DOJ, Dreamhost, and DisruptJ20

The government has no interest in records relating to the 1.3 million IP addresses that are mentioned in DreamHost’s numerous press releases and opposition brief.

Basically, the Department of Justice served Dreamhost this warrant asking for

  1. the code backing the web site,
  2. the HTTP request and error logs,
  3. logs about backend connections to upload files to the server
  4. databases
  5. email account metadata and contents
  6. account information for the site owner

Dreamhost resisted the warrant as overly broad. The DOJ is backing off the HTTP logs and unpublished draft posts.

If the site is using certain WordPress plugins to track visitors, then it is possible that the IPs for visitors are in the database. Or if the DOJ looked at the public HTML and noticed a Google Analytics JavaScript, then they know they can issue a warrant to Google to get the visitor information. Would Google resist handing it over as hard as Dreamhost?

 

Host Hopping Cookies

It started with a tweet on Saturday morning.

@MsIngalls: When I go to the Checklist in @Desire2Learn -when I am logged in – I get an error message that says my log in has expired – ideas? #d2l

This sounded like an issue we had in WebCT Vista product I called Failed Sessions. FSes occur when the user is actively working in the product and suddenly gets dumped to the login page. Not to be confused with Login Loop which is providing the correct username and password but never getting a valid session. I hated working either issue because they were never repeatable. The problem could involve any piece of software that could somehow touch a cookie on the user’s computer. Occasionally they were the fault of Weblogic too.

I recommended Amy open a Desire2Learn ticket through our portal on behalf of the professor. I also started my own investigation.

First, I poked around in the logging database for errors involving checklist. I found different courses not the one involved.

Second, I pulled out of our load balancer logs the id number for the course. That yielded plenty of data showing the problem.

These, I added to the ticket and suggested capturing the HTTP headers should the issue not be repeatable by others. Of course, the support agent was not able to repeat it. The headers clearly showed the cookies were not sent.

The professor of course poked holes all through my suggestions of tracking down which of the many software is involved. Different software, hardware, networks, and browsers meant the cause was probably not something residing on the computers. But the issue definitely was still all of these browsers in a wide variety of places all chose not to send the cookies. This is also when he dropped the next bomb that the problem only occurs on links in a specific widget.

Checking the code behind the widget, I only saw simple absolute URLs. Which made me shudder because earlier this week absolute URLs in the login page for a development site put me in production without me being aware for several minutes.

PSA: Only use absolute URLs when sending a visitor to another web server. Say you are here, at www.ezrasf.com and you want someone to see another of my blog entries. Drop http://www.ezrasf.com from the URL and start the path with / (a relative URL). Should I change the host name to blog.ezrasf.com or www.ezrafreelove.com, then the link has better success of working.

It turns out the problem is the professor used the pre-production host name for the web application. The widget absolute URL links used a different host name for production. Both resolve to the same servers. But cookies are tied to a specific host name. So being logged into one of host and getting a link to the variant means the session is not valid at the variant.

At least the workaround and fix are easy.

The workaround for the professor is to stop using the pre-production URL.

The fix is for the widget designer to turn the absolute URLs to relative URLs since they point to same location.

Also, it would be nice for a better error message than:

No Login

Either you have failed to login, or your login has expired.

First the comma is bad grammar. Second, if I am a normal user who encounters this problem, then what can I do to fix it myself? This is not an error someone sees if their password or username are wrong. This is also not what a user normally sees when they are idle too long. But then again, there are lots and lots of potential causes and solutions.

Useful User Agents

Rather than depend on end users to accurately report the browser used, I look for the user-agent in the web server logs. (Yes, I know it can be spoofed. Power users would be trying different things to resolve their own issues not coming to us.)

Followers of this blog may recall I changed the Weblogic config.xml to record user agents to the webserver.log.

One trick I use is the double quotes in awk to identify just the user agent. This information is then sorting by name to count (uniq -c) how many of each is present. Finally, I sort again by number with the largest at the top to see which are the most common.

grep <term> webserver.log | awk -F\” ‘{print $2}’ | sort | uniq -c | sort -n -r

This is what I will use looking for a specific user. If I am looking at a wider range, such as the user age for hits on a page, then I probably will use the head command to look at the top 20.

A “feature” of this is getting the build (Firefox 3.011) rather than just the version (Firefox 3). For getting the version, I tend to use something more like this to count the found version out of the log.

grep <term> webserver.log | awk -F\” ‘{print $2}’ | grep -c ‘<version>’

I have yet to see many CE/Vista URIs with the names of web browsers. So these are the most common versions one would likely find (what to grep – name – notes):

  1. MSIE # – Microsoft Internet Explorer – I’ve seen 5 through 8 in the last few months.
  2. Firefox # – Mozilla Firefox – I’ve seen 2 through 3.5. There is enough difference between 3 and 3.5 (also 2 and 2.5) I would count them separately.
  3. Safari – Apple/WebKit – In searching for this one, I would add to the search a ‘grep -v Chrome’ or to eliminate Google Chrome user agents.
  4. Chrome # – Google Chrome – Only versions 1 and 2.

Naturally there many, many others. It surprised me to see iPhone and Android on the list.

Students First

Yesterday Gina, a coworker, joined me for lunch. She asked about where GeorgiaVIEW‘s attention is focussed since we recently completed our upgrade to Blackboard Learning System Vista Enterprise 8.

She pointed out students are the most affected by and most important constituent for any decisions we make. Yet the student point of view is almost never considered. Capturing what is good for students might mean installing all the possibilities where students and faculty could compare. It might mean surveys, however, I think self-reporting provides so much erroneous data we could do without it.

My job’s focus is more toward what is the most efficient, least problematic system for me to start/stop, install, upgrade, and review logs. I am still mulling what job position we have who would focus on ensuring whatever we do will provide for the best student experience. Guess really that should be all of us.

Turn the Tables

CrossRoads Newsletter and Career Development Center:

With corporate recruiters and executive search firms now using blogs as a prescreening tool for candidates, Whitcomb advises people to create online journals to demonstrate their skills, share their expertise, and lend potential employers insight into their personality.

“You can write about projects you are working on, industry events, ongoing research, current trends, new products, and evaluations. You can also include articles or papers you have written, a bio, project histories, a downloadable résumé, and even audio or video presentations,” says Whitcomb.