Archive for the ‘Life: Work and Techy’ category

Varnish: Normalizing / Normalising the url

March 3rd, 2010

We’ve had a small issue with our installation of the Varnish Proxy Cache not working as efficiently as we hoped. This was tracked down to the fact that we are using Google AdWords and Google Analytics for tracking, and Google was adding query string items such as utm_source, utm_medium, utm_campaign and gclid to the URL. This caused Varnish to treat each variant as a separate URL (and/or not cache the page at all), which just led to bad cache usage.

I’ve added this code to fix it, which may be of use to others:

/* Normalize the url - first remove any hashtags (shouldn't make it to the server anyway, but just in case) */
if (req.url ~ "\#") {
  set req.url = regsub(req.url, "\#.*$", "");
}
/* Normalize the url - remove Google tracking parameters so every variant shares one cache key */
if (req.url ~ "\?") {
  /* "&name=value" anywhere after the first parameter; values are matched as letters, digits, underscore and hyphen */
  set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|gclid)=([A-Za-z0-9_\-]+)", "");
  /* "?name=value" as the first parameter: keep the "?" for whatever follows it */
  set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|gclid)=([A-Za-z0-9_\-]+)", "?");
  /* tidy up: "?&rest" becomes "?rest", and a trailing "?" left with nothing after it is dropped */
  set req.url = regsub(req.url, "\?&", "?");
  set req.url = regsub(req.url, "\?$", "");
}
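As an added example (not code from this post; Varnish itself is configured in VCL, not Python), here is the same normalisation done by parsing the query string rather than by regex substitution, next to a transcription of the post's regex rules so the two can be compared on the same inputs. The parameter list is the post's four names and the constant name is ours. Sorting the surviving parameters is an extra step the VCL does not take; it folds reorderings of the same query into one cache key. Parsing also avoids the partial match the regex rules produce when a tracking value contains characters outside the letters/digits/underscore/hyphen class (a percent-encoded value, for instance), where the leftover piece stays glued to the previous parameter.

```python
"""Added example, not from the post: normalise a request URL before it is used
as a cache key, by parsing the query string instead of regex substitution."""
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# The four tracking parameters named in the post (the constant name is ours).
TRACKING_PARAMS = frozenset({"utm_source", "utm_medium", "utm_campaign", "gclid"})


def normalize_url(url, tracking=TRACKING_PARAMS):
    """Drop the fragment and every tracking parameter, then sort what is left
    so that reorderings of the same query share one cache key (the sorting is
    an extra step the post's VCL does not take)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = sorted((name, value) for name, value in pairs if name not in tracking)
    query = urlencode(kept, quote_via=quote)        # re-encode values with %XX escapes
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


# The post's VCL rules transcribed to Python's re module, for comparison.
# regsuball -> re.sub with no count; regsub -> re.sub with count=1.
_NAMES = "utm_source|utm_medium|utm_campaign|gclid"
_VALUE = r"[A-Za-z0-9_\-]+"


def strip_with_regex(url):
    url = re.sub(r"#.*$", "", url, count=1)
    if "?" in url:
        url = re.sub(rf"&({_NAMES})={_VALUE}", "", url)
        url = re.sub(rf"\?({_NAMES})={_VALUE}", "?", url)
        url = re.sub(r"\?&", "?", url, count=1)
        url = re.sub(r"\?$", "", url, count=1)
    return url


if __name__ == "__main__":
    # Constructed sample requests; the last one carries a value the regex class does not cover.
    for sample in ("/shop?utm_source=google&page=2&sort=price#top",
                   "/shop?gclid=CjwKCAjw_example",
                   "/shop?page=2&utm_campaign=spring%20sale"):
        print(sample, "->", normalize_url(sample), "| regex:", strip_with_regex(sample))
```

Collapsing variants into one key matters for more than hit ratio: when every distinct query string gets its own cache entry, any client can fill the cache with junk variants of a page, and stripping plus sorting removes most of that room.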

Techy: How I investigated Counterpath Bria’s licensing issue

February 14th, 2010

On Saturday the 12th of February 2010, I, along with many other users of the popular Counterpath Bria VOIP software, started getting the message “The data received from the license server appears to be corrupted. Please try again and if the problem persists, contact Counterpath Support.”, but without any idea of what caused it. Many people contacted Counterpath’s support forums, but as of the time of posting the only official status we have is “It is being investigated”. However, I took it upon myself to try and figure out what had gone wrong, and then whether I could “work around” the issue.

I knew from the error message that Bria was trying to contact the licensing server to validate the license, so the first step was to investigate what was being transmitted. Luckily, I had the very handy Charles Proxy, and after installing its CA certificate (so Bria didn’t complain about an invalid certificate authority when retrieving the data via Charles), I could see the communications.

Bria made a post to https://secure.counterpath.com/Service/LicensePool.sv/RegisterClientBinding with my license key, a hash of something on my machine, the type of product I’m checking the license for (Bria), the time my computer thinks it is, and identifying hashes of my machine (in particular, hard disk, motherboard and MAC address) – this data is sent to try and reduce “license sharing”. In return, Counterpath sent back the same information, including an expiration date and duration of the license (30 days), instructions to recheck the license after 24 hours and then every 4 hours (+/- 30%), confirmation that the license is valid, and then they signed the response using an X509 digital signature. Why have they signed it? Well, otherwise it would be reasonably simple for somebody of about my technical knowledge to intercept the SSL stream and modify the data to always have approved licences (and, no, I’m not going to say how I would do this – but I can think of 2 ways straight away).

As all the other data looked correct (Counterpath used descriptive XML tags, which did really help in this process: although since it’s just communicating between their servers and their products, I would personally have obfuscated it just for a little more ’security’: yes, I know “security by obfuscation” isn’t good security practice, but sometimes “every little helps”), I then investigated the X509 certificate. I copied and pasted it into a new text document, called it “x509.crt” and just let Windows’ certificate explorer show me the details – and it was immediately obvious what the fault was. The expiration date on the certificate was dated 2 days ago.

So after about 5-10 minutes of investigation I knew to roll back my computer clock to pre-12th February 2010. Running Bria to get it to reacquire a new license and voilà, everything working (well, hopefully for 24 hours until the license starts revalidating). I just wish Counterpath had actually provided the “roll back your clock” workaround on their forum: Bria is an excellent product and I’m just disappointed that because somebody dropped the ball and forgot to renew a 2 year old X509 certificate (which would be easily done, as over that length of time people would have left and the details would just have been forgotten to be passed on), their reputation and good product range may be tainted. I’m guilty myself of letting the SSL certificate on my online dance wear site expire for a couple of days (mainly because the certificate provider wouldn’t let me renew the certificate until after it had expired!), so I know how easily it can be done – I now have a 3 year certificate so it might again happen to me in 3 years’ time.

What has this taught us: If you use a secure certificate (for your website or code), keep a note of the date it is due to expire and set reminders. Your certificate provider might send you emails to remind you – but don’t rely on them. Communicate with your customers and if a problem could take more than a couple of hours to fix, propose a workaround (such as rolling back your computer’s clock) – they might not like it, but at least you are doing “something”. And signing license files with your own digital signature is a good idea (yep, I bet you weren’t expecting that!) as it stops people easily bypassing it – but just remember to keep your digital signature up to date!

[n.b. might just be worth mentioning that I investigated this all on my own – Counterpath or any third party did not ask me to investigate it. However, within an hour of me posting on their forums with the information I had found, the problem was fixed. Coincidence or were they already waiting for the new certificate to be approved/installed? I don’t know, but I like to speculate ;) ]
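The lesson of the post is to keep an eye on the expiry date of any certificate you sign with. As an added example (not code from the post, from Counterpath or from Bria), here is a stdlib-only Python routine that reads notBefore/notAfter straight out of a DER-encoded X.509 certificate and classifies it against a supplied clock, which is the check a reminder job would run. The certificate it parses is a constructed skeleton with a made-up two-year validity period ending 10 February 2010; its issuer, subject, key and signature are empty placeholders, so nothing about it is real or verifiable. Passing different clock values shows why a certificate is “valid” only relative to the date of the machine checking it, which is what the roll-back workaround in the post relied on.

```python
"""Added example, not from the post: read the validity period out of a DER
X.509 certificate and classify it against a given clock."""
import datetime as dt

UTC = dt.timezone.utc


def _tlv(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _read_tlv(buf, pos):
    """Decode the DER element starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        items.append((tag, body))
    return items


def _parse_time(tag, body):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = body.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])                 # RFC 5280 pivot: 50-99 -> 19xx, 00-49 -> 20xx
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def certificate_validity(cert_der):
    """Return (notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    _, certificate, _ = _read_tlv(cert_der, 0)
    _, tbs = _children(certificate)[0]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional explicit [0] version field
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def check_expiry(cert_der, now_iso, warn_days=30):
    """Classify the certificate against a clock given as an ISO date (UTC)."""
    now = dt.datetime.fromisoformat(now_iso).replace(tzinfo=UTC)
    not_before, not_after = certificate_validity(cert_der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    if not_after - now < dt.timedelta(days=warn_days):
        return "expiring soon"
    return "ok"


def sample_certificate():
    """Constructed skeleton: made-up validity 10 Feb 2008 to 10 Feb 2010, with
    empty issuer/subject/key and a dummy signature, so it parses but is not real."""
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                             # version v3
        + _tlv(0x02, b"\x01")                                        # serialNumber
        + _tlv(0x30, sha256_rsa)                                     # signature algorithm
        + _tlv(0x30, b"")                                            # issuer (placeholder)
        + _tlv(0x30, _tlv(0x17, b"080210000000Z") + _tlv(0x17, b"100210000000Z"))  # validity
        + _tlv(0x30, b"")                                            # subject (placeholder)
        + _tlv(0x30, b"")                                            # subjectPublicKeyInfo (placeholder)
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, sha256_rsa) + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = sample_certificate()
    for clock in ("2009-06-01", "2010-02-09", "2010-02-13"):
        print(clock, check_expiry(cert, clock))
```

Run the expiry check from a scheduled job against every certificate you depend on, including the ones used for code or license signing rather than for a website, and alert on “expiring soon” well before the date rather than relying on the provider’s reminder e-mail.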

Cost of sales – makes you wonder why you bother

January 23rd, 2010

It’s amazing how quickly costs of sales tot up. An item I am going to be selling costs me £12 to purchase from the supplier (as long as I buy more than £200 at a time, pay before shipping and don’t want express shipping) – however, to sell it, I’ve got to add postage costs of £2.24 to get it to the customer (well, that is what it will be come the 1st of April, when UK postage prices go up again), then I’ve got to add VAT at 17.5% on top, then I’ve got to add Paypal fees of 20p and 3.4% on top of that – giving me the final “cost of sale” of £19.54 – that’s £7.54 I’ve got to pay to third parties just to sell this item. One of my more expensive items costs me £21 to purchase, and the cost of sale is £31.19 as Paypal and the VAT man both want a larger cut…

I’ve then got to try and make a profit on it, remembering that if I do make a profit I’ll then have to put around 30% of it to one side to pay as Corporation Tax – I’ve also got to try and account for “shrinkage” (i.e. when a package gets lost in Royal Mail’s systems and I’m not able to reclaim the full amount), got to try and account for the costs of running the server and website I’m running the site from (around £120 per month, plus bi-yearly domain registration fees and SSL certificate costs), any bank charges and interest, telephone line usage (even if it’s just for incoming calls, I’ve still got to pay line rental), £35 monthly accountancy fees, £15 annual return fees and various other little bits and bobs (insurance/storage costs etc): and that’s all before I can even consider paying myself some money for the time and effort I’ve put in. Oh, and if I do start paying myself money, I’ve then got to pay National Insurance contributions, Employers’ and Employees’ tax, payroll fees and other little annoying bits…

I do sometimes ask myself why I’m bothering: all this work for very little (if any) payoff – but if I was just unemployed, I’d actually end up, at the end of the day, with more money… Meh!

Web: Bad eset emails

December 2nd, 2009

Just tried to sign up for a trial of the eset antivirus from eset.co.uk and received the following useful emails… After trying a second time, I just went to eset.com and downloaded the 64-bit antivirus software without having to register…

Here’s the email:

Subject:ESET NOD32 Antivirus Home Edition – Trial Licence
Layout['Header'] Content['Generic-TrialIntroduction']

Content['Generic-TrialLicenceInformation']

Content['ENAHE-Instructions']

Content['ENAHE-SystemRequirements'] Info['CustomerSupport']
Info['AdditionalInformation']
Info['awards'] Layout['Footer']

Yep, useful!

Bouncing Emails – Some Stats

September 25th, 2009

Well, yesterday at work we launched Manga High’s Educational Maths Games and we were featured on Radio 4’s “Today” show (6.6 million listeners), the Guardian newspaper (0.35 million paper readers) and Guardian website (25 million uniques per month) and Channel 4’s “News at Noon” (around 1 million viewers), and apart from a 3.5-hour “outage” between 7.30 (the Today show’s broadcast time) and 11am, when the site was under terrific load, things went well and we had a very, very high number of registrations and visitors.

However, we did have a number of incorrect email addresses entered into the system which caused bouncebacks, and the stats were quite interesting:
* We had 1 bounce back from Yahoo
* We had 6 bounce backs from Hotmail
* We had 1 bounce back from Gmail (disabled account)
* We had 3 other bounce backs – each from a different domain name
* We had 5 people who entered an incorrect domain name (which didn’t even look like the Yahoo/Hotmail/Gmail domains).

I wonder what this indicates – that you are more likely to get people who cannot enter their email address correctly from Hotmail?…