Cardiff Tourist Stuff

This is an initial list of Cardiff Tourist Stuff. Assume most places here, except the really remote ones, have cafés, and even some of the remote ones have pubs close by. It’s also biased towards the West of Cardiff because that’s where I live. Look on Google maps for interesting green spaces and interesting (hopefully free) things to do.

Do check opening times, things are currently higgledy-piggledy because of the plague. If you want to do many of these, it’s worth getting Cadw or National Trust membership, depending on where you want to go.

Bear in mind you can always do a Google search and get the information I’ve left out, like the official sites for these attractions.

Main Attractions

Cardiff Castle

If you only see one thing in Cardiff, let it be Cardiff castle. The original Norman keep is impressive in itself and it’s well worth climbing up to take in the view over the city. Cardiff uses the castle periodically to host other concerts or Welsh language events. It’s well worth a trip to see.

Cardiff Castle Apartments

Obviously, the castle got taken over by a rich mining family who took it upon themselves to build apartments. These are well worth a guided tour, through bedrooms, offices, sitting areas and at the end, the library which, like many places in Cardiff, has starred in Dr Who. There are also leftover WWII bomb shelters set in the walls that are well worth a look.

The castle and Bute park were given to the City after WWII to avoid death duties and are well worth a look. Again, events take place here from theatre to horticultural events to street food. At the top end are sports fields.

Insole Court

Owned, built and extended by another mining family, this little gem on the Fairwater/Llandaff border is well worth a visit. You can look into the house’s kitchen and various drawing rooms, and pay to go upstairs to see a history exhibition. The gardens are lovely and there is a nice allotment at the side.

St. Fagans

St. Fagans, owned by the Earl of Plymouth after whom Plymouth Great Woods is named, is the bane of any Welsh schoolchild’s life. Set in 100 acres, it encompasses Welsh life from Iron age roundhouses to more recent prefabs with a visitor centre and museum rooms packed with Welsh history.

The house/castle itself is worth a viewing and the Italian gardens are pretty. This place is worth a day of anyone’s time. Beautiful gardens, interesting reconstructed buildings and a decent pub in the village.

Cardiff Museum

The main museum in Cardiff is well worth a look, filled with fossils and art and so much more.

Llandaff Cathedral

Llandaff Cathedral in the heart of Llandaff village heading down to the Taff is impressive. It’s been there since 500AD or so, fell into disrepair and was rebuilt into the form we see today. If you can get it on a Cadw open day get the guided tour and have your mind blown. Like much CofE it has military connections. There are cafés in the village. And pubs. One of which is very good.

It also has a Rossetti. With it comes a story.

The Bay

Senedd

The seat of Welsh democracy, important for making decisions that don’t matter when the real stuff happens in Westminster. Still, it’s how a modern parliament should look.

Norwegian Church Arts Centre

Another historic little building built for sailors back in the day when Cardiff was a throbbing port. It usually has arts and crafts displays and a café obviously.

Pierhead

Another Bute building, this was once the beating heart of the docks. Currently home to some historic exhibitions and the occasional conference.

Cardiff Bay Wetlands Reserve

A little patch of land tucked away in the docks, supposedly home to rare birds and even most recently a seal. I’ve never seen more than pigeons, ducks and swans. Oh, well.

Parks

Cefn Onn Park

To the north of Cardiff in Lisvane, straddling the M4 and reassuringly close to Ty Mawr, a good pub, this is a lovely garden heading towards Caerphilly, founded by Ernest Prosser, Director of the adjacent Rhymney Valley Railway.

It’s lovely when the rhododendrons are out. Also good for collecting golf balls apparently.

Llanishen Reservoir

There’s not a lot to say about this. It’s a reservoir and probably good for walking the dog. I’ve heard mutterings about building a visitor centre and having boating of some sort on it, but we’ll see.

Grangemoor Park, Cardiff

Despite this being practically on my doorstep, I’ve never been. The river Ely here used to be a lot twiddlier but there was a landfill and now it’s an IKEA and a trading estate.

FForest Farm/Radyr Hydro Scheme/Melingriffith Water Pump

This is supposedly one of the more radioactive areas of Cardiff (there were metalworks here back in the day), but it’s one of my favourite places in Cardiff, on the Taff. Park your car at Radyr railway station for free, go under the railway and over the Taff, then turn left and walk up to the weir.

There are birdwatching hides here and the old canal water pump.

Roath Park

Opened in 1894, it’s well worth a circumnavigation. You can even go boating on it if you’re brave. There’s a café there and some more locally if you fancy a stretch.

Caerau Fort

Set on top of a hill in unromantic Ely, bordered by the A4232 with a commanding view of the City lies an Iron Age hill fort that was in use until Roman times and beyond. Having had Time Team do geophys and had several archaeological digs, it’s recently acquired a visitor’s centre. The story of the church ruins is a sad one.

Tongwynlais

Castell Coch/Fforest Fawr Car Park

Another Bute property, this time North of the M4 and close to Taff’s Well railway station. There might be a café, but Tongwynlais has one or more pubs and maybe some cafés. Further up the hill is a car park with a nice walk and a sculpture trail.

And the sculpture trail…

Canton/Pontcanna

Chapter Arts Centre

Previously a secondary school, it became an arts centre showing films, live performances and so on. There’s a decent café with a well-stocked bar. I’ve been to various meetups there. