Ruby Documentation Sucks

Okay, this is going up a day late. My bad. I’ve been busy. Regardless, I have a rant which any programmer can sympathize with.

I’ve been recently programming a proxy in the Ruby programming language, which is known for its code elegance. When you know how to use it, it’s a great language. The problem, however, comes when to learning about the API in the language. To put it bluntly, the documentation is crap. To be more specific, a good amount of it is incomplete, and those sections that are completed fail to follow a consistent fashion. To put things in perspective, there are 108 core libraries included in the Ruby documentation; over half of those libraries have incomplete documentation.

Now, this isn’t that much of an issue if you know how to use the language; after all, there’s no need to go to the documentation when you know the language. The problem comes when you are like me, learning how to use the language, and don’t know what any of the constants for the sockets library do, which is a bit of a problem when you need to program a proxy. See where I’m going with this?

Maybe I’m complaining because I’ve been spoiled on PHP‘s phenomenal documentation, which is an amazing feat when it comes to documentation. All of the functions are properly laid out with plenty of cross-references, and tell you exactly what to expect for each and every function. The documentation is a work of art, I kid you not. Don’t believe me? Try learning how to do something complex in PHP using the documentation only, then try to do the same in Ruby.

I have heard some people make the argument that Ruby is open source and relies on its members to do the documentation, hence the lack of it. While I understand this argument, it doesn’t entirely make sense. Ruby has a large band of dedicated followers (think Jehovah’s Witnesses-style) who should have filled in the 1.9 documentation by now. Thinking about it from another perspective, PHP is a free and open source language as well, and look at the detail in there compared to Ruby.

All I’m saying is that Ruby needs to step up its game a bit, otherwise it will have trouble competing for those people looking at learning a new language. If it wasn’t for an amazing IBM document on Ruby socket programming, I would have moved on to another language by now.

Anyways, tune in this Friday for something different. I realize programming isn’t everybody’s cup of tea, so I’m hoping to branch off into something a little different for those of you who either find computers boring, or those of you that simply don’t understand them. As always, I appreciate you reading, and I appreciate even more those of you who tell a friend about my blog :).

The First Week

Looking forward to going to work Is a feeling that I’ve never felt before this week. It’s an odd feeling, and one I don’t know if I will ever completely get used to. Of course, I’m sure the feeling will wear off after a while.

In the past week, I have gotten a number of experiences that I would not have gotten any other place. My first two days were spent trying to break into a web application on a VM. Although I managed to get access to a few things, I never really got that far.

Today presented a similar scenario. In a virtual network, there were a number of computers: some desktops and some servers. I had to gain access to some “fianancial information” hidden on a server, using exploits in the other machines to gain access. Although I needed a few hints here and there, I managed to get the sensitive information using a variety of tools, including two kernel exploits, sqlmap, Nmap, Metasploit, and RainbowCrack. It was a really fun experience, and I’m glad I got to take it for a test drive.

The icing on the cake for today, however, was using a decompiler to disassemble a fake program requiring activation and bypassing the registration. From the information gathered we made a keygen using 3 different methods. Doing so requires a bit of smarts and a lot of assembly knowledge, which is something I don’t have a lot of. With some help though, I managed to crack the registration, which was an exhilerating experience.

These experiences are pretty much all thanks to Ron Bowes, one of the guys I’m working with. I’d call him an IT Professional (he’s certainly skilled enough), but he might laugh at me for such a remark. The virtual network was all designed by him, and he walked me through the application hacking, showing me every step and how it was done. I certainly have no intentions of using any of that knowledge to break the registration information for any program for any reason other than my own personal development, but it was still a really amazing experience. He keeps a blog on his homepage (I’m mentioned in a recent post), and it’s certainly an interesting read.

A final thing that I’m working on at work is a suitable replacement for Burb Suite, which is an application for attacking web applications. It’s a really powerful program, but there’s three main problems with it: it’s closed source, you have to pay for it, and the Swing interface is god-awful ugly. Other free utilities lack in either power, the user interface, or both. So, upon approval from a supervisor, I might be helping to develop a free open source alternative which would be released into the public domain. We’ve decided to program the backend in Ruby, and so far it’s going really smoothly. In just one day I almost have the proxy designed, and I’m looking forward to getting the backend completed.

All in all, work is great so far. Getting paid to do something you love is amazing.

Ch-ch-changes

Over the next few weeks, there will be a lot changing in my life in many different aspects. I expect it might be an interesting experience.

