beTech :: Evolve Already

Today Ian Brill demo’d ITC’s VMware infrastructure. A similar system is hosted by BeTech to host any number of web software development efforts. Currently ITC hosts ~150 web servers utilizing four servers clustered and running VMware. Ian described Vmotion (product for moving live virtual running virtual machines), Virtual Center Server (product for managing the details of virtual machines), VMware High Availability (product for managing automatic replication and fault tolerance), and DRS (product for virtual load balancing).

This stable VMware infrastructure appears to be a solid solution for hosting systems with a high available requirement. Contact ITC Microsystem, ITC-Microsystems@virginia.edu, if you are interested in standing up a new system in this popular VMware system.

If you are interested in developing a test system in a VMware environment, you can get started free of charge by emailing betechlabs@virginia.edu.

Great talk Ian! Thanks from BeTech.

Looking for a customizable Web development project sandbox to try out your latest, greatest ideas for the University of Virginia? beTech Labs is here.

Join beTech this Wednesday, August 15, at 3:00PM to pull back the covers on beTech Labs—a unique space to start new Web application experiments or participate in existing projects. beTech Labs offers real Web server platform choices, source control management, and a thriving community of equally passionate developers. You provide the imagination and the innovation.

One of the biggest beTech audiences to date showed up to hear ITC Unix Group’s Hamp Carruth and Steve Losen share their University Web server war stories. It was a fun session chock full of entertaining ‘misguided user stories’ and tips for making Web sites more secure. Now, thanks to Scott Crittenden’s deft audio engineering, you can relive this magical moment in glorious MP3 stereo (44MB).

And for those that want to follow along, here are some of the links mentioned:

• NetBadge
• MyGroups
• Proxy

A mighty big thanks goes out to Hamp and Steve for sharing their time with us. If there’s interest, perhaps we can have them come out to chat about their services on an annual or bi-annual basis. Whaddya think?

This Wednesday, June 20, Hamp Carruth and his posse will host a rather informal, open session on the wide-ranging topic of the University’s Web servers. Come on out and hear from the Sage of Servers (official title: Computer Systems Chief Engineer) how the UVa Web server service blossomed into what it is today and how that growth guided some of the idiosyncrasies we experience. Furthermore, find out what the future of ITC’s Web services hold for the average users and all you advanced developers out there.

Hamp and his colleagues will also impart their knowledge and experience on SUPHP (and share how it can make your PHP applications more secure), MyGroups, NetBadge, and much, much more. If you have questions about the nature of the University’s Web server environment, this is the session you need to attend!

This week, the Virginia.EDU web cluster was quietly upgraded to improve performance and bring software up-to-date. Some nice additions include mod_pubcookie, GD, OpenLDAP, xpat, Sablotron, and libxslt. Many thanks to Hamp and the UNIX group for their work on the new configuration.

Soon after posting an article about the rise of hacker Cross-site Scripting (XSS) attacks, online security magazine Dark Reading was alerted to XSS vulnerabilities on its own site. The holes were quickly plugged and a valuable lesson was learned: don’t assume you’re safe, trust no one, and validate everything.

What may be even spookier for much of the beTech audience is that .edu sites may be particularly juicy XSS targets for hackers (according to Jaimie Sirovich, search engine marketing guru). And with a recent Mitre report placing XSS at the top of the list of Common Vulnerabilities and Exposures (CVE) and plenty of additional resources for the mischevious popping up everyday, you can be sure your site security skills will be put to the test for some time to come.

So what the heck is this XSS stuff? SecurityDocs defines XSS thus:

…an XSS attack is when an attacker manages to inject Java script code or sometimes other code… into a website causing it to execute the code.

What harm could this cause? Well if an attacker made a specially crafted link and sent it to an unsuspecting victim and that victim clicked the link and a piece of Java Script code could be executed which would send the victims cookie away to a CGI Script, obviously the attack could do some serious damage. When an attacker creates a malicious link he/she will usually encode the Java Script code in HEX or some kind of encoding in order to try and hide the malicious code.

Websites that are vulnerable to XSS attacks are running some sort of Dynamic Content, Dynamic Content is anything that changes due to user interaction or information stored in a database about a user, things such as Forums, Web Based Email and places where information is submitted are vulnerable to XSS attacks.

As you can see, the user and the host are at risk. Aside from stealing client cookies and login information, XSS can be used to locate and potentially take advantage of vulnerabilities in unprotected web sites. As a web developer, you should be concerned with both scenarios. Your site and your data may be your primary concern, but securing your user’s login and other sensitive information is of paramount importance if you wish to maintain their trust.

What can you do? As a developer, you trust no one and validate all incoming data—especially HTML text coming in on links. As a user, you try to manage JavaScript’s XSS weaknesses with tools like the NoScript extension for Firefox or Stanford’s SafeCache (another Firefox extension). The bottom line for both sides of the server is that XSS is on the rise, so trust no one and keep an eye on those links.

Additional information:

• Wikipedia: Cross-site Scripting (XSS)
• CGI Security: XSS FAQ
• SecurityDocs: XSS FAQ
• Chris Shiflett: Foiling Cross-site Attacks
• Slashdot: Cross-Site Scripting Hits Major Sites
• XSS Cheat Sheet

Next Thursday (September 21), beTech rouses out of its summer vacation schedule with a presentation on virtual machines. Whether it be for a server cluster or you personal laptop, virtual machines are more and more a viable option for running the operating system of your choice on whatever hardware you have. VMware, co-founded by University of Virginia alum Dr. Mendel Rosenblum, is a leader in the field and will be beTech’s guest presenter along with Dell (for the hardware side of the equation) in the Newcomb Boardroom. Please join us and bring a colleague!