WinZip Protection

I need to do some tests that involve the output of our application builds. Normally configuration management does the builds. They use their own build machine which is under their control. I want to run a modified build that goes against our branch in source code control. I have my own virtual machine. So I decided to configure it to perform my own builds. This turned out to be a lot harder than I thought it would. I am still fighting with the configuration to get the build script to run to completion.

One requirement for the build machine is to have a certain version of WinZip, along with some configuration files used by WinZip. Luckily I had all the files needed for this version of WinZip. The build scripts assume that the correct version of WinZip is located at C:\Program Files\Winzip. I thought this would be no problem. I decided to move the existing copy of WinZip from there to another place. Then I would put the version needed by the build there. Even this simple task was hard to accomplish.

The system administrators of my workstation must have set it up to ensure that the version of WinZip that they expect is always located at C:\Program Files\WinZip. I tried to delete the files there. They were locked. I was able to temporarily rename the WinZip folder. However when I tried to copy my new version of WinZip to the right location, a WinZip install process immediately kicked off, restoring the wrong version of WinZip to that location.

This was very frustrating. I did not even know what secret process was protecting the installed version of WinZip. I found that I was able to cancel the automatic reinstall process each time it ran. Then I could sneak in the version that I wanted. However at every turn I had to keep canceling this job. This was very frustrating.

My next problem is that Ant is looking for a “tools.jar” file. It is missing. I think I have successfully installed Ant. This must be some Java install from Sun Microsystems. I tried installing the latest Sun JRE. I also tried to install the JDK. Ant still keeps complaining about this. I am a Windows C++ developer. The build scripts were written by Java guys who have long since left the project. It looks like I am going to have to dig into this problem. I need my build.

Security Debacle

I had previously mentioned that a security audit showed we were logging sensitive information to a plain text file. My solution to this problem was to encrypt the file. I thought it would be fun to research and implement some encryption code. However the boss said we had to use the approved method from the customer. Furthermore we had to use their routines. This quickly turned into a boring task. So I put it aside. The boss told me to get our security guy to find out what method the client requires, and to obtain the necessary code to do it.

So I gave our security guy a call. He said he would get us the information in a couple days. The boss checked on the status with me. Apparently our security guy had made some promises to the customer based on his research. I told the boss I was still waiting to hear back from this dude. We both conference called him. He said he had researched the question and provided an email with his findings to development. My boss asked who exactly in development he sent the information to. He said he emailed it to Hugh. The only problem with that is there is no Hugh working in software development. I thought to myself “poor Hugh”.

The next day I got an email containing the information that the security guy had sent to Hugh. It seems our guy queried some security folks in our company instead of checking with the client. The assorted responses were precious. I could not make this stuff up if I tried. One person stated, “In college I wrote a paper on applications for database security, including encryption.” Another guy chimed in with “Why don’t you look at Oracle 11G? I believe inherent within the RDBMS there is encryption as part of the package.”

These responses put the boss over the edge. I spoke with our security guy. And I told him we have some Windows C++ applications that wrote log files in plain text on the local hard drive. We just need to write encrypted files. It has nothing to do with Oracle or databases. Then the boss made me call him back to tell him we needed the information today. That caused security guy to recommend that we use McAfee SafeBoot. Now I am no security expert. However I think SafeBoot is something you use to encrypt the whole hard disk, or a file that the user specifies. However I think it best to keep an open mind about this. You never know. I might get a few more laughs out of this exercise. In the end, I think my boss will cave in and let me roll my own encryption algorithms. At least I could implement an industry standard like 3DES or AES.

Video Game Developer

I read an article in the Los Angeles Times about video game developers. More and more young developers are getting into the video game arena. But is this a legitimate career? And is there any money in it? This is what many parents want to know.

Initially, most video game developers were hobbyists. This was the same for early personal computer adopters. Things have changed now. Big games require lots of people to produce them. The largest often have staffs of 100 people or more.

The video game development field is still young. It involves multiple parts such as game design, artwork, and audio. There is nonetheless a high placement success for graduates. Many students go to work at Electronic Arts.

However video game development is not all fun and games. For example, it is not as fun to thoroughly test a game as it is to play a finished game. There is also a lot of stress due to tight deadlines. There is some hope. The average salary for a game developer is over $73,000 a year. This is according to Game Developer Magazine.

I remember I once worked for a defense contractor. We had some good work to do. But it was not too exciting. Almost all the people on the development team dreamed of being game developers. They went to game development conferences. And they were coding games at home in their spare time.

Me I really do not idolize the game development world. Yes it may have a product which is fun. However I don’t think many people will get rich doing game development. Sometimes the hours can be tough. And I do not think there is a lot of maintenance in the game development arena. You are most likely going to be developing the next big game all the time. I will let the younger more enthusiastic crew deal with that.

Reports Mystery

We have a number of reports in our system. They are written with an old version of Oracle Reports Builder. We store them in RDF format. Recently a customer wanted some changes to the most complicated report we have. The reports developer coded up the changes. The modified report was included in our build to the test team. However it seemed that the test team was having a lot of problems. Our reports developer said it looked like the testers always got an old copy of the report. The reports developer decided the only solution was to turn the RDF report into an executable.

That solution screamed of doubt. Our team lead also said he could not imagine that this could be the best course of action. He asked me to assist to find out what was really going on. I said that we could turn the report into an executable. However I strongly encouraged that we understand the cause of the problem first. I am really too busy to spin my wheels on fixes that are guesses. I tasked the reports developer to get to a stage where the problem could be reproduced at will. I said that the testers could duplicate the problem. So this should not have been a difficult task.

Once the reports developer got a tester login, we were ready to move on. I said we needed to find out whether the report that got modified was actually getting called. I told the reports developer to look at a database table which logs the path of each report that we run. Sure enough, the updated report was getting called. I then had the developer look at the logic inside that report. It seemed this report was spawning off another worker report. The report developer jumped at the chance, and modified this report to use another technique to spawn the second worker report. That only caused more errors.

I instructed the reports developer to roll back those changes. Then we continued on. I asked the reports developer to determine whether the second worker report was getting called. Some logging code was added to this report. And yes indeed, the second worker report was getting called. Then I had the reports developer mimic the configuration of how that second worker report was getting called. With that configuration in place, I had the reports developer run the report using the Oracle Reports Builder tool. At once the problem was evident. This second report was expecting a certain table structure in a temporary table. This new structure was supposed to be controlled by an update to a stored procedure. It looks like that stored procedure change did not get promoted to the test database.

What is the moral of the story here? There are a few. The first is that you should not fix a bug that you can not reproduce. You should also not try to code a fix if you do not fully understand the root cause of the problem. Breaking down complex processes into smaller steps helps isolate problems. Old school error logging also helps you get a handle on things gone awry. I hope these lessons get learned with experience. Everybody has to learn sooner or later.

Sun Downloads

My customer told me to enter a request in a web application that their organization hosts. I tried to launch the application. However it required a newer version of the Java runtime environment. The application navigated me to the Sun Microsystems download page. There were a lot of downloads listed there. I went through the list and found the one I needed. It happened to be the J2SE Runtime Environment 5.0 Update 16. Or in other words, I needed the latest Sun JRE.

On the Sun web page, I chose my operating system. The only button I saw was one which started up a Sun downloaded application. So I clicked the button. It was strange that I only selected the latest JRE, but this downloader was trying to download more than that. On top of this, the downloader was aborting with an error. The status said that it could not create the file on my disk. This was disappointing. I had enough disk space. What was I to do?

I looked more carefully on Sun’s web page. There was actually a link for me to perform a normal download of the JRE without using Sun’s download application. It was then that I was able to download the JRE update. This whole process was a bit disturbing. Couldn’t the initial application from my customer just configure my system automatically? That would have been much easier for me. Sun is also partially to blame here. Why are these people trying to push their download application? I also strongly recommend they ensure the darn thing actually runs the first time I try it.

Hey. I am a developer. So you know I am going to eventually be able to figure out how to get the latest JRE downloaded and installed. I pity the poor average computer user who has to deal with this. Perhaps this is an opportunity for my company to get some more work with this client. It is time to turn these lemons into lemonade.

Fun With Security

Our application suite logs debug information to a file on the local disk drive. A security audit found that we were capturing sensitive information to this file. The fix was to stop doing that. However we also got dinged for allowing free access to this log file. I thought we could address this concern by encrypting the file. This gave me all kinds of ideas of interesting security encryption code to write.

The software development manager said we had to use the approved encryption method that the client advocated. Still being excited over this project, I pored through the mounds of security requirements that our client has. This was a dry exercise. I thought I found a section on encrypting files like ours. It pointed to another standard. I read a little bit about this standard. It seemed a bit involved. There was a lot of math used. But that’s ok.

I found an example of the algorithm written in the C programming language. However I still wanted to roll my own implementation. It is fun to write code. As a precaution, I went and told the software development manager what my intentions were. He told me we could not write our own implementation of the encryption. The security guys would not go for that. Instead I had to get the source code from our client.

This task keeps getting more and more boring by the second. Now my plan is to dump this onto a subcontractor. Perhaps instead I can work on a rule based engine that parses the audit information and suppresses the sensitive information. Hey. I am a company man. And although the overall mission is to solve problems for our customers, I got to have some fun while I am at it. Life is too short to do otherwise.

Commercial Example

Our project has been having numerous problems with our install packages. I downloaded what I consider to be a commercial software application this weekend. It seemed to have a moderately complex install process that went through without a hitch. Perhaps our project can learn something from this team’s choices.

Let’s start with a review of our project’s install process. We control our release builds with scripts written in Ant. The Ant calls Visual Studio to perform the compilation. Then the results are packaged up with Installshield Professional. The results are zipped up using Ant. And finally they are turned into an executable with Winzip Self Extractor.

The commercial software I tried out this weekend did a number of things at the time of install. It seemed to install and configure a Sybase database on my machine. It also installed an application server, as well as at least one Microsoft Windows service. That is a tall order. However it did so seamlessly.

I was able to see that this commercial software used IzPack. Now I have heard about other installer software. But I have never heard of this one. Apparently it is an open source package. It seems to support features we need such as an uninstaller and an unattended installer. This looks promising. You can’t beat the price of open source.

Perhaps I will give this package a try. Right now it is not my job to fix the install problems with our project. However in the end, the problems affect the whole team. And the boss comes to me frequently when other developers on the team can’t cut it. It is best to be prepared.

Self Extractor

Install problems continue to plague my project. The development lead has taken on the task of resolving these problems. I took over some of the work he was doing. The dev lead called me up and explained what he had found out. Our install executable is unpacking the compressed files. However it is then deleting those files before installation is complete. The install program is then unable to access the files needed for installation. He asked me to research whether it was possible to turn off the delete of temporary install files.

Our build process uses the Winzip Self Extractor program. First we create a zip file which contains all of the installation files. Then we use the Self Extractor program to change the zip file into a self extracting archive which automatically launches the setup program. Unfortunately I did not have my development machine with me. However I did have a computer. I tried to research the Self Extractor options using Google. But I did not have any luck.

I decided to download Winzip Self Extractor itself to see if there was any documentation that came with it. Winzip has an evaluation download copy for free. I did clarify that we were using the self extractor for software installations. This product always deletes the temporary files when it is done. However it does have a wait option that delays the temp file deletion until your setup program is done. By default it waits until setup is complete. Our setup program is called something else. So we need to pass the name of our program to the Self Extractor as an option.

Having done the necessary research, I passed the information on to the dev lead. He commented that we already use the wait option with Self Extractor. However it seemed like we only wait until our setup program removes the old version of our application before Winzip deletes the temporary files. That was surely not correct. I hope this latest bit of information helps our lead solve this problem. It is embarrassing when we release software to the customer and the darn thing just won’t install.

Laptop Lock

I currently have two laptops at work. One of them was provided by the client. It came with its own security cable and lock. This lock works fine. I dial up the combination and unlock it whenever I need to be on the go. The other laptop I have is the company one. At first I received no security cable or lock with it. So I kept it safe at home. Then I got a lock handed down through the chain to me. I proceeded to bring my laptop in to work. There was only one problem. The lock did not seem to work.

This lock was a Kensington lock. The documentation said it was supposed to work with Kensington security devices. The instructions said to insert the lock into the laptop, turn it 90 degrees, then change the combination. I did this. However I was able to rotate the lock 90 degrees back even when the combination had been changed. Not much security there.

I emailed the big boss and said this lock was not cutting it. He replied that nobody else was reporting any trouble. So the problem must be with me. I went to my direct manager. He could not figure out how to use the lock. He said he asked the customer to supply him with an extra good lock. Another guy on the team overheard this. He said the locks the company gives out are hard to work with. He proceeded to jam the lock into my laptop hard. Now it was stuck in place. I thanked him for his help.

It came to the day when I needed to go on travel. I still had a lot of work to do. So I needed to take my company laptop with me. Wouldn’t you know it? I could not unlock the lock that was jammed into the back of it. I tried and tried. Finally I gave up and left without my laptop. There is definitely something wrong with this situation. I should not have to fight with this lock. How much could a new working lock cost?

Yeah I can probably get somebody to get the lock off my laptop. But if I cannot do it, it defeats the purpose. Sometimes my company is very generous. And now it seems sometimes it is stingy. Unfortunately the security of my company laptop is my responsibility. If somebody steals it, my head is on the chopping block. I guess it is time to go and buy a new lock myself. I have some other ideas on how to deal with this. However they are just too risky.

Security Pie

About a year ago, our system had a security audit. We failed in quite a few areas. The client directed us to plug these security holes. One of the weak areas was logging. We write a log file to the local disk on the workstation. It contains sensitive information. And the file itself has no protection.

Our boss thought it might be prohibitive to plug these gaps. He thought we might have to go through every place in all our applications where we do logging. Then after analyzing all that code, we could find the places where we log sensitive data. Finally we could change that code. This would take forever since we log stuff all over the place in the code.

There is a simpler way I thought. So I pitched an idea. We could make some modifications to the common routine that writes the log information to the disk. We could add a parser at this layer. The parser could scan the text being logged for sensitive information. It could then strip out this information prior to writing to the log file.

This technique has a number of benefits. First of all, this sounds like a fun project. More practically, it cuts down on the time for analysis versus the manual method. We actually don’t need the sensitive information in the logs. We are pretty sure we know most of the patterns where the log information contains sensitive info. It should be a snap to write a parser that strips this information out.
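
The parser-in-the-common-log-routine idea from this post (and the rule based suppression engine mentioned under "Fun With Security"), sketched as an added example that is not the project's code. The patterns and the names `scrub` and `LogWriter` are hypothetical, since the posts do not say what the sensitive data looks like.

```cpp
#include <iostream>
#include <iterator>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// One redaction rule: what to look for and what to write in its place.
struct Rule {
    std::string name;
    std::regex pattern;
    std::string replacement;
};

// Hypothetical patterns (assumptions, not taken from the posts).
static const std::vector<Rule>& rules() {
    static const std::vector<Rule> r = {
        {"ssn", std::regex(R"(\b\d{3}-\d{2}-\d{4}\b)"), "[SSN]"},
        {"card", std::regex(R"(\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b)"),
         "[CARD]"},
        // Keep the key and separator, replace only the value.
        {"credential",
         std::regex(R"(\b(password|pwd|token)(\s*[=:]\s*)[^\s,;]+)",
                    std::regex::icase),
         "$1$2[REDACTED]"},
    };
    return r;
}

// Apply every rule to one log line; optionally count how many values were hit.
std::string scrub(const std::string& line, int* hits = nullptr) {
    std::string out = line;
    for (const Rule& rule : rules()) {
        auto first = std::sregex_iterator(out.begin(), out.end(), rule.pattern);
        int n = static_cast<int>(std::distance(first, std::sregex_iterator()));
        if (n == 0) continue;
        if (hits) *hits += n;
        out = std::regex_replace(out, rule.pattern, rule.replacement);
    }
    return out;
}

// The single choke point: every caller logs through write(), so no call
// site in the applications has to change.
class LogWriter {
public:
    explicit LogWriter(std::ostream& sink) : sink_(sink) {}

    void write(const std::string& msg) {
        std::string clean;
        try {
            clean = scrub(msg, &redactions_);
        } catch (const std::regex_error&) {
            // Fail closed: never fall back to writing the raw line.
            clean = "[line dropped: scrubber failure]";
        }
        sink_ << clean << '\n';
    }

    int redactions() const { return redactions_; }

private:
    std::ostream& sink_;
    int redactions_ = 0;
};

int main() {
    // Constructed sample lines, not real log data.
    std::ostringstream file;
    LogWriter log(file);
    log.write("lookup user=jdoe ssn=123-45-6789 ok");
    log.write("Login failed, Password: hunter2, retry");
    log.write("charged card 4111 1111 1111 1111");
    std::cout << file.str() << "redactions: " << log.redactions() << '\n';
    return 0;
}
```

A scrubber like this only catches the patterns it is given, so the redaction count is worth watching: a build whose count drops to zero usually means a log format changed, not that the data went away.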

My other idea was to encrypt the file. The security folks would love that. This helps us lock down the logs pretty easily. I envisioned another fun software project where we could invent and implement a new encryption method. However the boss said the security guys would not go for that. Ok. We can take whatever algorithm they recommend, and implement that. Not as fun. But it is still easy to do.

There are many instances where the right outlook on a problem can reel the cost estimates in significantly without increasing risk. Isn’t that why they pay us designers the big bucks? I will let you know as soon as my company starts paying me them.

Install Resolved

Our team has had some lingering problems with our installations not working. We have a total of four applications which each have their own install program. Two of them work all the time for me. The other two were recently just not working on my workstation. I would run the install executable. It would do nothing. There would be no error messages. The only thing I saw were some partial temporary files left behind.

This got escalated when our test team could not install all of our applications. The problem was especially troublesome because the installs worked sometimes. It was an intermittent problem. One developer thought it would work for them if they tried to run the install program twice. However that did nothing for me. And it seemed that it did not always work for that developer either.

I took a look at the Ant script that builds the install executable. However I did not see anything unique about the scripts for the problematic install programs. Another developer concluded that this must have something to do with the VPN software we use to connect from remote locations. I noted that I would encounter the problem both on my laptop, and also on my virtual machine. This was a double whammy.

The problem became ultra high priority when the customer confirmed they also could not install the problem. I tried to do a little more research. However I had my own normal work to attend to. One of our install script developers had left the project. So the onus fell on the other install script developer to figure out what was going on.

Finally the install guy came back with the cause. Apparently the install program was trying unsuccessfully to overwrite a system DLL that was sometimes in use by another program. This was shameful. Why are we trying to put this in the system directory? We have our own directory on the local hard drive. Furthermore, analysis showed that this DLL was not even required by our application.

At least we had somebody figure out this troubling problem. We are not out of the water just yet. There are some other strange install behaviors that people are starting to complain about. Our install guy better get busy again.

Business Travel

This week I am returning to some company training. The commute to the training location is evil because I live near a big city. So I told my company I needed a hotel room close to the training facility. To my surprise they said ok.

We are always busy at work. I need to be in training a couple days this week. Therefore I need to find a way to do a whole week’s worth of work in a couple days. Part of this involves saying no to requests for help. However I have to pick up the phone when the customer calls. I also have to do the work that the boss says needs to get done.

On the day that I need to travel, I still have a lot of work to do. That’s ok. I figure I can take my computer with me and do some work on the road. There is just one problem. I can’t get the darn security lock off my computer. And the guy that knew the trick and locked it in the first place is no longer on the project. Hey. They pay me to deal with situations like this. So I get another computer and bolt on travel.

I check into what I thought would be a luxury establishment. However this hotel seems to be all show and no substance. There is no fridge in my room. And the high speed Internet is no speed. What a crock. I guess I am going to have to go into the training facility in the middle of the night, or real early tomorrow to get on the network. Life sucks. Then you die.

My company considers this local travel I think. They will pay me to drive to the site. But I don’t get any money for food. Lucky for me I made a killing in the stock market this week. So I ordered up some room service. The sky is the limit. I might even leave a good tip for the delivery guy. Life throws you curve balls. And you need to roll with the punches. I have been beaten up this week.

SharePoint Communications

The development team updated the design docs for the latest changes to the applications. I did most of this work. Then we presented the updates to all the stakeholders. This presentation spanned two meetings. There was a lot of feedback.

My team lead made a comment that I needed to update the design docs based on stakeholder feedback. I figured I could do that. I did most of the writing, and also most of the speaking.

I called up my manager and asked him how he wanted me to handle the updates. He said to make the changes, hold a peer review internally, then publish the updates to SharePoint. I did all of this.

Before sending out the big message to everybody that an update was available, I called my manager one last time. I told him I was done and was about to broadcast that the update was available. I am glad I called him. He said I was not supposed to publish the changes until a lot more things were done. I was about to grill him as to why he did not mention this before. However he is the boss. And it would also serve no good purpose.

So I deleted the docs off the SharePoint site. Then I passed my updated copies to him. I figure I am done here. The moral of the story is that it is important to confirm communications when you are about to share information with the world. The best way to conduct such communications is face to face. If that is not possible, you should pick up the phone and make a call.