The use of business email has grown exponentially over a relatively short period of time, bringing with it the huge advantages of worldwide, cost-effective, easy and near-instantaneous communication. But as all those involved in the management of IT systems know, the growth in email usage has brought its own challenges.

Read more...

For the last 6 years I have been working for Loud-n-clear Ltd, with whom I merged CFMX Hosting back in 2003. After 6 years of feeling like I was banging my head against a brick wall  I decided it was time split the companies up again so that I could actually work on growing and expanding CFMX Hosting, and get out of the rut I had found myself in. So In January I left Loud-n-clear, separating CFMX Hosting and taking it with me and launched a new company called "BlueThunder Internet". This will be the new name of CFMX Hosting, which I am re-branding to be more generic and less CF-centric which I feel will be a positive move in the in this current recession where I don't think one can afford to restrict oneself to such a small niche especially in such a competive market place as hosting. Plus there is the fact that there is no such thing as "CFMX" any longer since Adobe changed the name back to plain "ColdFusion", so I have been thinking of changing the name for a while.

While I am still a huge ColdFusion fan it is no longer the only cfkid on the block, so my new company will be specialising in "CFML" and supporting the likes of Railo and BlueDragon as well as ColdFusion and all the other usual technologies. I have become a big fan of Railo of late especially since it is far better suited to the shared hosting environment than ColdFusion with its per site admin interface which means less support tickets and more control for the customer, plus the security side of things is also significantly better.

If you haven't yet heard about railo or you have heard about it but don't know why you would want to use it, I strongly recommend heading over to CFMeetup and watching the recent recording of the Railo 3.1 Open Source Presentation, this should give you some idea of how cool Railo is and some of awesome and unique new features it provides, or perhaps like me it will even get you as excited as you used to be about ColdFusion :-)

With the emergence of open BlueDragon and railo now also being open source as well, I think this is going to give a much needed boost to CFML as a language and the community at large. Finally CFML is now on equal footings with the likes of PHP as it is now also free to download and use, but with the added advantage of being easier to learn and more powerful, oh and it works better on windows too ;-)

For those who may be wondering where the name "BlueThunder" came from, it was many many hours of trying to find a domain name that wasn't already taken and is easy to remember, which is very hard by the way. I had exhausted just about every name using the word "fusion" or "hosting" so I then randomly just decided to start thinking of names of old 8 bit computer games and old TV shows and then I remembered that old show about the helicopter called Blue Thunder, which as well as liking the name I thought was also a bit of a play on words in the same vein as ColdFusion, it has that same feeling of power, so having found a domain name that was free, I snapped it up. You may also notice the new logo might look slightly reminiscent of the original Allaire ColdFusion logo.

Me it seems, for the 3rd time. Yes on January 5th 2009 my wife gave birth to our 3rd child, a girl this time who we have named "Teyla Rayne". She popped out even faster than our 2 boys, both of whom only took around 2 hours, but Teyla couldn't even wait for me to get to the hospital, just as I arrived I heard a big grunt from my wife and it was over. She was 4 weeks early and was a tiny thing only weighing 5lbs.

Now you are probably wondering why I wasn't with her at the hospital in the first place, well aside from the fact I have 2 small boys that would have made it rather impossible to be there for the birth anyway, as sods law would have it we were actually down in Somerset at my sisters wedding at the time and the baby was not actually due for another 4 weeks anyway. Thankfully it was the day after the wedding, so we didn't ruin it, but we were however in the middle of no-where, 200 miles from home, no birthing bag and no more clothes as we were only supposed to be there for 2 days. The hospital she was taken to "Musgrove Park Hospital" in Taunton was an absolute nightmare, they didn't give my wife anything to eat or drink until she begged, didn't give her a change of clothes or anything to wash with after the birth or bother to tell her there was a bathroom she could have used, so all in all a bit of a farse and not a pleasant experience for her, especially considering we were planning to have another home birth.

Anyway baby is doing well and growing rapidly, her brothers seem to like her and haven't tried to torture her or feed her sweets and crisps yet, so it's going well :-) Of course the already limited amount of sleep we get with a 2 and 4 year old who wont go to bed and yet still get up at 6am has now been decreased further, but all in all she is actually a very quiet baby.

I have also finally had to accept that working from home is just not going to work any more, it had become hard enough with 2 kids, but with 3 no chance, so I have got myself a proper office and will finally be getting some peace and quiet during the day, yippee.

Mozilla's Firefox browser has earned the undesirable title of the most vulnerable software program running on the Windows platform. Something that will probably dismay most web developers, as it is the browser of choice for most of them due to its superior debugging capabilities. I would imagine this is also a shock to most of you Internet Explorer haters as well, especially as IE is not even on the list.

According to application white-listing vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that suffered through critical security vulnerabilities in 2008.  These flaws exposed millions of Windows users to remote code execution attacks.