As many of you may know, I run a site called H2H Security Group, which has been an ethical hacking knowledge base. Over the past few months, there has been little-to-no contributions to it, and it doesn’t seem reasonable to keep the site up and running without any participation from other members. My interests have also shifted (matured, if you will) to encompass development-related topics rather than hacking, and I believe that another style of site would suit my interests more than this one. As such, I have decided to take down H2H. It was a hard decision to make, but I believe that my knowledge and expertise would be more suitable in a development site. Therefore, rather than simply removing a part of myself from the internet, I have decided to replace it with a development site. I realize that there are a lot of them out there, but this is something that I am much more passionate about, and will coincide much more with my interests in web development. Hopefully I will be able to attract more people interested in topics similar to this.

H2H spent a lot of time up and running because of its members. Specifically, I need to personally thank Aaron Goldsmith (aka AltonRashmire) and Sam Jenkins (aka Satal Keto) for their donations, dedication, and hard work. Their support, both technically and monetarily, has meant that H2H has survived for much longer than expected. They have earned both my respect and my friendship, and I will no doubt keep in touch with them, hopefully on my new development site.

One thing that certainly held H2H back was the hosting I went with. I have been with Lunarpages for 2 years now, and I have decided to move on due to lackluster tech support (a phone call I made to them which was not toll-free resulted in me yelling at the person because he was completely unaware of the DNS exploit which resulted around that time which crippled my site) and significant downtime as of late, which has been severe enough to even take down their own site. Add to that the additional costs for simple things like installing SSL certificates, and you have one unhappy customer. I am now starting a web hosting company with a few friends, which will be an eco-friendly web host. If you are looking for a good deal on hosting, contact me; mention this blog post, and I’ll take $1 off per month, which works out to 20% off (this offer good until the end of September 2009). I’ll bring you more information on the new host when it is purchased.

Finally, I start my new job in a week and a half, at the Manitoba Information Protection Centre. I have been looking forward to this for quite a while, and I expect it to be an amazing experience. This will certainly be a great learning experience, and definitely be a great source of income, which will be needed to fund my technology addiction.

That’s all for now. More later. Sorry for not following my schedule. I’ll work on that.

The Waiting Game

While taking a Computer Science degree at my university, I have the option of participating in the Co-Op program, which will help me get intern positions at firms in the Computer Science field. The positions range from performing basic technical support to working on active projects with the rest of the team at the firm. I will hopefully be starting my co-op term this September, and I’m looking forward to the plethora of new knowledge I will gain from the experience.

All in all, I applied for a whopping 17 positions. Normally, I wouldn’t have applied for so many, but this is my first co-op term, and all of the other students going into a work term this September will be in their second work term; in short, I’m at a natural disadvantage. So, in order to increase my odds of getting a job, I’ve decided to apply for a ton of jobs (all that I would find interesting, mind you), in order to (hopefully) guarantee myself a position. The one job I would kill for, however, is at a web design firm called Tipping Canoe. The firm focuses on PHP and MySQL development, which is exactly what I’m interested in. There are a number of other technologies, such as Sphinx and memcached, which would be invaluable for any large scale development I may work on. Other reasons for liking the job include the location, which only requires that I take one bus to work, and the work environment, where they offer a casual, relaxed work environment in the Exchange district and they refer to their employees as Coding Ninjas (!!!). From what I’ve heard they prefer students who have little-to-no PHP experience, but I still have a lot to learn even though I’ve covered some of the basics.

Unfortunately, I’m not in a position to be picky for which position I get. If I get the position at Tipping Canoe, I’ll be happier than <insert happiness simile here>, but I should be just as satisfied with a tech support position. Anything I get will teach me more and give me real world experience, which is what this opportunity is all about. Any job I get will help me develop my skill set, and there’s always the opportunity to apply for them another year if I don’t make the cut. What it comes down to is that I’ll be making money doing something that I love and learning more about it at the same time. It’s hard to pass up an opportunity to get paid for doing something you love.

And Tipping Canoe, if you’re reading this, I’d love an interview. Pleeeeze? Can’t help to ask, I guess…

Going Open Source

The first time I wrote a full website, I made a lot of mistakes. A LOT.

Although not completely obvious from looking at it on the outside, H2H Security Group is built on a pretty shoddy content management system (CMS). There are bugs, there are incomplete sections of the site, and there is little administration that doesn’t require direct database access. I’ve stopped development on the current CMS and decided to go for a complete overhaul. That’s right: I’m completely re-building the system, H2H CMS, from the ground up.

