First LinkedIn Intro, then BonzyBuddy 2.0

Last week, LinkedIn published an in-depth technical explanation of how their new LinkedIn Intro mobile product works on iOS. What Intro does is basically display LinkedIn data about your contacts directly in your email client – similar to what Rapportive did for Gmail. It’s a cool app, but the implementation details LinkedIn shared ignited an Internet firestorm, especially among the startup/hacker crowd.

Intro works by reconfiguring the user’s normal iOS email client so that it connects through a LinkedIn proxy server instead of to their webmail provider directly. This lets LinkedIn dynamically modify a user’s email before it reaches their mail client, depending on whether the user is connected to the sender on LinkedIn. From an IT security standpoint, introducing a third party that sits between a user and the mail server they’re connecting to undoubtedly introduces a new attack vector, but what really caught my interest was how LinkedIn was achieving this. In order to smoothly update the user’s proxy settings, LinkedIn is using an iOS feature known as Configuration Profiles.

I’m not familiar with the iOS SDK or APIs, so this was the first time I’d heard about Configuration Profiles. In short, they allow an app to install a set of settings on an iOS device – from email and web proxy settings to additional credentials and SSL keys. Configuration profiles are typically used in enterprise environments to allow a company’s IT department to quickly configure the settings on an employee’s iOS device. When provisioning a new device, IT would use the configuration profile to install things like a VPN, internal credentials, etc. So what’s the problem?

Well, according to the LinkedIn post and comments from users that have used profiles before, the user experience of installing a profile which radically alters your iOS system settings is surprisingly unassuming. As a user, you click through a couple of prompts and boom, all of a sudden Safari is using a proxy server to fetch websites. So what nefarious things could you do by routing iOS mobile traffic through a proxy server? Unsolicited injected display advertising.

On the desktop web, unscrupulous extension developers have been monetizing their install base by injecting display ads into the browsing experience of their users for years. From companies like Bonzi Buddy to newer companies like PageRage, the model is tried, true, and profitable. However, on mobile there isn’t an obvious opportunity to inject ads and get access to the rapidly growing number of mobile web impressions. It seems like using configuration profiles would be the perfect vector to change this. Crapware iOS developers could quietly prompt their users to install a configuration profile to get access to “hot new features” and then surreptitiously start injecting display ads into websites on the proxy server.
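A configuration profile is just a signed (or unsigned) property list, so the sensible defensive check is to open one before tapping through the prompts and see which payloads it carries. The script below is an added example, not anything from LinkedIn or the original post: it parses a constructed .mobileconfig with Python’s standard plistlib and flags the payload types that redirect traffic or change what the device trusts (the payload type identifiers are Apple’s; the hostnames and display name are made up).

```python
import plistlib

# Payload types (from Apple's Configuration Profile Reference) that change
# where a device sends traffic or whom it trusts. An "Intro-style" profile
# will carry at least one of these.
SENSITIVE_PAYLOADS = {
    "com.apple.proxy.http.global": "global HTTP proxy (all Safari/app web traffic)",
    "com.apple.mail.managed": "mail account (can point IMAP/SMTP at a third-party host)",
    "com.apple.security.root": "root certificate (lets a proxy terminate TLS)",
    "com.apple.vpn.managed": "VPN (routes all traffic through a remote gateway)",
}

# Constructed sample profile for this demo; hostnames and name are invented.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Hot New Features</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example.invalid</string>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example.invalid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(data):
    """Return (payload_type, reason, hosts) for every sensitive payload in the profile."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in SENSITIVE_PAYLOADS:
            # Collect the remote hosts the payload would send traffic to.
            hosts = [v for k, v in payload.items() if k.endswith(("HostName", "ProxyServer"))]
            findings.append((ptype, SENSITIVE_PAYLOADS[ptype], hosts))
    return findings


if __name__ == "__main__":
    for ptype, reason, hosts in audit_profile(SAMPLE_PROFILE):
        print(f"{ptype}: {reason}; hosts={hosts}")
```

Run it against a real .mobileconfig by replacing SAMPLE_PROFILE with the file’s bytes; an empty result means the profile touches none of the listed payload types.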

I’m not familiar enough with iOS development to speak to how easy developing an app like this would be or if it would get past the app store approval process, but if it’s feasible someone is certainly going to do it. If anyone is familiar with an app already doing this, I’d love to know about it.

Movember: End of Week #1 and a Client Launch

Well, it’s one week into Movember and three of our engineers, including myself, have joined the team. It’s too late to join our team; however, if you want, you can still donate. We’ll continue to provide an update each week.

Here we are this week. Let us know which week you think will be the best mug shot and who has the best ‘stache:

(Photos: daum, jared, ashish)

On a side note, we’d like to congratulate DiscoverE on a successful launch earlier this week. We helped the DiscoverE team build their entire site, which aggregated a number of old sites they had.

Drupal 7 Views: Directly Edit Content Rendered In Views


Thought I’d share a trick that I learned from Metal Toad while working on a Drupal 7 development project. This trick may make you very popular with your clients if they hate being forced to dig through the content table in the standard admin overlay until they find the specific piece of content in a view they want to edit. Instead, this method will create a gear button when you hover over the content on the front end, with a link that says “Edit” when you click on it.

I should note that if you style each row in the view using ‘Content’ under the Format > Show menu then views will add the link for you automatically. If you have a very simple view and this is all you need, no need to read further.

Unfortunately for me, many of the views I tend to create are formatted using ‘Fields’ because it gives me more flexibility to customize the output. The drawback is that it doesn’t automatically add these useful contextual edit links for content. But don’t worry, a pretty simple solution follows.

1.) Open up your view and navigate to the ‘Fields’ section. Click ‘Add’ and search for ‘Content: Edit link’, check the box next to it and apply it to the display.


2.) Navigate back to the ‘Add’ button next to the ‘Fields’ section of your view and click on the small arrow to the right of it. Next select ‘Rearrange’ and move your ‘Content: Edit Link’ field to the top of the Fields list. Apply the change.

3.) Now go back and click on the ‘Content: Edit Link’ field to bring up the field configuration screen. Expand the ‘Style Settings’ section and make the following changes. Be sure to change the HTML element to DIV and spell the class names exactly as below.


4.) Scroll down further in the same screen until you see the ‘Rewrite Results’ section and expand it. Check the “Rewrite the output of this field” box and put the following HTML into the text box:

<ul><li>[edit_node]</li></ul>


5.) Scroll up to the ‘No Results Behavior’ section and make sure that the “Hide if empty” and “Hide rewriting if empty” check boxes are checked. Apply your changes.

6.) Lastly, you need to add some styling to the edit links wrapper. For my example I used the following, which puts the edit links in the top left of the content box. If you want them to appear at the top right instead, just leave out the ‘top: 0px’ line.

.views-field-edit-node .contextual-links-wrapper {
    height: 50px;
    width: 50px;
    top: 0px;
    left: 0px;
}

If you want the wheel to be a different color than the standard grey, you can use image editing software to alter the color of the gear image at the following location: “[your project's base URL]/modules/contextual/images/gear-select.png”.

Hope this trick helps you as much as it has helped me! Feel free to reach out with any questions.


Tips: Small Business IT Best Practices

I’ve worked with a number of start-ups and young companies over the years, and one thing I’ve noticed is that it is quite common for a smaller company not to think much about their IT. They are not ensuring that it is properly structured, safe, and reliable. Smaller companies can become so focused on their product/business that they forget to make sure their underlying infrastructure is solid. Companies put all their energy into their code and their code quality; however, they often overlook equally important pieces, such as the servers that run the code. Here are some of the tips I frequently give companies.

Where is your code?

Small companies are often focused on making sure that their product is bug free, or doesn’t crash in certain browsers, etc. However, if tomorrow their outsourced developer disappeared or their server crashed, they might not have access to their code. I recommend that companies keep a hard copy document stating how to recover the code, which is in turn backed up across multiple company computers to which multiple people have access.

Knowing how to recover the code without outside help is critical. If the outsourced development firm/developer disappears, there is a conflict, or for any other reason they are unreachable or will not cooperate, it is important to still have access to the code. Far too often outside contractors disappear, and I’ve seen companies stuck, unable to get their own code.

Making sure there is always access to the up-to-date codebase will save headaches later. It also means you won’t need to ask the current developer for the code if you want another developer to work on it or do a code review.

Where is your database?

Similar to above, what happens if for any reason (server crash, hackers, an act of God, etc.) your production database disappears? Do you and your colleagues know where to recover the information?

Often data is the most valuable possession of your business. Being able to recover it is critical. If you can’t recover any of your data, it is very possible that will be the end of your company. How often should you back your data up? That depends on your business. For some companies a daily backup will be plenty; for others, such as companies which pay people to take surveys, losing a day of data could equate to tens of thousands of dollars lost. This is something you’d need to discuss with your colleagues.

Another important part of database backups is making sure that they are stored for long enough. If you only keep one backup, which happens at midnight each night, what happens in the following situation? At 11:59 PM one night your database is compromised and most of the data is corrupted. That night when your backup runs, it overwrites your only good copy with the corrupted data.

Nowadays, data storage is very cheap (under 9 cents per month per GB), so keeping backups for plenty of time is well worth it. At a bare minimum you should make sure that your database backups are kept long enough that you’d notice any problem with the data before the oldest backup is removed. For example, for a forum you may want to keep at least 2 weeks of database backups. If someone deletes data from your forums, you’d most likely notice it within 2 weeks and could recover it. Again, data storage is cheap, so keep backups for plenty of extra time (or forever).

Server Configurations

Using the cloud? Your own private hardware? Either way, an often overlooked backup is the backup of how your servers run. Without a server to run your code and serve your data, the other two become insignificant. Keeping up-to-date backups of your server configurations is critical. You need to make sure that you can always recover a failed server.

I’ve seen several Amazon EC2 instances fail. When that happens, companies are sometimes left scrambling to figure out how to get their site or product back online. How long can your company afford to be offline? If over an hour is too long, make sure that you always have up-to-date server images that you can immediately boot.

If you don’t have any documentation of how your server is set up, it’s likely that when it crashes you won’t be able to get back online quickly. It’s even more likely you’ll forget some setting, which will leave the product or site not fully functioning.

Aside from keeping a backup of your server configuration, having access to the server permissioned correctly is equally important. An example of what I’ve seen: a company hires a new contractor to work on a development version of the product while the main developer works on a different feature. The contractor mistakenly runs the wrong command on the server and wipes out the entire site. This happens all too often and is narrowly avoided at other times. Making sure that different users only have access to specific environments (such as the development environment above) on the server is very important. Everyone should have their own login to the server so that you can remove any user without requiring everyone to learn a new shared password. I also recommend always using SSH keys; they make weak passwords irrelevant and the server more secure.

Have a Written Disaster Plan

I’ve listed out some key tips above for how to keep your business running properly. However, all of these should be summarized in one document. The document should itself be backed up and accessible to multiple people in your company whom you trust. If something happens to you, you don’t want it to ruin your entire company, so distribution of the disaster recovery plan is critical.

Making sure you understand the plan and that the plan is effective is equally important. At least once a month it makes sense to go through the plan, make sure it is up to date, check that all the different parts are actually working (you aren’t backing up a blank database due to a typo), and actually run through a recovery.
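The retention advice above (keep enough history to notice a problem, e.g. two weeks for a forum) and the monthly check (you aren’t backing up a blank database due to a typo) can both be automated as a sanity check over the backup directory. The script below is an added example, not from the original post; it runs over a constructed list of nightly dump file names and sizes and reports a stale newest backup, too little history, or a dump that is suspiciously small compared with the others.

```python
from datetime import datetime, timedelta

# Constructed sample listing of nightly dumps (file name, size in bytes), the
# sort of thing `ls -l` on a backup host shows. Not from a real system.
SAMPLE_BACKUPS = [
    ("forum-2013-11-01.sql.gz", 5_100_000),
    ("forum-2013-11-02.sql.gz", 5_150_000),
    ("forum-2013-11-03.sql.gz", 5_170_000),
    ("forum-2013-11-04.sql.gz", 320),  # dump of an empty database: the "typo" case
    ("forum-2013-11-05.sql.gz", 5_210_000),
]


def parse_date(name):
    """Extract the YYYY-MM-DD stamp from a name like forum-2013-11-05.sql.gz."""
    stamp = name.split("-", 1)[1].split(".", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%d")


def check_backups(backups, today, retention_days=14, max_gap_days=1, min_ratio=0.5):
    """Return a list of problems; an empty list means the backup set looks healthy.

    today is a YYYY-MM-DD string. Checks: the newest dump is no older than
    max_gap_days; the oldest dump gives at least retention_days of history;
    no dump is smaller than min_ratio of the median size (empty/partial dump).
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    dated = sorted((parse_date(n), n, s) for n, s in backups)
    if not dated:
        return ["no backups found"]
    problems = []
    newest, oldest = dated[-1][0], dated[0][0]
    if now - newest > timedelta(days=max_gap_days):
        problems.append(f"newest backup {dated[-1][1]} is {(now - newest).days} days old")
    if now - oldest < timedelta(days=retention_days):
        problems.append(f"only {(now - oldest).days} days of history kept, want {retention_days}")
    sizes = sorted(s for _, _, s in dated)
    median = sizes[len(sizes) // 2]
    for _, name, size in dated:
        if size < median * min_ratio:
            problems.append(f"{name} is {size} bytes, far below median {median}: likely an empty dump")
    return problems


if __name__ == "__main__":
    for p in check_backups(SAMPLE_BACKUPS, today="2013-11-06"):
        print("PROBLEM:", p)
```

Wire it into cron after the nightly dump and have it mail you when the returned list is non-empty; a size check is cheap, but a real recovery drill (restore the dump and query it) is still the only proof the backup works.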

While planning for disaster, failure, and unforeseen events takes time, it will pay for itself when something goes wrong.

Have any questions? Shoot me an email!

Happy Movember!

Happy Movember all! This year some of us are participating in Movember. Movember is where you grow a moustache to support men’s health. Each week we’ll be taking a picture as our moustaches grow and are shaped into beautiful sculptures.

Our team page shows some updates, how much we’ve raised, and who has joined our team. Join up with us or donate to the cause!

Here are the three mugshots of us who are participating (smiles not allowed) so far:

(Photos: ashish, jared, daum)

Here’s to a great Movember!