February 3rd, 2009 · No Comment
There is a big push by every company to go “green”. The initiative started with the rising energy prices. Another reason for the effort is to reduce pollution and waste. Nowadays, it looks like the overall purpose for this push is to improve public relations and corporate image.
IT is certainly the first (and best) place to start for going green. The savings are easily measurable and the latest technology allows the reduction in expense.
Shared Services
This model works best when a company has divisions around the globe. A centralized data center, with excellent resources, needs to be chosen to handle the IT needs of the regional offices. The consolidation includes servers and experienced IT teams. With one data center, IT will save money by cutting the expenses of maintaining multiple sites.
Professional Open Source
Many of the open source products out there are excellent. The support of the community made them a valuable source of technology. The cost of open source software is free to begin with, so comparatively, building a professional version of it will cost much less than a proprietary one. The value in professional open source is in the tech support, which is the main reason a company purchases an Enterprise product.
Virtualization
With increasing CPU power, and decreasing prices for memory and hard drives, building a powerful server is easy and affordable. Hardware capabilities have now outpaced the software requirements. Modern operating systems are now able to “virtualize”, or carve out sub-sections, within the same hardware, to multiple software applications. In a data center environment, the reduction in server hardware will be apparent by cutting power, rack space, and licensing requirements.
SaaS
Software as a Service (SaaS) is valuable when IT resources are severely limited. One example is outsourcing to a company that does e-mail newsletters. For a company to run an in-house mail server, it will require a lot of resources. Running bulk mailing lists through it will burden the infrastructure even more, possibly running the risk of an outage. Outsourcing the software will also off-load the hardware, as well as the manpower to maintain it.
The real benefits are to cut costs, reduce duplications, and streamline processes. These should be standard operating procedure for every company. Whether or not these steps are considered “green” is a matter of opinion, but everyone needs a renewed purpose to refocus on saving money. It’s especially relevant in this slumping economy. Going green is a great idea – only if it’s implemented efficiently, without much bureaucracy, paperwork, and politics.
Posted in Business Process
January 27th, 2009 · No Comment
I’ve described a way to install a self-signed SSL certificate using OpenSSL for testing purposes. When connecting to a web server using a web browser client, it is straightforward to add the “fake” certificate (just follow the instructions on the browser screen). However, in a Java application, it’s a little bit more work.
The procedure is the following:
- Obtain the SSL certificate from the website administrator. Alternatively, use the browser:
  - Browse the URL, for example: https://www.testmachine.com
  - When the security window popup appears, just click ‘continue’.
  - The browser has an option to view the certificate. With Internet Explorer 7, there’s a “Certificate Error” button next to the Address Bar. Press that and view the certificate. With Firefox, click on the yellow lock at the bottom of the screen.
  - Go to the Details tab.
  - Click on “Copy to File”. In Firefox, click on the “Export” button.
  - Save the file as “website.cert”
- Copy the cert file to where the Java client is going to be executed.
- Go to the JRE (Java Runtime Environment) library under lib/security, for example: /usr/local/jdk_1.4.3/jre/lib/security/
- The certs are stored in a file called “cacerts”.
- Run the keytool app to import the “website.cert” file that was exported earlier from a web browser:
  keytool -import -alias websiteAlias -keystore cacerts -file website.cert
- Enter the default password: changeit
- Check the content of the new “cacerts” file using:
  keytool -list -keystore cacerts
- Test it. If it’s a web container (e.g. Tomcat), restart the JVM.
The Webapper site has short Java client test code, and a quick procedure to compile and run a client to test it.
Posted in Software
January 21st, 2009 · No Comment
The whole idea of outsourcing is to cut cost while staying competitive. This is especially true with offshore outsourcing, where labor is cheap. I suppose there are a lot of reasons to blame the domestic American labor force, such as the worker’s union, high standard of living, or high medical and legal costs. While this might be true for blue collar jobs, outsourcing the ones that require more specialized skills (like Information Technology) doesn’t make sense.
American IT workers are specialized and skilled workers. They’re smart and creative people. They’re also hard working. They are extremely loyal if the companies treat them right.
But is all that worth sacrificing for the sake of cutting expenses?
Let’s take as an example an offshore IT worker being paid $20/hour. He does a good job. Problem is, he’s now a hot commodity, so he won’t work for less anymore. He’ll move on to the highest bidder.
So, let’s hire another offshore IT worker being paid $20/hour. Now, the company has to waste time while he’s learning the ropes (or “ramping up”). It’ll cost additional money in delayed projects, missed deadlines, high stress, and low morale. Does he even have the same quality as the first one?
If yes, then we’re back to the guy looking for greener pastures.
If no, then we’re in a sink hole. A company then needs to hire another candidate (or two) to help complete the project.
Offshore turnover rate for IT workers is bad. It also applies to non-IT workers.
Some companies have thought about offshoring to other countries with “emerging” skilled workers, such as China and Vietnam. But those places are not any better, since China and Vietnam lack communication skills, mainly with the English language.
They’re also not up-to-date with technology due to export controls and lack of relevant education. They’re trying to catch up by educating recent graduates in emerging technologies. But it might be too late. The market is being flooded with new graduates in the same field. Also, the job market is now in a slump due to the worldwide recession.
So what’s the best move now?
Stay home. In-source. On-shore.
Nowadays, a lot of people are out of work, and they include skilled IT workers. This is a great time to hire them at a competitive rate — possibly even cut rate! Local IT workers are willing to work, and ready for the long term commitment. Companies just need to step up and keep America working again!
Photo Credit: Tobi 2008
Posted in Business Process
January 16th, 2009 · No Comment

Incorporating the use of the Secure Socket Layer (SSL) library is straightforward with Apache web server. This is the library I always use for all of my Apache web server installations. From one robust open source software to another, they’re a perfect fit. They make deployment quick and easy. Here are the steps for Apache HTTP and OpenSSL:
Compilation
Assuming the OpenSSL installation in /usr/local/ssl, the Apache web server source code compilation will require the configure option:
--enable-ssl --with-ssl=/usr/local/ssl
I use the following:
./configure --prefix=/usr/local/apache2 --enable-ssl --with-ssl=/usr/local/ssl
Then just run:
make install
On Unix platforms like Solaris and Linux, the configure and compilation should work without a hitch.
Configuration
Go to the configuration directory and edit the httpd.conf file (in my example /usr/local/apache2/conf) and uncomment this line:
include conf/extra/httpd-ssl.conf
Then proceed to the /usr/local/apache2/conf/extra directory and edit the httpd-ssl.conf:
- Specify the machine’s IP address to “listen” on port 443. Specifying an IP address is useful if the machine is multi-homed (multiple IPs configured).
- Ensure the Signed SSL Certificate is on this machine. Store it in /usr/local/apache2/conf/www.website.com.cert pathname. It can be anywhere that’s accessible from the web server level.
- The SSL key for the host needs to be available also, and stored in the same /usr/local/apache2/conf directory.
- For the <VirtualHost> tags, replace _default_ with the IP address. The result may look something like this:
<VirtualHost IPAddressNum:443>
    ServerName www.website.com
    SSLEngine On
    # Note: ALL keeps LOW, 40-bit EXP and SSLv2 suites enabled; the +LOW/+SSLv2/+EXP
    # entries only move them to the end of the list. Restrict the string
    # (for example HIGH:!aNULL:!MD5) on anything beyond a test server.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache2/conf/www.website.com.cert"
    SSLCertificateKeyFile "/usr/local/apache2/conf/www.website.com.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache2/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
References
Further options and settings for SSL are available from the Apache.org site:
Posted in Software
January 13th, 2009 · 2 Comments
The use of Secure HTTP (or HTTPS) is essential to avoid getting my browser communication hijacked, or hacked. For savvy web users, browsing a site with HTTPS is a must to protect login and other private information. As a Web Application administrator, the way to accomplish this is to use the Secure Socket Layer (SSL) library in combination with an Apache web server.
The widely used SSL library is OpenSSL. It’s constantly updated, and it’s freely available. I use it because it also compiles well on Linux and Solaris operating systems. The source code is portable and has been tested in many flavors of Unix. A Windows install is available also. Compiling the source code is as straightforward as running the “configure” script and then “make”. The default install for OpenSSL is usually in the /usr/local/ssl directory.
Once installed, the first step is to create a Key Pair:
/usr/local/ssl/bin/openssl genrsa -des3 -rand <anyfile1>:<anyfile2>:<anyfile3> -out www.website.com.key 1024
- The anyfile1, anyfile2, or anyfile3 can be any file in the system. There has to be at least one file specified.
- Specifying a pass phrase is required in this case. But for convenience, I might opt to do it without specifying a password. To disable the password prompt, remove the “-des3” option.
Next create a Certificate Signing Request:
/usr/local/ssl/bin/openssl req -new -key www.website.com.key -out www.website.com.csr
Fill in the requested information. At the end of the questionnaire, a “challenge password” is usually not required.
Submit the CSR to a CA such as Thawte or Verisign. After payment is processed, they will send an email with directions on how to get the certificate file. It might require cutting and pasting the cert code into a file, usually with a .crt or .cert suffix (such as www.website.com.crt).
For development or QA environments, where a valid signed certificate is not required, I can create a self-signed one. To create a “fake” (aka Snake Oil) certificate, use the following:
/usr/local/ssl/bin/openssl x509 -req -days 999 -in www.website.com.csr -signkey www.website.com.key -out www.website.com.cert
Both the cert and key files are required for the web server. I’ll cover Apache web server installation in the next post.
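Before handing the two files to a web server, it is worth confirming that the certificate was really issued for that key and is not about to expire. The script below is an added example, not part of the original post: it runs the three steps above non-interactively and then checks the result. The function names, the -subj value and the 2048-bit key size (instead of the 1024 used above, which is no longer considered adequate) are assumptions of this example, and it expects an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example; the helper names are hypothetical, not part of OpenSSL.

# make_test_cert DIR CN
# Key, CSR and self-signed certificate as in the steps above, but with no
# -des3 pass phrase and the subject supplied through -subj (no questionnaire).
make_test_cert() {
    dir=$1 cn=$2
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr" &&
    openssl x509 -req -days 999 -in "$dir/$cn.csr" \
        -signkey "$dir/$cn.key" -out "$dir/$cn.cert" 2>/dev/null &&
    chmod 600 "$dir/$cn.key"   # unencrypted key: keep it readable by its owner only
}

# cert_matches_key CERT KEY
# Succeeds only when the certificate and the private key carry the same
# public key; returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds when CERT is still valid and will not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Usage:
#   make_test_cert /tmp/certs www.website.com
#   cert_matches_key /tmp/certs/www.website.com.cert /tmp/certs/www.website.com.key
```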
Posted in Software
The talk around Twitter right now is the phishing scam via Direct Message, as reported by many including Read Write Web, Mashable, and Chris Pirillo. The victims include the Twitter accounts of Barack Obama, Fox News, Britney Spears, and Rick Sanchez of CNN. Getting their Twitter accounts hacked is a potential public relations nightmare. The bait was a simple message directing recipients to a fake Twitter login page, where they were asked to enter their Twitter passwords. Unsuspecting users went ahead and entered their information. A similar trick has been done in e-mail for the longest time using pages that looked like eBay, PayPal, or a banking site.
I get similar complaints with the websites that I maintain. What can server administrators do to figure out who’s behind these attacks? Here are the steps I take:
- Ask the business or customer when the suspected hack happened. Find out the exact date and time, if possible.
- Comb through the web server logs to find the IP addresses of the hackers using the date and time range reported by user. For example, in Apache HTTPD, the file is normally called “access_log”.
- Most hackers try multiple times, in quick succession. In this case, running the web logs through an analyzer like Webalizer or Awstats will reveal the IP address with the most hits, within a specified time range.
- Find out who the IP belongs to using tools like dig or nslookup.
- Report the offending IP address to the Internet Service Provider (ISP) as indicated by the lookup tool. It can be done via email to postmaster@<isp.name> or abuse@<isp.name>.
- Depending on the severity, a fax or a phone call to the ISP may be required. This is usually done when the hacking continues and there’s no indication of the ISP intervention to stop it.
- Start using the web server IP filtering features to blacklist the offending IPs. For example, in Apache it can be done via Deny directive for doc-root in httpd.conf or .htaccess file.
- For known hackers’ IP addresses, make it permanent by blacklisting them at the firewall or router level.
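The log-combing steps above, as an added example that is not part of the original post: a shell script that counts hits per client IP inside the reported time window of an Apache access_log and prints a Deny line for the busiest addresses. The function names, the /login path and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rank client IPs by hits inside a reported time window of an
# Apache access_log. Timestamps are compared as logged (UTC offset ignored).

# hits_in_window LOGFILE START END [PATH_PREFIX]
# START and END are YYYYMMDDhhmmss. Prints "count ip" lines, busiest first.
hits_in_window() {
    awk -v start="T$2" -v end="T$3" -v path="$4" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        {
            # $4 looks like "[06/Jan/2009:14:02:11"; build a sortable string key.
            if (split(substr($4, 2), p, "[/:]") != 6 || !(p[2] in mon)) next
            key = "T" p[3] mon[p[2]] p[1] p[4] p[5] p[6]
            if (key < start || key > end) next
            if (path != "" && index($7, path) != 1) next
            hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# deny_lines LOGFILE START END MIN_HITS [PATH_PREFIX]
# Emits an Apache "Deny from" line for each address with at least MIN_HITS hits.
# Only values that look like IP addresses are written out.
deny_lines() {
    hits_in_window "$1" "$2" "$3" "$5" |
        awk -v min="$4" '$1 >= min && $2 ~ /^[0-9A-Fa-f:.]+$/ { print "Deny from " $2 }'
}

# Constructed sample log (documentation address ranges, made-up requests).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [06/Jan/2009:13:58:40 -0800] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [06/Jan/2009:14:02:11 -0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Jan/2009:14:02:12 -0800] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [06/Jan/2009:14:02:13 -0800] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [06/Jan/2009:14:03:05 -0800] "POST /login HTTP/1.1" 200 2210
203.0.113.7 - - [06/Jan/2009:14:02:15 -0800] "POST /login HTTP/1.1" 200 2210
192.0.2.10 - - [06/Jan/2009:14:04:30 -0800] "GET /about.html HTTP/1.1" 200 880
203.0.113.7 - - [06/Jan/2009:14:31:02 -0800] "GET /account HTTP/1.1" 200 3120
EOF
}

# Demo on the sample log: hits on /login between 14:00:00 and 14:10:00.
demo_log=$(mktemp) && write_sample_log "$demo_log"
hits_in_window "$demo_log" 20090106140000 20090106141000 /login
deny_lines "$demo_log" 20090106140000 20090106141000 3 /login
rm -f "$demo_log"
```

The Deny lines are candidates for review before they go into httpd.conf or .htaccess; a busy proxy or office gateway can top the list as easily as an attacker.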
Users do get complacent with their username/password. They type (or even share!) passwords to others without thinking twice. With more and more sites requiring a login, it’s easy to forget about checking the legitimacy of the page presented on the web browser. Proactively, the web applications need to be modified to prevent login hacking such as:
- Using Secure Socket Layer (SSL). Most phishing sites will not bother with SSL because of the cost involved. If logins are not done securely, users need to be extra careful.
- Using OpenID, the open standards user login. A site needs to be registered with OpenID to be able to use this service. This removes the guesswork if the site is legitimate or not.
Hopefully the word is out for both users and web developers, to do whatever is required to secure login passwords.
Image Credit: Ashenzil
Posted in Software
December 30th, 2008 · No Comment
I’ve been using Twitter for a while now, and I’ve used it mainly to connect with friends, bloggers, and geeks alike. Although it’s not ubiquitous, it is slowly becoming more and more popular among celebrities, scholars, politicians, and journalists. As more people are starting to spotlight Twitter, it’s inevitable that the marketplace is also starting to take advantage of it. Businesses are starting to pay attention to it. There are successful companies on Twitter, such as Zappos, Southwest Airlines, and Comcast. However, since Twitter is such a new medium, most companies don’t know where or how to start.
I maintained marketing web sites for more than 11 years. I learned the process a company must follow to succeed in marketing their product on the Internet. Twitter’s approach to product marketing is fundamentally similar to a web site promotion, with a few unique differences:
Preparation
- Have management, or executive level approval. It will serve as insurance, or due diligence, if you will, in case something goes wrong and the finger-pointing starts.
- Form a social media committee. Choose the right people to handle Twitter updates. If possible, choose folks who understand Internet Social Media.
- Set an engagement policy. Everyone must be clear on what information (and when) to share with the public.
- Have a direct lifeline to the support teams, both technical and business, to escalate difficult questions. These questions need not be handled on Twitter, but can be taken offline via phone, or e-mail.
Execution
- Create a professional looking Twitter profile. Update the Twitter profile’s background picture to include company logos, or brand images.
- Twitter updates (or tweets) must contain only useful information. Tweets must have value. A good example is OC Register’s @ocreggie. They hand picked the articles posted on Twitter. The human attention to detail is important.
- Start slow, and do not rush into getting thousands of followers right away. Followers will come when they see the company’s updates are important to them.
The above are steps in the right direction for a business to adopt Twitter as its new communication and customer service tool. There are other suggestions on how companies can succeed with Twitter. There are also questions to ask if Twitter is right for corporations. Either way, when business takes Twitter seriously, it will reap the benefits, and work out the disadvantages. As long as it focuses on providing creative and valuable information, using Twitter is going to feel natural and easy.
Posted in Business Process
December 24th, 2008 · No Comment
Storage technology has come a long way. Back in the 90’s, I used to install 20 MB hard drives that cost hundreds of dollars and weighed a ton. Now, hard drives are cheap and capacity has broken the terabyte barrier! The next step in storage technology is in solid state drives, using flash memory chips. Toshiba announced the 512 GB Solid State Drive (SSD) for Notebook computers, game consoles, or other home electronics. It’s definitely good for lightweight Internet Notebook computers, or Netbooks. Planned mass production is slated for April-June 2009.
Solid State Drives are good for IT support in many ways:
- No moving parts. It means better reliability: Less prone to crashes due to shock or mishandling.
- Replacement is safe and easy: just unplug and play. I suspect it may require the device to be turned off first before removing it. Otherwise, a device with SSDs will need mechanisms to handle hot swapping, either by doing graceful stand-by or friendly warning screen.
- Low energy consumption means low heat. Heat causes more problems in Notebook computers circuitry, ranging from fan failures to circuit board overheating. It means fewer problems with the overall electronic unit.
- Quiet operation. Fewer people will complain about the noise.
Trying to beat Toshiba into the market is Intel’s version of SSDs. It looks like they’re releasing the smaller capacity 160 GB version. They’re also slated to release in 2009. Competition is good because for the technology to gain mass adoption, it needs to go down in price. First releases will not be as cheap, so business use will be the initial target market. As a consumer, in this difficult economic condition, I’ll be hard pressed to buy one for home use if it’s not below $200. I’m comparing to a regular 2.5″ hard drive for notebooks, selling around $60 for 320 GB capacity.
My hope is the use of SSDs in Smartphones. I’m dreaming of an all-in-one “Computer Phone” with plenty of storage capacity. The next few years will be an exciting development for portable electronics.
Posted in Hardware
December 18th, 2008 · 1 Comment
Welcome to my new blog site! This one is my repository of knowledge, commentary, and notes of the computer/internet industry. I’ll draw from the lessons learned from my current employer, as well as previous ones. My experience centers around computer support, so this blog will feature a lot of technical IT geekery.
I welcome your comments, suggestions, and criticism. I want to make this blog a learning experience for everyone.
Posted in Uncategorized