Friday, June 10, 2011

Being force fed Ektron CSS

I am currently working on an Ektron site. We had the home page looking good, but wanted to add a news feed. After being given the required HTML, I created a new blog in the workarea, made the required XSLT (tweaked from a previous project) and dropped a BlogEntries control onto the page. This completely broke the page – the fonts had changed, spacing was completely out.
The culprit was the Ektron blog CSS. Ektron is smart enough to only load the CSS required for a particular page. So when the BlogEntries control was added, the Ektron CSS URL changed from something like-
workarea/csslib/ektronCss.ashx?id=EkOneCss+EkTwoCss
to
workarea/csslib/ektronCss.ashx?id=EkOneCss+EkTwoCss+EkBlogsCss

Whilst it is admirable of Ektron to try to reduce your page load, the problem with this is twofold-
  • Using XSLT, I have no requirement of the Ektron CSS.
  • The Ektron CSS is at times terrible.

Here, in particular, is the offensive piece of CSS in the \Workarea\csslib\blogs.css
p, li, div    
    {
    margin:0in;
    margin-bottom:.0001pt;
    font-size:10.0pt;
    font-family:Verdana, Geneva, Arial, Helvetica, sans-serif;
    }

Dear CSS designers of the world, imagine for a second that you had the above CSS forced upon you by a developer. You would go spare trying to override it. Maybe you could use “inherit” and “!important” to work around it, but either way it’s a lot of work.
So, we had a previously fine page suddenly rendered ugly by the choice of Ektron server control. Our options to solve this are-
  • Work around the CSS. As mentioned above, this is quite laborious, and be sure to budget for rehab for your CSS developers.
  • Delete the offending code. Main problem with this is to remember to re-delete upon upgrading Ektron. If it’s just one bad CSS snippet that’s not too bad. Also, you need to take responsibility for any side-effects of deleting this. For a blog control, this will be minimal, but overriding some of the horrible widget and Page Builder CSS will make the in-page editing ugly or unusable.
  • Nuke the Ektron CSS via JavaScript.
  • Rebuild the control without using the blog control. This may mean re-implementing functionality which is normally out-of-the-box from Ektron.
Ektron could solve this by-
  • Improving their CSS. Mainly by removing loosely scoped selectors.
  • Adding a DisableCSS property to server controls, effectively giving the developer the chance to say “Leave it Ektron, I’ll take care of the CSS for this control”.
  • The improved framework API and MVC/MVP style controls would offer viable alternatives, though there is nothing stopping Ektron injecting CSS for these controls.

We’re still weighing up our options, but it looks like we’ll rebuild the control without using the BlogEntries control. A half-hour implementation has become a four-hour implementation, and CSS that I do not want nor need has been force fed to my site visitors.

Monday, May 23, 2011

The Case of the Cold Call AV Expert

TL;DR- Indian scammer showed me an error in my event log, tried to get me to give him remote access.

 

A call out of the blue…

On Saturday, about noon, I got a phone call at home. Unusually, this is actually quite unusual. Only our parents ever call us on our home phone, and since signing up to the Do Not Call register, the telemarketers have stopped.

After the familiar delayed “hello”, I was introduced to a polite, if somewhat quick-speaking, Indian named “Roony Takar” from the Windows Support Centre.

Oh boy! My very first live scam attempt! My girlfriend had received a similar call a couple of months back, so I was aware of the general outline of the scam. What intrigued me was the strategy. Also, I figured the longer I took up his time, the less opportunity he had to scam others.

Roony told me that they had detected a virus on my computer, and that my computer was infected. I expressed my horror at this, and agreed to go to my computer and turn it on. Roony asked me if it was a laptop or desktop. I replied laptop. There were no questions about version of Windows (or even if I had Windows) or brand of computer.

I told Roony that I was pleasantly surprised by this amazing level of service from Microsoft. It appeared that he didn’t hear me…

Breaking News: Event Log Has Errors!

I was then laboriously instructed to open the event viewer (“press window + r, type in e for echo, v for…”). I was then instructed to open the Application log and asked to scroll through and report how many yellow warnings and red errors I saw. For shame, I lied and stated that I had but 7 warnings and no errors out of 2,000 messages. I was intrigued as to their backup plan should my computer have no errors, but I was then instructed to open the System log. It is probably stretching the bounds of credulity to have no errors here, so I reported that I had some errors.

I was then instructed to open the error. I chose a benign DHCP error, and reported its message[1], type (error) and category (none). I was told that my computer was infected and that software was causing DHCP server to be blocked, and that the category of none meant that my computer was broken. I asked what my DHCP server thing was, I don’t use any programs called that. I was told that it was a program inside my computer.

Gimme Remote Access

Roony then told me that as my computer was infected, I would need to have it reviewed by a Microsoft certified technician[2]. Now I was asked if I had Windows Internet Explorer, and if so, to open it. I was then painstakingly directed to go to the website “www.logmein.com”[3]. By coincidence, my internet connection had dropped out at that time, so I was instructed to also try “www.ammyy.com”[4].

Upon having both these sites unavailable, I was then instructed to restart my modem.

With the internet back up, I went to “www.logmein.com”. I noted to Roony the lack of Microsoft logos on the page. “Surely”, I said, “Microsoft would have their logo on this site?”

I was then told the scripted disclaimer “We are PC Solutions, I am calling you from the Windows Support Centre, we are contracted to provide software maintenance”.

“So Microsoft has contracted you?”

A Bridge Too Far

And with that, *click*, Roony had hung up. I was slightly disappointed to not obtain the log-in details that he was using for “logmein.com” in order to report it to logmein.com, but pleased to at least take up some of his time.

Speaking with friends later, it appears I’m not the only one to have gotten one of these phone calls. Most people report that their initial thoughts were that the call came from Microsoft. Some told the scammer “I don’t have a computer” (only to be scolded “But everyone has a computer!”) or “I have an Apple”, which resulted in a quick hang-up. Maybe we’ll start seeing fake Apple calls soon.

Reap What You Sow

From research, it appears that there are 3 general pay-offs for these scammers, in order of increasing illegality-

1) Use the remote admin access to install a useless “anti-virus” program, and charge you either for it or for the heavily promoted upgrade. As a product has been sold, there is little recourse for victims.

2) Install a botnet client onto your machine, and use your computer for spam, DDOS, etc.

3) Install a keylogger and obtain passwords in order to defraud, blackmail or steal identity.

My guess is that the first one is their main M.O. By not directly saying that they are from Microsoft, they merely mislead rather than misrepresent, suggesting a desire to stay within the letter of the law, if not the spirit.

How do we stop this scam?

Looking at the critical points in this attempt-

The phone call – You could ask for their number and insist on calling back. This is good practise, but not foolproof. You should additionally google the phone number and company name, and still be wary. Ask “How did you get my number?” Don’t give out any additional personal information.

Event log – You could lock down the event log, but there are a million ways a scammer could convince you that your computer had an error.

Remote admin tools – Again, there are a million different remote access tools, with legitimate purposes. There are even open source options like VNC.

The best means of stopping this is to make people aware of it. This scam has been mentioned a couple of times in the news, but is still not listed on Scam Watch. I recommend letting your friends and family know about this (especially grandparents and those more likely to be scared by shouts of “VIRUSES!!”).

 

And I leave you with a final question…

Why get remote access, when you could get the user to install a virus-ridden program via the browser?

 

Footnotes

[1] “The IP address lease 192.168.1.2 for the Network Card with network address XXXXXX has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).” I took care to spell out DHCPNACK very slowly. 

[2] This was the only time he mentioned “Microsoft”. I was specifically listening to see if he would misrepresent, but his script appeared to be big on implication.

[3] An online remote admin tool, appears legitimate and not directly associated with the scammers.

[4] A remote admin program, again appears legitimate and not directly associated with the scammers.

Monday, April 18, 2011

Coding in non-sequential order

In the latest episode of Talking Shop Down Under, Xerxes Battiwalla brings up an interesting tactic he uses when tutoring university students in computer science. Firstly, unsurprisingly, he encourages problem decomposition, walking the students through breaking the problem down into smaller parts. But he then encourages students to complete the problems in a random order.

I like this approach for a couple of reasons-

Firstly, it weakens the opportunity of making your various inputs/outputs/DTOs too specific. I remember my code becoming more and more interconnected and bespoke, as I resisted refactoring previous code in order to keep soldiering on.

Secondly, it gives a leg-up to testing. If you start in the middle of a problem, with no GUI or input, then the value of unit testing becomes obvious.

And lastly, it’s a neat piece of reference framing. It shows students that each component in a coding chain has value. It also shows that if they are unsure on one part of the problem that they can still start on a different part.

Thursday, March 24, 2011

Ektron Groups-au-go-go

I asked the Ektron twitter crowd - what's the difference between User Groups, Membership->User Groups and Community Groups? When to use which?

The replies from @billcava, @ajmarsland and @gandalf can be summed up in the table below.

|  | User Group | Membership Group | Community Group |
|---|---|---|---|
| Type of members | CMS users (content editors) | Membership users (site visitors) | Both CMS users and Membership users |
| Content / Folder permissions? | Yes | Yes | No |
| Useful for | Workarea authorisation | Site authorisation | Blogs, forums, wikis, collaboration |
| Where found in workarea | Settings -> User Groups | Settings -> Community Management -> Memberships -> User Groups | Settings -> Community Management -> Community Groups |

Wednesday, March 9, 2011

Ektron and Webforms.MVP

I am currently in the finishing stages of an Ektron project that utilised the Webforms.MVP framework. About 18 months ago, I saw Tatham Oddie talk at a Readify Developer Day, where he introduced Webforms.MVP as a project created by himself and Damian Edwards, the culmination of working on several webforms projects.
There have been several other attempts to integrate Webforms.MVP into other CMS’s, including EpiServer, Umbraco and DotNetNuke.
We work with complex HTML/JS/CSS, so one of the goals was to have maximum control over markup, traditionally a hard task with both Asp.Net and Ektron controls, whilst still being able to leverage out-of-the-box Ektron controls.
Advantages
  • Testability. Views can be mocked, presenters hit, and the simple models asserted against.
  • Separation of presentation logic from business logic. The constraint of aiming to keep the code behind spare really helps to achieve simple and pleasant controls. The separation also helped conceptualise and enforce a business logic layer.
  • Ability to mix and match any combination of MVP, Asp.Net and Ektron controls within a page.
  • Simple to use Pub/Sub messaging bus.
  • Easier to avoid amorphous View State blobs.

Disadvantages
  • Documentation is a little light. There are a couple of good screencasts, and the sample code is great to start with, but a little lightweight (I’m hoping to add some sample code when I get some time).
  • Development is slower, though I believe this could be mitigated by creating code templates or using a code generator.
  • Fair bit of left-hand/right-hand code, though this could be mitigated by AutoMapper and refactoring some of the view-models.
  • Medium learning curve, not a typical Webforms project.

With regards to testability, unfortunately, the number of tests on this project is one (and that test is nowhere near the MVP stuff). Our dev shop is, like many web forms developers, naively unaware of testing. IOC is the group in charge of the Olympics, and mocking is a type of song bird. Between this and the tight deadline, TDD was abandoned and unit-tests were moved into 2.0.

Against all the militant cries of “untested code is broken code”, this was the right business decision, and it highlights a common problem faced by one striving to improve coding standards – time. The fresh effort of learning TDD practises would have made an already late project even later, and there is no requirement that you ship perfect code (this isn’t a web interface for a Therac-25). I want to strive for quality, but need to either learn to settle for a little less, or improve efficiency. The latter takes time, so I would need to be more efficient at being more efficient. It’s turtles all the way down.

The messaging system was also a revelation. It is a breeze to pub/sub objects, and makes for simple code. We went with using page presenters that would do authentication and publish a user object. Possibly not the best pattern, but a nice way to avoid setting flags etc. in complicated master pages.

Probably the biggest mistake of my current project was that we only used Asp.Net and Ektron controls sparingly. This gave us wonderfully bespoke markup, but at the cost of time. For example, our hand-rolled forms meant that we couldn’t easily use server side controls, and therefore we also had to hand-roll our validation. This was also exacerbated as I wasn’t able to get the ‘convention over configuration’ quite working, so each view had to be attribute decorated (on the plus side, this made it easier to jump to the presenter/model via F12). Maybe some of the smaller pieces could have been done without MVP, but in some ways this is when MVP shines- I really like the close-to-the-road feel of <span><%= Model.FirstName %></span>.

One thing not explored was getting our frontend developers, who usually design in PHP and pure HTML, to directly update templates. The new-found simplicity of the templates makes this possible, but the increased setup time and system load for a local Ektron dev instance rules it out for now.

When I first mentioned the idea of combining Ektron and Webforms.MVP on Twitter, Martin Jarvis’s response was “You can certainly use MVP/MVVM/MVC pattern with Ektron API as a repository. I don't know about the UI components.” This was very prescient, apart from occasional ContentBlock controls, all other markup is handmade, with API calls pulling the data. We’ll probably even remove the ContentBlocks in order to add templating functionality for the CMS user. This is partly due to the nature of the project, and partly due to a preference of using MVP over XSLT.

Martin has a great series of articles on using Web Application Projects with Ektron, which partly inspired this look at MVP. What if we could gain some of the advantages of everyone’s new best friend MVC, whilst still stuck in the webforms world of Ektron? (Note- the 8.5 release on the horizon appears to offer a lot of overdue goodness which may make Ektron MVP moot. There is talk of a pre-compilable workarea and the tautological MVC controls, which hopefully are actually MVP-ish.)

So, for now, if I had my time over, would I do it the same? Maybe, maybe not. The schedule has gone horribly over time, but the site does look good and functions well. I am hopeful, though not necessarily confident, that future maintenance will be easier (alas, a goal that cannot be measured).


Edit 11-Mar- "there is requirement" should be "there is no requirement"

Monday, February 28, 2011

Deploying an Ektron site via the PackageSite utility

This process was little known to me. Rokib from Ektron support pointed me towards this.
Basic method-
  1. On your UAT server, run C:\Program Files\Ektron\CMS400v80\Utilities\PackageSite\PackageSite.exe and follow the instructions
    • When asked to provide a folder to store the package, create a new, empty folder. The package is not zipped, it’s a collection of folders
    • The package contains 3 folders – assetlibrary, content, setup
  2. Zip up your package and upload to your production server
  3. Run the Ektron setup, but don’t setup a site. Just install the Ektron program files.
  4. Unzip the package into the C:\Program Files\Ektron\CMS400v80\StarterSites folder
  5. Run site setup and you should be able to select your site from the starter site drop down.
Some caveats-
  • The content folder included all the .svn Subversion folders and eSync certificates. So on the plus side it didn’t miss anything.
  • Anything you’ve added to web.config will be lost. Consider putting it into Application.config, or add it yourself.
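
A pre-upload check for the first caveat above, as an added example (not Ektron tooling and not code from the original post): it walks a PackageSite output folder and reports version-control metadata and certificate or key files before the package is zipped for production. The extensions treated as certificate material and the sample file names are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Version-control metadata directories; the post names .svn.
VCS_DIRS = {".svn", ".git", ".hg"}
# Assumption: extensions treated as certificate or private-key material.
# The post only says "eSync certificates"; adjust to match your package.
CERT_EXTENSIONS = {".pfx", ".pvk", ".cer", ".pem", ".key"}


def audit_package(root):
    """Return sorted (kind, relative_path) findings for a package folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name.lower() in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("vcs-metadata", rel))
                dirnames.remove(name)  # report once, do not descend
        for name in filenames:
            if os.path.splitext(name)[1].lower() in CERT_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("certificate-or-key", rel))
    return sorted(findings)


def remove_vcs_metadata(root, findings):
    """Delete reported VCS directories; certificates are left for a human."""
    removed = []
    for kind, rel in findings:
        if kind != "vcs-metadata":
            continue
        target = os.path.join(root, rel)
        # Working-copy files are often read-only, which blocks deletion on Windows.
        for dirpath, _dirs, files in os.walk(target):
            for name in files:
                os.chmod(os.path.join(dirpath, name), stat.S_IREAD | stat.S_IWRITE)
        shutil.rmtree(target)
        removed.append(rel)
    return removed


def build_sample_package():
    """Constructed sample tree using the three folders the post lists."""
    root = tempfile.mkdtemp(prefix="package_")
    files = [
        ("assetlibrary", "logo.png"),
        ("content", "default.aspx"),
        ("content", ".svn", "entries"),
        ("content", "uploadedimages", ".svn", "entries"),
        ("setup", "example_SyncClient.pfx"),  # constructed file name
    ]
    for parts in files:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
    return root


if __name__ == "__main__":
    package = build_sample_package()
    report = audit_package(package)
    for kind, rel in report:
        print(f"{kind:20} {rel}")
    print("removed:", remove_vcs_metadata(package, report))
    shutil.rmtree(package)
```

Run it against a copy of the package folder; certificate findings are only reported, so someone who knows the eSync setup decides whether they belong on the production server.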

Thursday, January 27, 2011

Separating your code from Ektron’s

Similar to my last post, this post is about creating a DLL which will access the Ektron repository. However, this time the DLL will be included as a reference in the website. This allows you to separate out your logic code from the presentation layer.

(Initially, I thought I would be restricted to using the Webservice API. However, as the DLL will be run within the context of the Ektron site, you are able to use the framework and controls).

 

  1. Add a new code project to your Ektron site solution
  2. Add the following references to the code, by browsing to /Path/To/Site/bin-
    1. Ektron.Cms.Common
    2. Ektron.Cms.Framework
    3. Ektron.Cms.ObjectFactory
  3. Add your new project as a reference to the Ektron website.

 

The advantages of this are-

  • Re-usability – you can create a helper function DLL of common actions, which can be dropped into new projects
  • Testability – You can write and run tests directly against your DLL using nUnit Test Runner or similar. Ektron objects won’t be available, but can be mocked.
  • Reduces JIT-compilation load, though this can be mitigated by pre-compilation. However, this in turn is trumped by the fact that the Ektron workarea does not currently compile (high hopes are held for version 8.5)

 

In the end, I returned to putting all my logic code back in App_Code. The main reason was the tight deadline which was not allowing me the time to get past a couple of problems, namely-

  • Permissions issue on Logic.DLL. Visual Studio was unable to automatically update the DLL in the website, and I was forced to manually delete it from the bin folder.
  • Dev process is slower as Logic.DLL needs to be recompiled with every change.
  • Our standard helper functions have not yet been moved to a DLL, but have been used and tested in App_Code.

Monday, January 24, 2011

Accessing Ektron from a DLL or console app

As part of trying to use Webforms.MVP with Ektron, I have created a DLL that contains my business logic, which is referenced by the Ektron site. However, this DLL needs to access the Ektron webservice, in order to get/update content and members.

Note: wsdl and csc are part of the .Net SDK. You will need to have this installed. Once installed, you can access them via the SDK Cmd Shell, or, if your path is correctly configured, via cmd.exe.

 

  1. Create a proxy object for the web service
    1. Run the .Net tool wsdl.exe against your webservice address, e.g. http://localhost:/Workarea/webservices/ContentWS.asmx
    2. Compile into DLL by running “csc /t:library ContentWS.cs”
  2. Add the DLL as a reference to your DLL or console app
    1. Copy the DLL to a Lib folder in your project
    2. Right click “Add reference” and browse to your created proxy DLL.
  3. Add System.Web.Services as a reference to your DLL or console app
  4. Call the proxy DLL from the code

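      // ContentWS is the proxy class generated by wsdl.exe in step 1
      ContentWS cApi = new ContentWS();
      // contentId is the ID of the content block to fetch
      ShowContentResult response = cApi.GetContentBlock(contentId);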

 

That’s enough if your DLL or console app needs access. However, if, like me, you wish to have your Ektron site reference your DLL (in my case, for testability via Webforms.MVP) then you get a DLL conflict. The next post will be on how to overcome this.


Sunday, January 16, 2011

Improving Ektron eSync

For a feature with so much upside as eSync, why do I always dread having to use it?

 

I mean, who wouldn’t want an easy way to push your development changes seamlessly into production? Or easily recreate the client’s bug report by pulling down all the production content?

In order of priority, I think the following would make eSync better-

  • Better error messages – The error messages are arcane. There seem to be a couple of common causes of problems - license, certificates, web service path - yet there are not standard errors for these causes.
  • Better tooling/support – The current tooling is sufficient, but could be much, much better. The tools should automate as much of the setup process as possible, and do some simple checks of common problems.
  • Support for or integration with source control systems – I’ve learnt the hard way that eSync and Subversion don’t play nicely together. My current method is to keep the two apart as much as possible. There is a lack of documentation on best practises with eSync and source control.
  • More fine-grained control – The main problem we get is with the users being synchronised. It would be nice to be able to bring across the content but keep the users. Or just eSync certain folders (there are filters, which, as mentioned above, I’ve never had much luck with).
  • More than just master/slave – eSync relationships are limited to two parties, and anything complicated must be modelled as a series of two party relationships. Support for many slaves to one master would be nice for a multi-developer, single UAT server environment.
  • Support for continuous integration – This is partly mitigated by the ability to set a schedule. It would still be nice to be able to kick off an eSync from the command line.
  • Ability to change port used – I’m a little concerned about this: if a vulnerability is found, then attackers know exactly which port to knock on.

Lastly, no eSync blog post is complete without a link to Martin’s eSync Trouble Shooting Guide. Whenever I have to set up eSync, this page gets opened up before I even start, and takes away just a little of that aforementioned dread.

 

(the eSync that prompted this post went rather painlessly, with only 1 (firewall-related) error)