    Overcoming Adversity on the Road: Stories Behind the Liquid Galaxy

    By Mark Johnson
    June 14, 2012

    I recall receiving a call from Ben Goldstein about an early LG install in Washington, DC (near my home). After a short discussion about the general project, the gist of the call: “Can Kiel and I use your garage to store and assemble the LG display? It’ll just be for a few days.”

    As it turned out, they didn’t need my garage (even though they were welcome to it), but it was a glimpse into some of the obstacles the End Point team faces when we take remote work, outside the familiar trappings of our own environment.

    Gerard Drazba provided an introduction to the scope of LG installations in 2012. For the current year alone, through Q3, travel to deliver the sizable LG equipment will approach 60,000 miles to dozens of different destinations, from across the street (and up 5 floors) in NYC to destinations as far away as Singapore and South Korea.

    The equipment is bulky, complicated to deliver—and heavy! Each shipment is approximately 1800 lbs. Fully 44% of these different installations have been, or will have been, delivered to international locations. The global presence for demand of LG installations is only growing—and has its own challenges beyond the domestic destinations.

    Kiel …


    visionport travel

    RailsAdmin & Django

    By Jeff Boes
    June 14, 2012

    Steph Skardal and Greg Davidson presented on RailsAdmin and Django (in the context of two of our clients, Musica Russica and Providence Plan).

    Clients need a browser interface to administrate their Rails apps’ assets and configuration. RailsAdmin is an “engine” (an embedded miniature Rails app) for developing an admin interface, and a relatively young open-source project. It offers a CRUD-capable interface. It provides data export, filtering, pagination, and support for file attachments and a popular plug-in called “PaperTrail”. Musica Russica uses this as their site administration. This admin interface can be configured with many different customizable options: formatting, help text, sorting, etc.

    RailsAdmin also provides authorization to limit certain actions (“delete”, “read”, “manage”) to objects (“User”, “Order”) by user.

    In contrast, Django, written in Python, dates back to 2005 and is aimed at complex web applications. It provides an automatic admin interface which of course you can extend and customize, and mostly the same feature set (pagination, filtering, etc). Several high-profile web applications (Instagram, Pinterest, and Mozilla’s add-ons site) are powered by …


    django rails conference clients

    Security review with Kiel: Time to be paranoid.

    By Josh Williams
    June 14, 2012

    Interesting! From storing encrypted documents and occasionally signing email, to its usage in pgcrypto in Postgres, I’ve done a bit with PGP keys and public key cryptography. But Kiel’s been running through a quick tutorial on security topics, and some of the PKI components are more important than I originally realized. For instance, part of the security that the public key infrastructure provides is the web of trust, which defines how identities can be automatically trusted based on which keys have signed and trusted other keys. In fact, we’re about to have a key signing party…

    In the meantime, Kiel reminded us of some of the concerns surrounding other forms of PKI cryptography. The SSL infrastructure, for instance, relies on a set of provided certificate authorities which are assumed to be trusted, but may not be reliable. Plug-ins like Certificate Patrol can help, though. Also, as indicated by the recent collision attack, MD5 is no longer secure, and a number of CAs still use it.

    More generally, the security ninja reminded us of where security breaches can occur and how they can affect us, even if they happen in a space far outside our control. But there are …


    security

    You shall not pass! Preventing SQL injection

    By Marina Lohova
    June 14, 2012

    Greg Sabino Mullane presented a few extremely useful techniques for preventing SQL injection. His advice was mostly based on his recent real-world experience.

    A simple chunk of code was exposing the system to a potentially very dangerous security breach:

    [query … where order_number='[scratch order_number]' and username='[session username]']

    This code can generate this SQL query:

    select * from orders where order_number = '12345' and username = 'alice';

    Or this SQL query:

    select * from orders where order_number=' ';  delete from orders where id IS NOT NULL;

    This is a vulnerability, and you certainly do not want any random stranger to delete records from the “orders” table in your database.

    The problem was solved in no time by escaping user input.