Normally, this would be a preposterous idea, and perhaps it’s not the most efficient route for me to take, but I won’t be walking away from the CMS empty handed. It was an amazing experience working on it. Despite it being terribly designed, I’ve grown a lot as a programmer since I first started. I’ve learned about things like classes, hierarchies, debugging tools, exceptions, mysqli, more advanced MySQL statements, and caching. I’ve learned about the differences between versions of software such as PHP, which had monumental changes from PHP4 to PHP5. Most importantly, I learned proper software development in a university course. Looking back, every mistake I made during the design of the old CMS I have learned from, and I’m willing to make a mistake if it means that I learn from it.

Another big change I’m making is that I am going Open Source: letting anyone take a look at the source code. I’m sticking with a Creative Commons license, which allows anyone to take the code, modify it, and redistribute it for free, providing they give me credit for the original work. I think it’s the right choice to make, sticking with the hacker mentality and whatnot. With a goal of distributing knowledge and information to the masses, I think the open source route is a logical step to achieving that.

I started off the development of the new CMS quite differently than before; rather than jumping straight into the coding, I started off old-school: with a pen and paper. Design before development helped ensure everything stayed organized this time. Developing class-by-class, piece by piece allowed for logical places to start and stop work.

The part about this CMS that I am most proud of, however, is that security is added and implemented standard – not as an afterthought. Being interested in security, this seemed like a no-brainer, but it seemed to be either non-existant, poorly implemented, or at the expense of efficiency in other systems available. By considering both security and efficiency at the same time, I hope to develop a system that maintains both equally.

I always like to see people become involved in my projects. If someone is interested in helping with the development, let me know, and maybe something can be arranged.

Ohloh Page: http://ohloh.net/p/h2h-cms/

Project Trac Page: http://dj-bri-t.servehttp.com/projects/cms/

Meat In A Tin

Over the past week or so, I’ve found that one of my other websites, H2H Security Group, has been getting a lot of spam. Unfortunately, it’s not just the random ads from bots. Bots I can deal with, and it’s unlikely that they’ll ever get past registration because there’s a reCAPTCHA in the registration. No, I have to deal with credit card spam.

Most people I know get spam in their email; it happens to almost all of us if we have a presence on the web with that email address. If any of you have read the spam before, usually it’s just a random string of words with a few links in them. Heck, some of them are just downright amusing. But credit card spam is more of a problem; not only is a nuisance, but it’s highly illegal. Not something that you want on a legitimate website.

The first problem was determining if the spam was automated (ie. from a bot), or a person who was posting the spam. The easiest way to do this was to install the reCAPTCHA system as I mentioned above. If you’ve signed up for any major service recently, chances are you’ve encountered a CAPTCHA of some sort. CAPTCHAs are the images with random numbers and letters which is supposed to be hard to read by an automated system, but fairly easy for a human. They are specifically designed to prevent bots from accessing the system. Although the reCAPTCHA system I installed stopped some of the spam, it didn’t stop all of it.

Stopping spam requires ruling your web site with an iron fist. Some automated scripts will help minimize it, but on a long enough timeline, spam will get through. It’s bound to happen. Currently the only way I’ve found to stop the spam is to start blocking IP addresses. In the case of this incident, I was forced to block an entire subnet of IP addresses. I found that ISP in Vietnam was producing a lot of the spam that I received. Despite numerous emails to their abuse department I found out that they deleted the emails without reading them, and made the decision to block the entire ISP from my web site.

Doing so is a bit of a double-edged knife. On one hand, the spam has stopped since I’ve done this (although I only did this two days ago – let’s see what happens!). On the other hand, I have pretty much cut off an entire country from visiting my site. Granted, the primary language there is not my primary target for my site, but still has the problem of cutting off legitimate users.

Of course, this is not a foolproof solution. There’s no reason that a person on that ISP couldn’t use a proxy to access my site and post more spam, but I’m taking a proactive approach to preventing this spam, and that’s about all one can do. Perhaps an interesting project would be to keep a central repository of known spamming IP addresses so that those IPs could be blocked by many websites around the world, and not just by a single server. Allowing a group of servers who pick up spam regularly to add IPs to the list for a number of days, and then many servers could download a list. It’s maybe something to consider to stop the spread of spam across the world.