Oh Heroku, Why?

In a sad turn of events, I managed to get a test app running using Java, added it to Git and uploaded to Heroku. It was only then that I realized I need to “Verify” my account before being able to run my application.

Fair enough. Google app engine sends a text message to your phone in order to verify an account. When I originally set it up, I was unable to get the text message to work, so I filled out a form and received access the next day. I liked this - no need to provide any payment information for a service I have no plans to pay for.

Heroku takes a different approach. Verifying your account must be done by handing over a credit card. If you don’t want to provide payment information to a company you don’t plan on paying, then you can consult the FAQ:

Can I verify my account without a credit card?

Currently, you need a credit card to verify. We continue to research other means of verification and will announce if other methods are made available.

Hmm, not with the amount of credit card breaches that have been happening in the last few year. Especially if you are providing a free service, I don’t see why you need to verify via credit card, which will be kept on file in order to provide an easy way to upgrade services in the future.

Of course, credit card verification for free accounts is their call, and it isn’t like I can complain as I would be using their resources and not paying for it anyway. They do look like they have a good setup: free limited account, a lot of languages to choose from and a slick, easy to use UI.

If I ever want to do some serious cloud hosting, they will be on the top of the list, but for free, I’ll stick with places that don’t need the credit information.

Let Set Up Heroku

Now that we have a cloud platform to use, how do we get started? Well, signing up is easy, just enter your email and confirm, but what’s in the Terms of Service?

  • Must be 13 years or older - really? Why 13?
  • Your account gets shut down once it reaches the hard or soft limit. Good, they won’t be charging me for going over
  • I get to own all my content, hooray
Otherwise, pretty standard stuff. Interestingly, it is an adapted version of the Google App Engine terms.

Anyway, setup time. Registering brings you to a link with quick start guide. Set up is a simple as download, install and run some command line utilities. After logging in with the command line tool, you have a plethora of tutorials for all sorts of languages.

Even better, Heroku’s GitHub page has a lot more examples, including a Grails example that I plan on looking into next.

Which Cloud Provider Should I Use?

Recently, I read through Code in the Cloud - Programming Google App Engine and decided to start a new project with cloud computing. Overall, it was quite good with an decent introduction to cloud computing as long as you already know Python and Java with a smattering of server side web development.

Now that I’ve had a taste of cloud computing, lets get started building something. First, we need to decide where to host the application, and to do that we need to set some requirements. This is just for fun, so price should be exactly free, and it needs to support Java (I’d like to stick Grails or some other Groovy framework, as that is what I am most comfortable with right now), but other options would be nice as well.

What are the popular platforms out there? A quick search gives the following: * Windows Azure: Supports Java, Node.js, .NET and PHP, so there are plenty of options, but it is only free for 90 days. * Google App Engine: Supports Java, Python and Go. I don’t care for Python, but Go is interesting. The fist thing I tried after getting the basics was trying to use Grails, but it looks like the App Engine plugin is currently broken and not being maintained. There is Gaelyk however, a Groovy framework specifically for the App Engine. App Engine also gives us free instance hours and backend data stores. * Heroku: Looks great with support for Java, Ruby, Python, Clojure, Scala and Node.js, but the free account seems very limited with many restrictions. * Amazon EC2: Very flexible with support for many languages and customization, but I’m not really interested in supporting the backend installs myself. * … and plenty of others.

Since I’ve already used Google App Engine and seen some of its limitations, lets start this project with Heroku. Limited storage may not be too big of a setback as this is just for fun, and the list of supported languages really beats the competition in other free cloud offerings.g

In Search of Vulnerabilities

Pro tip: When looking for examples of web site attacks, use private browsing mode.

In a search for examples of CSRF attacks, I found some lovely vulnerabilities in Facebook and Netflix. What makes for a good example? Well, real-life vulnerabilities in known web sites, or of known companies, preferably with known exposure or losses; examples along the lines of “if this was your bank account…” just don’t have the same impact as “so many contacts were stolen from Facebook.” Even better is when they show the code for the attack.

