
November 6, 2012

Tips and Tricks - Pure CSS Sticky Footers

By now, if you've seen my other blog posts, you know that I'm fascinated with how much JavaScript has evolved and how much you can do with jQuery these days. I'm an advocate of working smarter, not harder, and that maxim knows no coding language limits. In this post, I want to share a pure CSS solution that allows for "sticky" footers on a web page. In comparing several different techniques to present this functionality, I found that all of the other routes were overkill when it came to processing time and resource usage.

Our objective is simple: Make the footer of our web page stay at the bottom even if the page's content area is shorter than the user's browser window.

This, by far, is one of my *favorite* things to do. It makes the web layout so much more appealing and creates a very professional feel. I ended up kicking myself the very first time I tried to add this functionality to a project early in my career (ten years ago ... already!?) when I found out just how easy it was. I take solace in knowing that I'm not alone, though ... A quick search for "footer stick bottom" still yields quite a few results from fellow developers who are wrestling with the same frustrating experience I did. If you're in that boat, fear no more! We're going to get your footers in shape in a snap.

Here's a diagram of the problem:

CSS Footer

Unfortunately, a lot of people try to handle it by setting a fixed height on the content, which would push the footer down. This may work when YOU view it, but there are several different browser window heights, resolutions and variables that make this an *extremely* unreliable solution (notice the emphasis on the word "extremely" ... this basically means "don't do it").

We need a dynamic solution that is able to adapt on the fly to the height of a user's browser window regardless of whether they resize it, have Firebug open, use a unique resolution or just have a really, really weird browser!

Let's take a look at what the end results should look like:

CSS Footer

To make this happen, let's get our HTML structure in place first:

<div id="page">
 
      <div id="header"> </div>
 
      <div id="main"> </div>
 
      <div id="footer"> </div>
 
</div>

It's pretty simple so far ... Just a skeleton of a web page. The page div contains ALL elements and is immediately below the <body> tags in the page code hierarchy. The header div is going to be our top content, the main div will include all of our content, and the footer div is all of our copyrights and footer links.

Let's start by coding the CSS for the full page:

html, body {
      padding: 0;
      margin: 0;
      height: 100%;
}

Adding a 100% height allows us to set the height of the main div later. The height of a div can only be as tall as the parent element encasing it. Now let's see how the rest of our ids are styled:

#page {
      min-height: 100%;
      position: relative;
}

#main {
      padding-bottom: 75px;   /* This value is the height of your footer */
}

#footer {
      position: absolute;
      width: 100%;
      bottom: 0;
      height: 75px;  /* This value is the height of your footer */
}

These rules position the footer "absolutely" at the bottom of the page, and because we set #page to min-height: 100%, it ensures that #main is exactly the height of the browser's viewing space. One of the best things about this little trick is that it's compliant with all major current browsers — including Firefox, Chrome, Safari *AND* Internet Explorer (after a little tweak). For Internet Explorer to not throw a fit, we need to concede that IE doesn't recognize min-height as a valid property, so we have to add height: 100%; to #page:

#page {
      min-height: 100%;  /* for all other browsers */
      height: 100%;  /* for IE */
      position: relative;
}

If the user does not have a modern, popular browser, it's still okay! Though their old browser won't detect the magic we've done here, it'll fail gracefully, and the footer will be positioned directly under the content, as it would have been without our little CSS trick.

I can't finish this blog without mentioning my FAVORITE perk of this trick: Should you not have a specially designed mobile version of your site, this trick even works on smart phones!

-Cassandra

November 5, 2012

O Canada! - Catalyst, Startups and "Coming Home"

I was born and raised in Brockville, Ontario, and I've always been a proud Canadian. In 2000, I decided to leave my homeland to pursue career options south of the 49th parallel, so I became an active participant in Canada's so-called "brain drain." It's never easy starting over, but I felt that my options were limited in Canada and that I wouldn't find many opportunities to make an impact on a global stage.

Fast-forward to 2012. Early in the year, we were introduced to GrowLab — a leading Vancouver-based accelerator — by our friends at East Side Games Studio. They seemed to have a lot of incredible stuff going on, so I planned an exploratory mission of sorts ... In June, I'd visit a few Canadian cities with an open mind to see what, if anything, had changed. With the Catalyst Program's amazing success in the US, I hoped we could hunt down one or two Canadian startups and accelerators to help out.

I was very pleasantly surprised at what I found: A vibrant, thriving Canadian community of entrepreneurs that seemed to match or exceed the startup activity I've seen in Silicon Valley, Boulder, Boston, New York, Amsterdam, Hong Kong, and Dubai. How times have changed! Investing in the Canadian startup scene was a no-brainer.

Canada Approved

The Catalyst team hit the ground running and immediately started working with GrowLab and several other incredible organizations like Communitech, Ryerson University Digital Media Zone (DMZ), Innovation Factory, Extreme Startups and the Ontario Network of Excellence (ONE).

We'll enroll startups participating in those organizations into the Catalyst Program, and we'll provide infrastructure credits (for servers, storage and networking), executive mentoring, engineering resources and limited financial support. SoftLayer wants to become the de facto Infrastructure as a Service (IaaS) provider for Canadian startups and startups worldwide, so this is a huge first step onto the international stage. More importantly — and on a personal level — I'm excited that we get to help new companies in Canada make a global impact with us.

As a Canadian expat, having the opportunity to give something back means a great deal to me. I see an incredible opportunity to nurture and help some of these Canadian startups take flight. SoftLayer is still an entrepreneurial company at heart, and we have a unique perspective on what it takes to build and scale the next killer app or game, so we feel especially suited to the task.

One of the Canadian entrepreneurs we've been working with sent us this great video produced by the Vancouver-based GROW Conference about entrepreneurship, and it immediately resonated with me, so I wanted to be sure to include it in this post:

We've already started working with dozens of entrepreneurs in Vancouver, Toronto, Hamilton and Waterloo who embody that video and have kindred spirits to my own. SoftLayer has a few Canadian ex-pats on our team, and as Catalyst moves into Canada officially, we're all extremely proud of our heritage and the opportunity we have to help.

Some have called our foray into the Canadian market an "international expansion" of sorts; I think of it more as a "coming home party."

-@gkdog


November 2, 2012

The Trouble with Open DNS Resolvers

In the last couple of days, there's been a bit of buzz about "open DNS resolvers" and DNS amplification DDoS attacks, and SoftLayer's name has been brought up a few times. In a blog post on October 30, CloudFlare explained DNS Amplification DDoS attacks and reported the geographic and network sources of open DNS resolvers that were contributing to a 20Gbps attack on their network. SoftLayer's AS numbers (SOFTLAYER and the legacy THEPLANET-AS number) show up on the top ten "worst offenders" list, and Dan Goodin contacted us to get a comment for a follow-up piece on Ars Technica — Meet the network operators helping to fuel the spike in big DDoS attacks.

While the content of that article is less sensationalized than the title, there are still a few gaps to fill when it comes to how SoftLayer is actually involved in the big picture (*SPOILER ALERT* We aren't "helping to fuel the spike in big DDoS attacks"). The CloudFlare blog and the Ars Technica post presuppose that the presence of open recursive DNS resolvers is a sign of negligence on the part of the network provider at best and maliciousness at worst, and that's not the case.

The majority of SoftLayer's infrastructure is made up of self-managed dedicated and cloud servers. Customers who rent those servers on a monthly basis have unrestricted access to operate their servers in any way they'd like as long as that activity meets our acceptable use policy. Some of our largest customers are hosting resellers who provide that control to their customers who can then provide that control to their own customers. And if 23 million hostnames reside on the SoftLayer network, you can bet that we've got a lot of users hosting their DNS on SoftLayer infrastructure. Unfortunately, it's easier for those customers and customers-of-customers and customers-of-customers-of-customers to use "defaults" instead of looking for, learning and implementing "best practices."

It's all too common to find those DNS resolvers open and ultimately vulnerable to DNS amplification attacks, and whenever our team is alerted to that vulnerability on our network, we make our customers aware of it. In turn, they may pass the word down the customer-of-customer chain to get to the DNS owner. It's usually not a philosophical question about whether DNS resolvers should be open for the greater good of the Internet ... It's a question of whether the DNS owner has any idea that their "configuration" is vulnerable to being abused in this way.

SoftLayer's network operations, abuse and support teams have tools that flag irregular and potentially abusive traffic coming from any server on our network, and we take immediate action when we find a problem or are alerted to one by someone who sends details to abuse@softlayer.com. The challenge we run into is that flagging obvious abusive behavior from an active DNS server is a bit of a cat-and-mouse game ... Attackers cloak their activity in normal traffic. Instead of sending a huge amount of traffic from a single domain, they send a marginal amount of traffic from a large number of machines, and the "abusive" traffic is nearly impossible for even the DNS owner to differentiate from "regular" traffic.

CloudFlare effectively became a honeypot, and they caught a distributed DNS amplification DoS attack. The results they gathered are extremely valuable to teams like mine at SoftLayer, so if they go the next step to actively contact the abuse channel for each of the network providers in their list, I hope that each of the other providers will jump on that information as I know my team will.

If you have a DNS server on the SoftLayer network, and you're not sure whether it's configured to prevent it from being used for these types of attacks, our support team is happy to help you out. For those of you interested in doing a little DNS homework to learn more, Google's Developer Network has an awesome overview of DNS security threats and mitigations which gives an overview of potential attacks and preventative measures you can take. If you're just looking for an easy way to close an open recursor, scroll to the bottom of CloudFlare's post, and follow their quick guide.

If, on the other hand, you have your own DNS server and you don't want to worry about all of this configuration or administration, SoftLayer operates private DNS resolvers that are limited to our announced IP space. Feel free to use ours instead!

-Ryan
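For readers who want to see what "open" means on the wire, here is an added example (not part of the original post, and not SoftLayer's tooling): it builds a recursive query and classifies the reply by the RA, AA and RCODE header fields. The function names and the sample reply headers are constructed for illustration; `probe()` assumes you run it against a DNS server you operate, from an address outside the ranges that server is meant to serve, and for a name it does not host.

```python
import secrets
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed 12-byte reply headers (ID 0x1234), used as offline sample input.
SAMPLES = {
    "recursed": b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
    "refused": b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00",
    "authoritative": b"\x12\x34\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00",
}


def build_query(name, txid=0x1234, qtype=1):
    """Return a DNS query for `name` (type A by default) with Recursion Desired set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def classify_response(resp, txid=0x1234):
    """Decide from the reply header whether the server recursed for us."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    ra, aa, rcode = bool(flags & RA), bool(flags & AA), flags & 0x000F
    if rcode == 5 or not ra:
        verdict = "closed"          # refused, or recursion not offered to us
    elif not aa and rcode == 0 and answers > 0:
        verdict = "open"            # answered a name it is not authoritative for
    else:
        verdict = "inconclusive"    # e.g. the name is hosted here, or SERVFAIL
    return {
        "verdict": verdict,
        "recursion_available": ra,
        "authoritative": aa,
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": answers,
    }


def probe(server_ip, name="example.com", timeout=3.0):
    """Send one query to a server you operate and classify the reply."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        resp, _ = sock.recvfrom(4096)
    return classify_response(resp, txid)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_response(raw))
```

A "closed" verdict from an outside address together with normal answers for your own clients is the restricted behaviour the post describes for SoftLayer's private resolvers.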

October 30, 2012

Startup Series: YouNoodle

In the startup world, the resources you have are almost as important as your vision and your ability to execute. That simple idea fueled the creation of Catalyst, and it's a big component of our incredible success. We're taking the complexity (and cost) out of the hosting decision for the coolest startups we meet, and by doing so, those startups have the freedom to focus on their applications. But that's only the beginning.

In addition to providing infrastructure, my team and I also try to introduce Catalyst participants to investors, incubators, accelerators and other startup founders. By building a strong network of experienced peers, entrepreneurs have a HUGE advantage as they're building their businesses. The difficulty in making those introductions is that it's such a labor-intensive process ... Or I guess I should say that it *was* a labor-intensive process. Then we found YouNoodle.

YouNoodle is an online network for entrepreneurs that was founded in 2010 in San Francisco, California. The 18-person startup is built to connect entrepreneurs with people, startups, competitions and groups based on what's relevant to each entrepreneur's mission. What the Catalyst team has been doing in a labor-intensive fashion, YouNoodle has automated and streamlined! We had to meet these folks.

YouNoodle

We heard that YouNoodle was putting together a start-up crawl during one of their immersion programs — they bring international entrepreneurs to Silicon Valley to learn best practices and make connections in the US market — and we jumped at an opportunity to provide the beer and sandwiches at one of the stops. If you've ever worked at a startup before, you know that the way to an entrepreneur's heart is through his/her stomach, so we hoped it would be "love at first bite."

We chatted with the YouNoodle team, and they showed us the recently released 2.0 version of Podium, the SaaS platform they built to manage the selection process for entrepreneurial competitions and challenges from organizations like Start-Up Chile, The Next Web, Intel, NASA and seven out of the top ten universities around the world. Basically, Podium enables the most talented individuals and innovative startups to rise to the top and get the opportunities they deserve.

YouNoodle was an obvious fit for Catalyst, and Catalyst was an obvious fit for YouNoodle. Other Catalyst participants could join the thriving community of entrepreneurs that YouNoodle has built, and YouNoodle could take advantage of the power of SoftLayer's hosting platform. And by helping support YouNoodle, Catalyst gets to indirectly help even more entrepreneurs and startups ... Very "meta!"

Over the past two years, YouNoodle has managed over 400 competitions which have received entries from more than 28,000 entrepreneurs around the world. They're a key player in the acceleration of global entrepreneurship, and they share our vision of breaking down the geographic barriers to innovation. And with the momentum they've got now, it's clear that they're just getting started.

If you have a second, head over to YouNoodle.com to check out the fresh, easy-to-use interface they launched to help users discover, get inspired by and connect with like-minded individuals on a global scale.

-@PaulFord

October 25, 2012

Tips from the Abuse Department: Save Your Sinking Ship

I often find that the easiest way to present a complex process is with a relatable analogy. By replacing esoteric technical details with a less intimidating real-world illustration, smart people don't have to be technically savvy to understand what's going on. When it comes to explaining abuse-related topics, I find analogies especially helpful. One that I'm particularly keen on is explaining Abuse tickets in the context of a sinking ship.

How many times have you received an Abuse ticket and responded to the issue by suspending what appears to be the culprit account? You provide an update in the ticket, letting our team know that you've "taken care of the problem," and you consider it resolved. A few moments later, the ticket is updated on our end, and an abuse administrator is asking follow-up questions: "How did the issue occur?" "What did you do to resolve the issue?" "What steps are being taken to secure the server in order to prevent further abuse?"

Who cares how the issue happened if it's resolved now, right? Didn't I respond quickly and address the problem in the ticket? What gives? Well, dear readers, it's analogy time:

You're sailing along in a boat filled with important goods, and the craft suddenly begins to take on water. It's not readily apparent where the water is coming from, but you have a trusty bucket that you fill with the water in the boat and toss over the side. When you toss out all the water onboard, is the problem fixed? Perhaps. Perhaps not.

You don't see evidence of the problem anymore, but as you continue along your way, your vessel might start riding lower and lower in the water — jeopardizing yourself and your shipment. If you were to search for the cause of the water intake and take steps to patch it, the boat would be in a much better condition to deliver you and your cargo safely to your destination.

In the same way that a hull breach can sink a ship, so too can a security hole on your server cause problems for your (and your clients') data. In the last installment of "Tips from the Abuse Department," Andrew explained some of the extremely common (and often overlooked) ways servers are compromised and used maliciously. As he mentioned in his post, Abuse tickets are, in many cases, the first notification for many of our customers that "something's wrong."

At a crucial point like this, it's important to get the water out of the boat AND prevent the vessel from taking on any more water. You won't be sailing smoothly unless both are done as quickly as possible.

Let's look at an example of what a thorough response to an Abuse ticket might look like:

A long-time client of yours hosts their small business site on one of your servers. You are notified by Abuse that malware is being distributed from a random folder on their domain. You could suspend the domain and be "done" with the issue, but that long-time client (who's not in the business of malware distribution) would suffer. You decide to dig deeper.

After temporarily suspending the account to stop any further malware distribution, you log into the server and track down the file and what permissions it has. You look through access logs and discover that the file was uploaded via FTP just yesterday from an IP in another country. With this IP information, you search your logs and find several other instances where suspicious files were uploaded around the same time, and you see that several FTP brute force attempts were made against the server.

You know what happened: Someone (or something) scanned the server and attempted to break into the domain. When the server was breached, malware was uploaded to an obscure directory on the domain where the domain owners might not notice it.

With this information in hand, you can take steps to protect your clients and the server itself. The first step might be to implement a password policy that would make guessing passwords very difficult. Next, you might add a rule within your FTP configuration to block continued access after a certain number of failed logins. Finally, you would clean the malicious content from the server, reset the compromised passwords, and unsuspend the now-clean site.

While it's quite a bit more work than simply identifying the domain and account responsible for the abuse and suspending it, the extra time you spent investigating the cause of the issue will prevent the same issue from happening after your client "fixes" the problem by deleting the files/directories. Invariably, they'd get compromised again in the same way when the domain is restored, and you'd hear from the Abuse department again.

Server security goes hand in hand with systems administration, and even though it's not a very fun part of the job, it is a 24/7 responsibility that requires diligence and vigilance. By investing time and effort into securing your servers and fixing your hull breach rather than just bailing water overboard, your customers will see less downtime, you'll be using your server resources more efficiently, and (best of all) you won't have the Abuse team hounding you about more issues!

-Garrett

P.S. I came up with a brilliant analogy about DNS and the postal service, so that might be a topic for my next post ...
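The log review in the example above can be scripted. The following is an added example, not part of the original post: it assumes a vsftpd-style log format (the post names no FTP daemon), uses constructed sample lines, and the function names and the threshold of five failures are illustrative choices. It flags any source IP that logged in successfully after repeated failures, then lists every account and upload tied to that IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a vsftpd-style format (assumption, see lead-in).
SAMPLE_LOG = """\
Mon Oct 22 09:02:00 2012 [pid 5200] [bakery] FAIL LOGIN: Client "198.51.100.10"
Mon Oct 22 09:02:12 2012 [pid 5201] [bakery] OK LOGIN: Client "198.51.100.10"
Mon Oct 22 09:03:00 2012 [pid 5202] [bakery] OK UPLOAD: Client "198.51.100.10", "/home/bakery/public_html/menu.pdf", 20480 bytes, 300.00Kbyte/sec
Mon Oct 22 02:10:01 2012 [pid 4101] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:03 2012 [pid 4102] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:05 2012 [pid 4103] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:07 2012 [pid 4104] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:09 2012 [pid 4105] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:11 2012 [pid 4106] [acme] FAIL LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:13 2012 [pid 4107] [acme] OK LOGIN: Client "203.0.113.77"
Mon Oct 22 02:10:20 2012 [pid 4108] [acme] OK UPLOAD: Client "203.0.113.77", "/home/acme/public_html/img/cache/gallery.php", 48211 bytes, 120.50Kbyte/sec
Mon Oct 22 02:10:24 2012 [pid 4108] [acme] OK UPLOAD: Client "203.0.113.77", "/home/acme/public_html/img/cache/index.html", 9120 bytes, 88.10Kbyte/sec
Mon Oct 22 02:11:02 2012 [pid 4110] [shop] OK LOGIN: Client "203.0.113.77"
Mon Oct 22 02:11:09 2012 [pid 4111] [shop] OK UPLOAD: Client "203.0.113.77", "/home/shop/public_html/tmp/update.php", 48211 bytes, 119.80Kbyte/sec
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def parse(log_text):
    """Turn log text into a time-ordered list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a format we do not recognise
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def triage(events, fail_threshold=5):
    """Report IPs that logged in after >= fail_threshold failed attempts."""
    fails = defaultdict(int)  # failed logins seen so far, per source IP
    report = {}
    for ev in events:
        ip, action, ok = ev["ip"], ev["action"], ev["status"] == "OK"
        if action == "LOGIN" and not ok:
            fails[ip] += 1
        elif action == "LOGIN" and ok and fails[ip] >= fail_threshold:
            # A success after a burst of failures: treat the account as compromised.
            entry = report.setdefault(ip, {"accounts": set(), "uploads": []})
            entry["accounts"].add(ev["user"])
        elif action == "UPLOAD" and ok and ip in report:
            report[ip]["uploads"].append((ev["user"], ev["path"]))
    for ip, entry in report.items():
        entry["failed_logins"] = fails[ip]
        entry["accounts"] = sorted(entry["accounts"])  # passwords to reset
    return report


if __name__ == "__main__":
    for ip, entry in triage(parse(SAMPLE_LOG)).items():
        print(ip, entry["failed_logins"], "failed logins;",
              "reset passwords for:", ", ".join(entry["accounts"]))
        for user, path in entry["uploads"]:
            print("  review/remove:", path)
```

The output gives the three follow-up items from the post: which files to clean, which passwords to reset, and which source to feed into a failed-login lockout rule.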

October 23, 2012

Tips from the Abuse Department: Know Spam. Stop Spam.

As an abuse administrator, I'm surrounded by spam on a daily basis. When someone sends an abuse-related complaint to our abuse@softlayer.com contact address, it gets added to our ticket queue, and our Abuse SLayers take time to investigate and follow up with the customers whose servers violate our acceptable use policy. The majority of those abuse-related submissions are reporting spam coming from our network, and in my interaction with customers, I've noticed that spam (and the source of spam) is widely misunderstood.

Most spam tickets we create on customer accounts pinpoint spam sent from a compromised or exploited server. Our direct customer didn't send the phishing email, malware distribution, pharmacy advertisement or pornographic spam, but that activity came from their account. While they're accountable for the abusive behavior coming from their server, in many cases, they don't know that there's a problem until we post an abuse ticket on their account. These servers are targeted and compromised by common techniques and exploits that could have been easily avoided, but they aren't very well known outside the world of abuse.

To protect yourself from a spammer, you need to think like a spammer. You need to understand how someone might try to exploit your environment so that you can prevent them from doing so. As you're looking at ways to secure your server proactively, make sure you target these five exploits in particular:

1. User Auth Login

This is by far the most common exploit used to send spam. This method involves a person or script using the credentials of a user to send spam through a domain's mail server. The majority of these incidents are caused by malware on a client PC that obtains the login and password for a domain user and uses that information to log on and send mail from the client PC through the server. Often, these spam messages are sent through a botnet command structure.

When an account is compromised, simply changing the password for the compromised user on the server usually won't stop the abuse. We see quite a few accounts that continue to send spam after an initial abuse ticket results in a password change. Most servers that are sending spam with this method are found to only be sending a small amount of spam at any given time to avoid detection. The low volume of spam that is being sent per server is made up for by the fact that there are thousands of servers being used for the same spamming campaigns.

In order to stop the User Auth Login exploit, a customer needs to clean all of the malicious software (malware) from their environments. To prevent future User Auth Login compromises, users should be made aware of the potential dangers of untrusted software, and if they believe their machines are infected, they need to know what to do.

2. Tell-a-friend Exploitation

The User Auth Login technique is the most common method employed by spammers, but the "tell-a-friend" script exploitation isn't far behind when it comes to volume of affected servers. This spamming method finds websites that use scripts to invite users to refer friends to a page or product. Spammers will use the 'Your Message' field in one of these scripts to input their own content and links, and they'll push the actual page referral link to the bottom of the message. When these site scripts aren't secure, the spammer will use them to send hundreds or thousands of messages.

To avoid having your website fall victim to this type of spam, be very wary of any widget or script you add. If you need to add Facebook, Twitter and email "share" functionality to your site, make sure you incorporate a tell-a-friend script that does not allow for customizable messages or does not accept input of more than one email address. Also, users won't need the "cc" or "bcc" fields, so you can be sure those are axed as well. If you can't find a good "share" script that you're comfortable with from a security perspective, it might be a good idea to remove that functionality to avoid exploitation.

3. Uploaded Mailers

Spam sent via an uploaded third party mailer can sometimes prove difficult for admins to locate. An uploaded third party mailer could be capable of creating its own outbound SMTP connection, and that would allow a program to bypass the existing MTA on the server and render any legitimate mail logs useless for investigation. Another challenge is that a php mailer can be uploaded to a location within a user's web content, and that mailer is run by the user 'nobody' (the default Apache user).

We strongly suggest configuring your server to have the mail headers show the script's user (that's not the Apache default user) and the location the script is running from on the server. Many times, these kinds of mailers are maliciously uploaded after a user's FTP password has been compromised, so be sure your FTP login information is secure.

4. Software Exploits

The "software exploits" category casts a huge shadow. Every piece of software on a server — from mail servers, content management systems and control panels to the operating system itself — can be targeted by hackers. They probe servers to find security vulnerabilities and weak coding, and when they find a vulnerability, they take control.

The hacker who found the software vulnerability might not actually take advantage of the exploit immediately. That user may sell access to other entities for their use, and that use often ends up being spam. In addition to having strong firewall rules and access restrictions, you should update and maintain the current stable versions of all software on your servers.

5. WordPress Exploits

WordPress exploits would technically fall under the "Software Exploits" category, but I'm breaking it out into its own category simply due to the volume of spam issues that are the result of exploiting this particular piece of software. The first step to protecting against spam being sent through this source is to make sure you have the latest version of WordPress installed. With that done, be sure to research the latest security plugins for that version and install any that are applicable to your environment.

These five techniques are not the only ones used by spammers to take advantage of your environment, but they are some of the most common. To protect yourself from becoming a source of spam, make your servers a more difficult target to exploit. To stop spam, you need to know spam. Now that you know spam, it's time to stop it. Ask questions, test your environment regularly and watch your logs for any unexplained usage.

-Andrew
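The tell-a-friend advice in item 2 translates directly into server-side checks. This is an added example, not code from the original post: the site address, page URL, field names and `build_referral` function are hypothetical, and the per-client hourly cap goes one step beyond what the post lists. The message body is a fixed template, exactly one recipient is accepted, and any extra form field (message, cc, bcc) is rejected.

```python
import re
import time
from collections import defaultdict, deque
from email.message import EmailMessage

SITE_FROM = "noreply@example.com"              # hypothetical site sender
PAGE_URL = "https://www.example.com/offer"     # hypothetical page being shared
ALLOWED_FIELDS = {"sender_name", "recipient"}  # no message, cc or bcc fields
MAX_PER_HOUR = 5                               # illustrative per-client cap

# One plain address only: no commas, spaces, angle brackets or line breaks.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# A short display name that cannot carry a URL or a header line.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '-]{0,39}")

_sent = defaultdict(deque)  # client IP -> timestamps of accepted referrals


def build_referral(form, client_ip, now=None):
    """Validate a tell-a-friend submission and return the message to send.

    Raises ValueError for anything outside the narrow accepted shape.
    """
    now = time.time() if now is None else now

    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValueError("unexpected field(s): " + ", ".join(sorted(extra)))

    name = form.get("sender_name", "")
    recipient = form.get("recipient", "")
    # fullmatch() rejects trailing newlines, which is what blocks
    # "address\nBcc: ..." style header injection.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid sender name")
    if not ADDR_RE.fullmatch(recipient):
        raise ValueError("recipient must be exactly one e-mail address")

    # Sliding one-hour window per client, so the form cannot be looped.
    window = _sent[client_ip]
    while window and now - window[0] > 3600:
        window.popleft()
    if len(window) >= MAX_PER_HOUR:
        raise ValueError("rate limit exceeded")
    window.append(now)

    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = recipient
    msg["Subject"] = "A friend thought you would like this page"
    # Fixed template: the only user-supplied text is the validated name.
    msg.set_content(f"{name} thought you might like this page:\n{PAGE_URL}\n")
    return msg


if __name__ == "__main__":
    ok = build_referral({"sender_name": "Dana", "recipient": "pat@example.org"},
                        "192.0.2.1")
    print(ok)
```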

October 17, 2012

Tips and Tricks - jQuery Select2 Plugin

Web developers have the unique challenge of marrying coding logic and visual presentation to create an amazing user experience. Trying to find a balance between those two is pretty difficult, and it's easy to follow one or the other down the rabbit hole. What's a web developer to do?

I've always tried to go the "work smarter, not harder" route, and when it comes to balancing functionality and aesthetics, that usually means that I look around for plugins and open source projects that meet my needs. In the process of sprucing up a form, I came across jQuery Select2, and it quickly became one of my favorite plugins for form formatting. With minimal scripting and little modification, you get some pretty phenomenal results.

We've all encountered drop-down selection menus on web forms, and they usually look like this:

Option Select

Those basic drop-downs meet a developer's need for functionality, but they aren't winning any beauty pageants. Beyond the pure aesthetic concerns, when a menu contains dozens (or hundreds) of selectable options, it becomes a little unwieldy. That's why I was so excited to find Select2.

With Select2, you can turn the old, plain, boring-looking select boxes into beautiful, graceful and more-than-functional select widgets:

Pretty Option Select

Not only is the overall presentation of the data improved, Select2 also includes an auto-complete box. A user can narrow down the results quickly and easily, and if you've got some of those endlessly scrolling select boxes of country names or currencies, your users will absolutely notice the change (and love you for it).

What's even sexier than the form facelift is that you can add the plugin to your form in a matter of minutes.

After we download Select2 and upload it to our box, we add the jQuery library and scripts to the <head> of our document:

<script src="jquery.js" type="text/javascript"></script> 
<script src="select2.js" type="text/javascript"></script>

For the gorgeous styling, we'll also add Select2's included style sheet:

<link href="select2.css" rel="stylesheet"/>

Before we close our <head> tag, we invoke the Select2 function:

<script>
$(document).ready(function() { $("#selectPretty").select2(); });
</script>

At this point, Select2 is locked and loaded, and we just have to add the #selectPretty ID to the select element we want to improve:

<select id="selectPretty">
<option value="Option1">Option 1</option>
<option value="Option2">Option 2</option>
<option value="Option3">Option 3</option>
<option value="Option4">Option 4</option>
</select>

Notice: the selectPretty ID is what we defined when we invoked the Select2 function in our <head> tag.

With minuscule coding effort, we've made huge improvements to the presentation of our usually-boring select menu. It's so easy to implement that even the most black-and-white coding-minded web developers can add some pizzazz to their next form without having to get wrapped up in styling!

-Cassandra

October 16, 2012

An Introduction to Risk Management

Whether you're managing a SaaS solution for thousands of large clients around the world or you're running a small mail server for a few mom-and-pop businesses in your neighborhood, you're providing IT service for a fee — and your customers expect you to deliver. It's easy to get caught up in focusing your attention and energy on day-to-day operations, and in doing so, you might neglect some of the looming risks that threaten the continuity of your business. You need to prioritize risk assessment and management.

Just reading that you need to invest in "Risk Management" probably makes you shudder. Admittedly, when a business owner has to start quantifying and qualifying potential areas of business risk, the process can seem daunting and full of questions ... "What kinds of risks should I be concerned with?" "Once I find a potential risk, should I mitigate it? Avoid it? Accept it?" "How much do I need to spend on risk management?"

When it comes to risk management in hosting, the biggest topics are information security, backups and disaster recovery. While those general topics are common, each business's needs will differ greatly in each area. Because risk management isn't a very "cookie-cutter" process, it's intimidating. It's important to understand that protecting your business from risks isn't a destination ... it's a journey, and whatever you do, you'll be better off than you were before you did it.

Because there's not a "100% Complete" moment in the process of risk management, some people think it's futile — a gross waste of time and resources. History would suggest that risk management can save companies millions of dollars, and that's just when you look at failures. You don't see headlines when businesses effectively protect themselves from attempted hacks or when sites automatically fail over to a new server after a hardware failure.

It's unfortunate how often confidential customer data is unintentionally released by employees or breached by malicious attackers, especially because those instances are often so easily preventable. When you understand the potential risks of your business's confidential data in the hands of the wrong people (whether malicious attackers or careless employees), you'll usually take action to avoid quantifiable losses like monetary fines and unquantifiable ones like the loss of your reputation.

More and more, regulations are being put in place to hold companies accountable for protecting their sensitive information. In the healthcare industry, businesses have to meet the strict Health Insurance Portability and Accountability Act (HIPAA) regulations. Sites that accept credit card payments online are required to operate in Payment Card Industry (PCI) Compliance. Data centers will spend hours (and hours and hours) achieving and maintaining their SSAE 16 certification. These rules and requirements are not arbitrarily designed to be restrictive (though they can feel that way sometimes) ... They are based on best practices to ultimately protect businesses in those industries from risks that are common throughout the respective industry.

Over the coming months, I'll discuss ways that you as a SoftLayer customer can mitigate and manage your risk. We'll talk about security and backup plans that will incrementally protect your business and your customers. While we won't get to the destination of 100% risk-mitigated operations, we'll get you walking down the path of continuous risk assessment, identification and mitigation.

Stay tuned!

-Matthew

October 10, 2012

On-Call for Dev Support AND a New Baby

I began working at SoftLayer in May of 2010 as a customer support administrator. When I signed on, I was issued a BlackBerry to help me follow tickets and answer questions from my coworkers when I was out of the office. In August of 2011, that sparingly used BlackBerry started getting a lot more use. I became a systems engineer in development support, and I was tasked to provide first-tier support for development-related escalations, and I joined the on-call rotation.

In the Dev Support group, each systems engineer works a seven-day period each month as the on-call engineer to monitor and respond to off-hours issues. I enjoy tackling challenging problems, and my BlackBerry became an integral tool in keeping me connected and alerting me to new escalations. To give you an idea of what kinds of issues get escalated to development support, let me walk you through one particularly busy on-call night:

I leave the office and get home just in time to receive a call about an escalation. An automated transaction is throwing an error, and I need to check it out. I unload my things, VPN into the SoftLayer network and begin investigating. I find the fix and I get it implemented. I go about my evening, and before I get in bed, I make sure my BlackBerry is set to alert me if a call comes in the middle of the night. Escalations to development support typically slow down after around 11 p.m., but with international presences in Amsterdam and Singapore, it's always good to be ready for a call at 2:30 a.m. to make sure their issues are resolved with the same speed as issues found in the middle of the day in one of our US facilities.

Little did I know, my SoftLayer experience was actually preparing me for a different kind of "on-call" rotation ... One that's 24x7x365.

In June 2012, my wife and I adopted an infant from El Paso, Texas. We'd been trying to adopt for almost two years, and through lots of patience and persistence, we were finally selected to be the parents of a brand new baby boy. When we brought him home, he woke up every 3 hours for his feeding, and my on-call work experience paid off. I didn't have a problem waking up when it was my turn to feed him, and once he was fed, I hopped back in bed to get back to sleep. After taking a little time off to spend with the new baby, I returned to my job, and that first week back was also my turn on the on-call rotation.

The first night of that week, I got a 1 a.m. call from Amsterdam to check out a cloud template transfer that was stuck, and I got that resolved quickly. About 30 minutes later, our son cried because he was hungry, so I volunteered to get up and feed him. After 45 minutes, he'd eaten and fallen asleep again, so I went back to bed. An hour later, I got a call from our San Jose data center to investigate a cloud reload transaction that was stalling with an error. I worked that escalation and made it back to bed. An hour and a half later, the little baby was hungry again. My wife graciously took the feeding responsibilities this time, and I tried to get back to sleep after waking up to the baby's cries. About an hour later, another data center had an issue for me to investigate. At this point, I was red-eyed and very sleepy. When my teammates got up the next morning, they generously took the on-call phone number so I could try to get some rest.

This pattern continued for the next six days. By the end of that first week, I got a call from work at about 3 a.m., and I picked up the Baby Monitor from the night stand and answered, "Dev support, this is Greg." My wife just laughed at me.

I've come to realize that being on-call for a baby is a lot more difficult than being on-call for development support. In dev support, I can usually find documentation on how to resolve a given issue. I can search my email for the same error or behavior, and my coworkers are faithful to document how they resolve any unique issues they come across. If I get to a point where I need help, I can enlist the assistance of an SME/Developer that commonly works on a given piece of code. When you're on-call with a baby, all the documentation in the world won't help you get your newborn to stop crying faster, you don't get any clear "error messages" to guide you to the most effective response, and you can't pass the baby off to another person if you can't figure out what's wrong.

And when you're on-call for development support, you get some much-needed rest and relaxation after your seven days of work. When you're on-call for a new baby, you've got at least a few months of duty before you're sleeping through the night.

As I look back at those long nights early on, I laugh and appreciate important things in my life: My wife, my son, my job and my coworkers.

– Greg

October 9, 2012

Server Challenge II - The Retro Upgrade of a Fan Favorite

Wakka wakka wakka wakka. All your base are belong to us. I'm sorry Mario, but our princess is in another castle. It's dangerous to go alone. Do a barrel roll.

If you can place any of those quotes from the video games of yore, you'll probably love the Server Challenge II. Taking cues from classic arcade games, we've teamed up with Supermicro to build a worthy sequel to our original Server Challenge:

Server Challenge II

If you come across Server Challenge II at a conference, your task is clear. You step up to the full-sized server rack and perform three simple tasks:

  1. Load the data.
  2. Connect the network.
  3. Save the world.

You've got two attempts per day to install twenty-four drive trays into two 2U Supermicro servers and plug eighteen network cables into their correct switches. Get all of that done in the fastest time at the conference, and you walk away with a brand new MacBook Air. During booth setup at GDC Online, we shot a quick video of what that looks like:

The new challenge is sure to garner a lot of attention, and we're excited to see the competition heat up as the show progresses. Beyond being a fun game, the Server Challenge II is also a great visual for what SoftLayer does. When you get to touch servers in a server hosting company's booth, you're probably going to remember us the next time you need to order a new server. You also get to see the Cisco and Supermicro switches that you'd see in all of our thirteen data centers around the world ... It's a tech geek's dream come true.

In honor of the launch of Server Challenge II, we're going to offer some "live" coverage of the competition at GDC Online this week. If you want to watch the Server Challenge II GDC Online 2012 remotely via "challenge-cast," bookmark this blog post and refresh frequently. We'll update the leader board every hour or two so that you can keep track of how the times are progressing throughout the show:

Server Challenge II Leader Board - GDC Online 2012

Game on.

**UPDATE** GDC Online has officially wrapped, and after some last-minute heroics, Derek Manns grabbed the top spot (and the MacBook Air) for his Server Challenge II efforts! If you've been watching the leader board throughout the conference, you saw the top attendee time fall from 1:59.30 all the way down to 1:09.48. We hope you've enjoyed the "challenge-cast" ... Keep an eye on SoftLayer's event schedule to prepare for your next chance to take on the Server Challenge II.

-@khazard
