s Way Back Machine and, funnily enough, I found tenfourty.com on it. Who would have thought that a lowly personal site would have a snapshot kept for posterity, hardly worth keeping around I would have thought.

It seems that the 29th of June 2006 was the last time there was content on the site. I’m sure I have some backups of all those old posts — should I try and resurrect them?

Relaunching tenfourty.com

This is my first blog post in quite some time. I used to have a personal website and blog on tenfourty.com quite some time ago, but I got really busy at work and stopped updating it before eventually taking it down when the content got incredibly stale. Since then my personal domain, tenfourty.com, has been empty for years, not even a placeholder. I’ve recently had a bit of free time so I thought I would set up a simple site using WordPress.

I probably won’t update the site too often so please don’t be disappointed if I don’t blog too much, however it is here and I guess I will occasionally write stuff or update the site.

You can read more about me, or view my CV (dynamically updated from my LinkedIn account).