The problem with doing this sort of research is that “showing the code” typically means “live demo”, and a “live demo” of a security vulnerability means “here’s an actual attack”. The only difference between an attack and a demo, is that the demo gives you some warning.

And so it was, that I found an interesting CSRF attack on Netflix which places a rather embarrassing movie in your queue and moves it to the top. Luckily, it looks like Netflix has addressed this vulnerability, even though I never looked into the attack further. It was at this point that I realized that I was currently logged into Netflix on this computer, and if the attack was still possible, I would have some explaining to do to my wife.


I almost made it halfway through, but I couldn’t stand it anymore. One year ago, I made a challenge to myself: Play all the numbered Final Fantasy games. No time limit, just play them. One year later, I’ve failed; and all because of Final Fantasy VIII being so awful.

Events leading up to this pledge started in 2002 with the release of Kingdom Hearts. At the time, the only thing I knew about Final Fantasy was that guys tended to have spiky hair for some reason. By brother gave me the game as a Christmas present, fully expecting me to return it and get something I would actually play. Instead, I gave it a shot and played through the game without paying much attention. The most I got out of the game was being amused that the main characters were a perfect meld of spiky haired, stereotypical Final Fantasy characters and big shoe’d Disney cartoons.

Jump ahead 3 years and a friend of mine started getting giddy about the upcoming release of Final Fantasy XII. He’s been playing Final Fanasty games for years and won’t stop talking about it. So I finally get interested enough to get a used copy of Final Fantasy X. It was interesting enough - the first time I’ve watched a movie with the occasional game-like interaction. I stopped playing near the end of the game since I kept dying.

Well, it got me interested in Kingdom Hearts again. So I started playing through again, but this time I start paying attention. I was absorbed by the story and the characters. It felt like a completely different game, and I was amused by seeing a young Tidus and Wakka in the first area. From then on, I tried playing through Final Fantasy XII, but only made it a dozen hours in, but I played every Kingdom Hearts game I could since then.

Now, as I anxiously await some news of Kingdom Hearts 3, I think to myself, “Maybe I should play through those Final Fantasy games.” With a PSP and a GBA, I have access to all of the numbered games (well, except for III, but that was eventually released on iPhone). Over the course of a year I managed to play (not necessarily in order) I, II, IV, VI, VII and IX - even XIII, and that isn’t easy on a console with a new kid in the house (took about 11 months). I loved all of them (VII was so-so, but still playable), so I start up VIII with high expectations, but now I’ve quit.

Where to start? The boring, yet inexplicable story; the impossible to understand battle system; how about the dungeons which literally repeat the same room multiple times? No, I think I’ll start with the annoying characters and their dialog.

I don’t expect much from the dialog in a Final Fantasy games. Just enough to explain your next location with maybe a dumb joke thrown in occasionally. For some reason, the lead character Squall rarely speaks aloud; instead, we are treated to his innermost thoughts for half the conversation. Most of the time he thinks about “Why am I here?”, “What is he talking about”, and of course, the riveting “…”, “……”, and “………”.

Squall is also surrounded by clingy women, ditsy goof offs and annoying frenemies. At no time do I care about any of these people, nor do I ever understand their motivations. Seifer, the rival, decides to disobey orders and join with the baddies early on while he drags his friends along, reluctantly; Quistis, the teacher-turned-coworker starts off apparently attracted to Squall, but that gets dropped suddenly and without explanation; and Selphie and Irvine are just impossible to stand.

Eventually we learn that our rag-tag, randomly assembled from across the continent, spunky group of youngsters just happened (with only Irvine having any recollection of) to have been raised together in the same orphanage with Squall’s rival and being taught right from wrong by the eventual semi-antagonist. I say semi-antagonist, because she is apparently possessed by a sorceress from the future. I won’t get into the random jumping time jumping by the main characters that apparently happens “just because”.