    Here is Greg’s list of recommendations to make SQL injection impossible:

    1. Escape all user input passed to the database.
    2. Log extensively. If this system hadn’t logged SQL queries, they would never have noticed anything strange. They used tail_n_mail, which tracks PostgreSQL logs and sends out emails whenever an SQL exception occurs.
    3. Introduce fine-grained control for accessing and manipulating the database. …

    database postgres security sql

    Chef and Puppet Overview

    By Josh Tolley
    June 13, 2012

    I started a job several years ago as a “configuration manager”, but had to admit when I started that I didn’t have any idea what “configuration management” really meant. The idea, as I soon learned, was to make sure all the servers, configurations, accounts, and other components of a system work together systematically. I’m not sure “configuration management” tools as such existed at the time, but we certainly never used them, though they’d begun to have a presence online before I left that job for another opportunity.

    In systems we run at End Point, whether for ourselves or other clients, such configuration management tools have become critical, in particular for our Liquid Galaxy systems, which require a great deal of repetitive configuration. So Kiel and Josh Williams have a fair bit of experience with these tools, and I was glad to hear their discussion of Chef and Puppet specifically.

    These tools have a common heritage, and are both Ruby-based. Ruby is a particularly good language for writing domain-specific languages (DSLs) like the one Puppet uses, so it’s interesting that Chef’s developers apparently abandoned the DSL idea, so Chef instructs its users to run Ruby directly. …


    chef devops puppet

    End Point’s Ruby Slippers

    By Kiel Christofferson
    June 13, 2012

    The next presentation of the day was Brian Dillon’s, entitled “End Point’s Ruby Slippers”.

    Even as a relatively new End Point employee (3 months now), Brian has been assisting the growth of End Point in pursuit of sales and marketing. Brian started out by letting his fellow employees know that he finds himself very fortunate to have such a gold mine of unsung talent, expertise, and marketable skill at his disposal. Tortured with the thought of not fully representing that talent, Brian has been boiling a pot of ideas that might help him tell the world who End Point is and what we really do in an accurate and concise way.

    After reading aloud each employee’s “one sentence” (written upon note cards) attempting to describe End Point, Brian took us all through a little bit of company history he had dug up from the archives. We received an overview of what End Point has done since 1995. A pattern emerged; End Point is not afraid to take interesting chances. End Point is not afraid to venture into the unusual projects that result from discussion between innovative minds. End Point is not afraid to increase the breadth of their knowledge while sharing that knowledge internally in order to …


    company

    Git Workflows

    By Mike Farmer
    June 13, 2012

    David Christensen is talking today about Git workflows.

    There are different ways that you can work with Git. Git doesn’t dictate a certain workflow, so you are free to implement one that works best for you. Understanding Git and how it works will help you develop an effective workflow.

    The Git object model provides Git’s flexibility and is as follows:

    • trees, blobs
    • commits
    • named commits: tags, branches

    Branch flexibility comes through combining of branches (merges, rebase).

    Good commits are key to flexibility/tools. Each should encapsulate the smallest logical change and carry a good log message describing the commit. It’s important to provide the why in your commit message in addition to what was fixed so that it’s clear to future developers.

    Branches contain all the magic of Git in that a branch is just a pointer to a commit.

    Topic branches are convention-driven branches that are merged off the master branch. They usually deal with a single topic and can be rebased onto master to provide a clean history. They can also be thrown away later so they don’t clutter up the repository.

    Integration branches are usually for different levels of the application integration, for example, staging and …


    git

    Integration Experiences

    By David Christensen
    June 13, 2012

    Szymon Guz gave a talk which covered his experiences working for a large client on integrating an acquired business’ website and fulfillment processes into their existing backend and fulfillment systems.

    He gave us a detailed overview of their existing shipping fulfillment infrastructure, along with specific technical issues he encountered when integrating with the fulfillment models of the additional website.

    He also detailed some of the non-technical/project management challenges inherent when working with a large number of people on a project.


    clients integration