What’s worth dying for?

Posted by kpeyton on November 6th, 2007

Dramatic title, huh? In all honesty though, what is worth dying for? Love? Yes. However, I suppose that depends on the type of love. For instance, I love my Garmin Nuvi, but there’s no chance in hell I’d risk my life for it. I’ve heard being a parent will instill a love in you so strong you’d consider dying for it. I wonder if that’s true.

Is a cause worth dying for? Would I sacrifice my life for a school bus of children? I think if I believed in something strongly enough, I’d be willing to die for it. I’m wondering what it would take. Would a moral choice be enough, or would it have to be something that simply made rational sense? I think a moral choice would be enough. Take a bullet for my brother? Ya, I’d probably do that. Save a school bus of children? Ya, I think I would.

I know, this is quite a morbid post, but it’s something I was thinking about and wanted to write down.  Who/what is worth dying for to you?

People I love:

Get involved

Posted by kpeyton on October 20th, 2007

I know it’s been a long time since I’ve written a post, but it’s because I haven’t had anything of value to say. Forgive me, I’m back again.

Of the many things I’ve learned at Viget, “getting involved” is probably the best one. The spirit of the development team and company at large has been, since I joined, to get involved in the community and make an impact. Those contributions to the community aren’t always efforts to benefit the company. More often than not, those attempts to contribute to the community are aimed at pleasing people.

I never thought I’d be one to blog, but when I was encouraged to and convinced by coworkers that even the smallest effort can help out, I started this blog.  Employees at my office have developed Ruby on Rails gems and plugins, given speeches at conferences and conventions, and regularly write informative posts which are aimed at helping the development community.  It’s this kind of action that really inspires me to want to contribute myself.

So what I say is: “Get Involved!”  Go out, give a talk on a subject you have some inside knowledge on, seek out a group or organization in need of help, build something useful to someone other than yourself, and spread the word that you are a contributing member of your field.  Your company will thank you for it, the community will thank you for it, and you’ll end up thanking yourself for it.

Safer Coding in Rails

Posted by kpeyton on June 17th, 2007

If you’ve ever done web development, you’ve probably installed and used the developer toolbar, an add-on for Firefox. That add-on is both helpful and convenient. However, the same tool can and does make exploiting vulnerable web applications extremely easy, and anyone with an intercepting proxy or a hand-written HTTP request can do the same thing without it: every name-value pair a form submits is under the client’s control, hidden fields included. The vulnerability I’m going to go over below can appear in non-Rails apps too, but it is a standing hazard in any Model View Controller (MVC) framework that binds request parameters straight onto model attributes.

The vulnerability lies in lazy programming, as most do. Careless use of update_attributes and new (mass assignment) is the main culprit here, but inattention to which attributes a given user should ever be able to set is just as much of a problem.

The developer toolbar’s “edit HTML” feature lets anyone modify the HTML on the page quite easily, adding bogus name-value pairs to a form or changing existing ones (including hidden fields and fields marked required). In most apps this isn’t a huge issue, because the values coming from the form are explicitly copied on the back-end, one by one, and an unexpected key is simply never read. In a Rails application, however, update_attributes() and new() are highly encouraged as ways to assign all of the form values in one swoop. This is very convenient, since dealing with each form value by hand leads to a lot of code and a huge mess; Rails keeps actions clean by pushing validation into the models. Everything works well until lazy programming kicks in and a user discovers that any column name they add to the form is assigned just like the legitimate ones.

Flags on a model which should only be settable by admins, or not settable from a form at all, need to be protected. That’s why Rails has a built-in method for this: attr_protected. Apply it in your model to the attributes you want updated only explicitly and you have a partial safeguard against this attack. If an extra key-value pair is passed (say “{admin => 1}”) and that column (“admin”) is listed in attr_protected, Rails drops that key from the mass assignment and sets the rest. Keep in mind that attr_protected is a blacklist: every column you add later is mass-assignable until you remember to list it. Its whitelist counterpart, attr_accessible, names the columns that may be mass-assigned and blocks everything else, so it fails safe when the schema grows and is the better default.

This solution works well if you have a system with only one level of permissions, where nobody ever needs to update that column through a form. However, most systems have some sort of admin account which should be capable of modifying any data in the system. In that case update_attributes can be paired with explicit assignment of the protected attributes when the current user has permission, but that muddies the action.

Bad:

def update
  @blog_post = BlogPost.find(params[:id])
  # Protected columns are copied by hand when the caller is an admin...
  if @current_user.is_admin?
    @blog_post.poster_id = params[:blog_post][:poster_id]
    @blog_post.is_active = params[:blog_post][:is_active]
  end
  # ...then everything else is mass-assigned and saved. attr_protected drops
  # poster_id and is_active from this hash, but the values set above persist.
  @blog_post.update_attributes(params[:blog_post])
end

A better solution is a replacement for update_attributes which still takes a hash of attributes to modify, but also takes a boolean indicating whether the protected attributes should stay protected for this call. The action stays the same size (assuming your account model has something resembling “.is_admin?”) while protected values are set only for callers who are allowed to set them.

A similar solution may need to be applied to the new() and create() methods if you use the format:

def create
  @account = Account.create(params[:account])
end

in your controller.

The solution which we came up with at Viget was a patch to ActiveRecord::Base. Code below written by Ben Scofield:

module AdminUpdateAttributes
  # allowed: whether this caller may set protected attributes.
  # params:  the attribute hash from the form (e.g. params[:blog_post]).
  def admin_update_attributes(allowed, params)
    if allowed
      # Bypass attr_protected by calling each setter directly. Note that this
      # calls whatever "#{k}=" method the key names, so only trusted callers
      # should ever reach this branch.
      params.each do |k, v|
        self.send("#{k}=", v)
      end
      self.save
    else
      # Normal mass assignment: protected attributes are dropped as usual.
      self.update_attributes(params)
    end
  end
end
ActiveRecord::Base.class_eval do
  include AdminUpdateAttributes
end

This solution allows us to write tiny actions in our controllers while handling admin permissions for updating protected attributes.

Good:

def update
  @blog_post = BlogPost.find(params[:id])
  @blog_post.admin_update_attributes(@current_user.is_admin?, params[:blog_post])
end

*A similar solution may need to be applied to the new(), create(), and attributes=() methods if you use them for mass assignment.
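As an added illustration (not code from the post or from Viget), here is the whole mass-assignment story in plain Ruby, with a small stand-in for the ActiveRecord behaviour of the time so it runs without Rails or a database: a blacklisted model (attr_protected), a whitelisted one (attr_accessible), the update_attributes path, the create path, and an admin_update_attributes that lets an admin through but only onto real columns, so a forged key cannot reach an arbitrary setter. The module and model names, their columns and the forged parameter hashes are all constructed for the example.

```ruby
# Added example (not the post's or Viget's code): a plain-Ruby stand-in for
# the Rails 1.2/2.0-era ActiveRecord mass-assignment rules, so the protection
# logic runs without a database. MassAssignable, BlogPost, Account, their
# columns and the forged parameter hashes are illustrative assumptions.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # In Rails the column list comes from the schema; here it is declared.
    # With no arguments, returns the declared column names.
    def columns(*names)
      return @columns || [] if names.empty?
      @columns = names.map(&:to_s)
      attr_accessor(*@columns)
    end

    # attr_protected: blacklist, listed columns are dropped from mass assignment.
    def attr_protected(*names)
      (@protected ||= []).concat(names.map(&:to_s))
    end

    # attr_accessible: whitelist, only listed columns may be mass-assigned.
    def attr_accessible(*names)
      (@accessible ||= []).concat(names.map(&:to_s))
    end

    def mass_assignable?(name)
      return false unless columns.include?(name)
      return false if @protected && @protected.include?(name)
      return false if @accessible && !@accessible.include?(name)
      true
    end
  end

  def initialize(attrs = {})
    self.attributes = attrs
  end

  # Submitted keys that were silently dropped by the protection rules.
  def dropped_attributes
    @dropped_attributes ||= []
  end

  # Mass assignment: unknown keys are ignored, protected or non-whitelisted
  # keys are dropped, everything else goes through the column's setter.
  def attributes=(attrs)
    attrs.each do |k, v|
      k = k.to_s
      next unless self.class.columns.include?(k)
      self.class.mass_assignable?(k) ? public_send("#{k}=", v) : dropped_attributes << k
    end
  end

  def update_attributes(attrs)
    self.attributes = attrs
    save
  end

  # The post's admin variant. When allowed, protected columns may be set too,
  # but still only real columns: a forged key such as "destroy" must not reach
  # an arbitrary `something=` method, which a bare `send` would permit.
  def admin_update_attributes(allowed, attrs)
    return update_attributes(attrs) unless allowed
    attrs.each do |k, v|
      k = k.to_s
      public_send("#{k}=", v) if self.class.columns.include?(k)
    end
    save
  end

  def save
    @saved = true # stand-in for the database write; truthy like ActiveRecord
  end
end

class BlogPost
  include MassAssignable
  columns :title, :body, :poster_id, :is_active
  attr_protected :poster_id, :is_active
end

class Account
  include MassAssignable
  columns :email, :password, :admin
  attr_accessible :email, :password # whitelist: admin is never mass-assignable
end

# Constructed sample input: what a user can submit after "edit HTML",
# including keys that were never in the rendered form.
FORGED_POST_PARAMS = { "title" => "Hello", "is_active" => true, "poster_id" => 1, "destroy" => true }
FORGED_SIGNUP_PARAMS = { "email" => "a@example.com", "password" => "hunter2", "admin" => true }

def update_post_as(is_admin, params = FORGED_POST_PARAMS)
  post = BlogPost.new("title" => "Draft")
  post.poster_id = 42 # protected columns are set explicitly, as the post advises
  post.is_active = false
  post.admin_update_attributes(is_admin, params)
  post
end

def signup(params = FORGED_SIGNUP_PARAMS)
  Account.new(params) # the Account.create(params[:account]) path from the post
end
```

Running update_post_as(false) leaves is_active and poster_id untouched and records both as dropped, update_post_as(true) applies them, and signup drops the forged admin flag because it was never whitelisted; in all three cases the "destroy" key goes nowhere because it is not a column.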

Customer Service

Posted by kpeyton on April 23rd, 2007

Love it or hate it, you’re probably going to have to deal with it at least once in your life (if not 100 or 200 times). Customer service is one of those mythical creatures that people usually group with paying taxes and/or cleaning the bathroom. You can do your best to avoid it by purchasing trusted products from trusted manufacturers at trusted locations, but sooner or later you’ll be confronted with this behemoth of a burden.

There are many forms of customer service. They sometimes come in the form of a phone call, sometimes an email, and sometimes even in person. From my experience, the larger the company you have to get in contact with, the worse the service. Sure, you may be served fast, you may be treated cordially, you may even *gasp* get a person who speaks English, but you will almost undoubtedly be blockaded from the truth behind your concern.

If you found an unwarranted charge on your credit card and contacted the suspected culprit (TiVo), you’ll probably get a run-around for at least 30 mins. If by then you aren’t thoroughly frustrated and ready to give up hope, you’ll be put on hold while the agent “looks something up.” If by then you still aren’t deterred from expunging the charge from your bill, you will probably have to argue with the agent over fault and what needs to be done to correct the problem. “Tom” from TiVo’s customer support will probably tell you that you were misinformed by “Sally” from technical support about how business is done. You’ll retort to “Tom” that it shouldn’t matter who you talk to at TiVo, you should get the same answer every time. He’ll apologize for the inconvenience and assure you they’ll do their best to prevent it from happening again, which we all know does nothing to quell your anger or prevent future mistakes.

One piece of advice I can give to aid you next time you have to weather the war that is customer service, is to not be afraid to ask for someone’s manager. Ask for names and take them down. Repeat what the agent says back to them and confirm facts. And last but not least, don’t get discouraged. You are the customer, you are always right, you make the rules.

Man Versus Beast

Posted by kpeyton on March 29th, 2007

To say this show was the most underrated TV show in existence might be an understatement. Man Versus Beast was undoubtedly one of my favorite shows on television. Where else can you see 40 midgets trying to pull a plane faster than an elephant, a chimpanzee race a marine through an obstacle course, or the world’s hot dog eating champion go toe to toe with a Kodiak bear? Rediscovering this show on the internet recently, I fell into a deep state of nostalgia.

Possibly the best part of the show is that the animals have zero idea they are competing in a race of sorts, but manage to nearly beat or blow away their human counterpart in each race. Nowhere is this more apparent than in the hot dog eating contest, in which the Kodiak bear looks around half of the time, sizing up the small Asian man as more of a meal than a competitor. It was/is a great show which really conveys the awesome power of nature.

If you feel compelled to research this show and come up with any more links to episodes, post them in the comments. Good luck, and may the best life-form win.

Beginning Ruby on Rails

Posted by kpeyton on March 27th, 2007

I was very hesitant when first introduced to Ruby on Rails (RoR or Rails) to commit to another web language/framework that wasn’t much like PHP at all. It’s a big commitment to learn a whole new language (Ruby) and a whole new well-structured framework (Rails) while at the same time keeping up on PHP and continuing to develop in both.

For all of those not familiar with Ruby on Rails, it’s becoming more popular by the day. Based around the relatively new concept of agile development, developers use short-term development cycles for fast results. Churning out iteration after iteration of code in quick terms allows project managers to quantify progress quickly, which in turn makes clients happy as well.

Not being much of a Java guy, even I could appreciate a statement claiming RoR could cut code to “1 line of Ruby for every 10 lines of Java”. Understandably though, I was skeptical when I heard some of the outrageous claims about RoR cutting development time by 80% of an equivalent development effort in PHP.

Well, it’s been about 4 - 5 months of serious development since my company decided to only start new projects in Rails and I have to admit I’m pleasantly surprised with the ease at which we have pieced together some great websites. Although we have a Rails core contributor working at our company, we’ve all come a long way in understanding and working toward writing better, more efficient, and more agile code.

Rails, I’m convinced now, does cut down on development time for websites that aren’t enterprise-size. But that decrease in time comes at a high overhead cost. To start with, learning a language as different from other common web programming languages as Ruby is will put you back on the level of a beginner (a beginner with a big intuitive advantage). Then, adapting to the Rails architecture isn’t exactly self-explanatory unless you’ve been working recently in a framework that follows the Model-View-Controller (MVC) concept.

My impression of Ruby on Rails has been a positive one so far and I hope to keep it a positive one in the upcoming months. If you too decide to give Ruby on Rails a shot and brave the confusion that is learning a new programming style, keep an open mind, stick to the Agile Programming principles, and be ready to develop at a faster pace than you ever have before.

My first post

Posted by kpeyton on March 27th, 2007

I feel productive and I haven’t even finished my first post yet. For all of you who know me as the blog-hating, anti-web-trend, fascist pig… (ok, well maybe not fascist), try and save the tar and feathering for my real blunders.

I haven’t decided what the purpose of this blog is yet, but I’m sure it will come to me as time passes. I imagine this is often how blogs start out, with someone who feels like they have something to tell the world, but just haven’t figured out quite what that is yet.

I’ll give it a shot, here goes nothing.


Copyright © 2007 startontop.com. All rights reserved.