By the time I quit, I had to play through two dungeons: a maze where each screen is nearly the same as the last, and a prison, where each floor is identical (and that you need to climb up and down repeatedly. At least with the maze it made some sense to confuse the player, but the prison was painful and tedious. You start at the top and need to fight your way down about 10 floors, only to to find out that the exit is at the top of the prison, so you have to go all the way back up with nothing to differentiate or hold your interest.

Then the battle system. In most Final Fantasy games, the characters have specific classes: mages are the only ones casting magic, one character has the highest strength and can focus on attacks. Other games have the characters starting off fairly similar, but let you focus each character on a specific role. FFVIII however uses the “Junction” system. Each summon that you collect throughout the game grants increased abilities (link increase attack) by junctioning the summon to a character. You then junction magic (like water) to the abilities. The more magic spells you junction to the ability, the more the ability increases.

But, how do you acquire the magic spells. In other games, you level up or purchase the spells. In order to cast the spell, you use up MP. In FFVIII however, enemies have the spells, and you must “draw” the spells out instead of using your turn to actually attack the monsters trying to kill you. Now, each battle consists of inspecting the spells that the enemy has, comparing them with your stock as you can only carry 99 of each spell type, then drawing.

This sets up a certain dynamic for each battle. Instead of focusing on fighting, the typical fight starts with casting sleep spells to stop the enemies from attacking, then spending 10 minutes drawing as many spells as possible from the enemy. The more spells you have, the higher your stats become, so you want to draw as much as possible. Once you’ve drawn as much as possible, the actual fighting can begin, but you don’t want to cast any of that magic you just obtained. Casting magic that is junctioned to an ability will lower your stats.

Battles are tedious, repetitive and boring. Maybe that describes every Final Fantasy, but other games feel like accomplishing something while this seems like work. All stat increases happen via junctioning; this makes leveling up and gathering experience points - um - pointless. Even when you level up and increase your stats by junctioning, the enemies level up with you. You can’t go out and grind to make your life a little easier because your life will be just as difficult. My typical Final Fantasy experience involves a few hours of being lost and not knowing where to go next. By the time I get to the next narrative location, I’ve battled enough to make the dungeon a bit easier than it would have otherwise. Not with FFVIII.

And now I’ve stopped, given up, failed. I must admit that this is an emotional blow. I thought I could commit, but not in the face of this game. In time, I’ll play FFV and maybe have a good time; I hear that it has an excellent job system.


Kinect is creeping me out. I’ve had it for only a few days, and it won’t stop staring at me with its dead eyes.

How Embarrassing

Oops. I was hacked.

And only a few months after I was put in charge of application security at work. I’m sure this would inspire confidence with all our developers.

Since I don’t actually pay attention to my blog, I had no idea that I was hacked until a month later when I went to look at some photos I uploaded. After some research I found that the attacker managed to infect all PHP files on my site. At this point I contacted my host as my account was locked down. The conversation went something like this (not actual quotes):

Me to Support Help, I’ve been hacked!

Support to Me Yes. Yes you have. We told you about this a month ago. Respond to the email our Security Team sent.

Me to Support Um, looks like I lost the email, can you send it to me again?

Support to Me Just talk to the Security Team, leave me out of this.

To be fair to the host, they most likely did contact me and I just deleted the email. My fault, I admit it. To be fair to me, I get two or three marketing emails from them a week and immediately delete the messages to prevent my inbox from filling up within a month.

I sent an email to their security folks and they gave me the details. Wordpress’ TinyMCE install was attacked via a known vulnerability. They asked that I update my applications, which I did once they figured out how to do that.

In short, I failed at one of the basic tenets of security: Keep your infrastructure updated. I let my blog sit idle for too long and failed to upgrade when a new patch was released. Some script kiddie came by and hacked my site, and my host did the right thing by locking everything down until I could respond. Now I’m back up and starting from scratch.

« 3/3