The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs.  Here’s Bit9’s dirty dozen:

1. Mozilla Firefox:  In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools.
2. Adobe Flash and Adobe Acrobat:  Bit9 listed 14 flaws patched this year that exposed desktops of arbitrary remote code execution via buffer overflow,“input validation issuesâ€? and malformed parameters.
3. EMC VMware Player,Workstation and other products:  A total of 10 bugs introduced risks ranging from privilege escalation via directory traversal, ActiveX buffer overflows leading to arbitrary code execution and denial of service.
4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE):
   Inability to prevent execution of applets on older JRE  release could allow remote attackers to exploit vulnerabilities of these older releases. Buffer overflows allowing creation, deletion and execution of arbitrary files via untrusted applications.  10 patched vulnerabilities listed.
5. Apple QuickTime, Safari and iTunes: In QuickTime, the list includes nine vulnerabilities that allow remote attackers to execute arbitrary code via buffer overflow, or cause a denial of service (heap corruption and application crash) involving malformed media files, media links and third party codecs.  The Safari for Windows browser was haunted by three flaws that could be lead to arbitrary code execution and  denial of service involving JavaScript arrays that trigger memory corruption.  Apple’s iTunes software was susceptible to a remote improper update verification that allowed man-in-the-middle attacks to execute arbitrary code via a Trojan horse update.
6. Symantec Norton products (all flavors 2006 to 2008): Stack-based buffer overflow in the AutoFix Support Tool ActiveX exposed Windows users to arbitrary code execution.
7. Trend Micro OfficeScan: A total of four stack-based buffer overflows that opened doors for  remote attackers to execute arbitrary code.
8. Citrix Products: Privilege escalation in DNE via specially crafted interface requests affects Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote and HighAssurance Remote. Search path vulnerability, and buffer overflow lead to arbitrary code execution.
9. Aurigma Image Uploader, Lycos FileUploader:  Remote attackers can perform remote code execution via long extended image information.
10. Skype:  Improper check of dangerous extensions allows user-assisted remote attackers to bypass warning dialogs.Cross-zone scripting vulnerability allows remote attackers to inject script via Internet Explorer web control.
11. Yahoo Assistant: Remote attackers can execute arbitrary code via memory corruption.
12. Microsoft Windows Live (MSN) Messenger: Remote attackers are allowed to control the Messenger application, “change state,� obtain contact information and establish audio or video connections without notification.

See Bit9’s full report (.pdf) for information on how the list was put together, including criteria for inclusion.

I have been coding a new protX interface for a client this week for processing credit card payments. Bizarrely out of the blue today my code stopped working. Even though nothing had changed on my end, any attempt to send a transaction through to the protX server resulted in a response of "connection failure". I switched my code to post to the live server instead of the the test server, and suddenly I got a response back, so it definitely wasn't a connection problem my end and my code was still working. So I gave protX support a call (actually I opened a ticket first, but they never replied, and still haven't 12 hours later), and their support guy assured me that nothing had changed on their end and that nothing was broken, so it must be a problem with my code. Which is actually quite ironic as it is usually me saying this to customers who are saying "My code is fine it must be your server". So as this conversation was clearly going no further it was time to put on my Sherlock Holmes hat and start investigating.

One thing the support guy had pointed out is that my transactions were coming through, so I logged into my VSPadmin and there indeed were my transactions, so why was I getting a "connection failure" in my CF page?

So next I tried a plain old HTML form, which posted directly to the protX gateway, and this worked and I got back the expected response, so it seemed the problem was only affecting ColdFusion pages and my CFHTTP call, now that is weird I thought.

Next I checked the HTTP response headers from the live and test servers, being as I had already discovered that posts against the live server were still working, there had to some difference between the two.

Live showed

HTTP/1.1 200 OK Date: Tue, 09 Dec 2008 23:40:33 GMT Content-Language: en-GB Content-Length: 312 Server: Microsoft-IIS/6.0

Test showed

HTTP/1.1 200 OK Vary: Accept-Encoding Date: Tue, 09 Dec 2008 23:41:49 GMT Content-Language: en-GB Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET

The main difference here being the "vary: Accept-Encoding" part. A bit of googling on this header told me it is to do with http compression. So it seemed that protX had turned on http compression on their test server without telling anyone. So I added the following to my CFHTTP call.

<cfhttpparam type="Header" name="Accept-Encoding" value="deflate;q=0"> 

And lo and behold, things started working again. So my previous assumption was correct and while browsers may know how to decompress gzipped or deflate encoded content by default , ColdFusion does not it seems.

If you send the Accept-Encoding HTTP header, then httpZip (or any other compression solution) should be responding with the first compression scheme specified by that header's value.  So, in other words, if the cfhttp call is sending:

Accept-Encoding: gzip, deflate

Then the server running httpZip should be responding with gzip-encoded data (which would be accompanied by the HTTP header "Content-Encoding: gzip").  If, on the other hand, the cfhttp call is sending:

Accept-Encoding: deflate

Or

Accept-Encoding: deflate, gzip

Then the response from the httpZip-enabled server should be deflate-encoded data (which would be signaled by the HTTP header "Content-Encoding: deflate").

Now i say should be, but in this case it is not, as I still get the same response back from the protX server regardless, even though it is taking notice of the new header in my request.

I certainly hope protX are not planning to enable http compression on their live server without warning, otherwise they may have a lot of very pissed off customers with broken shopping carts.

So you may want to set the above header in your CFHTTP calls by default just in case, it wont have any affect if there no active http compression, but may save your ass if it gets enabled in the future.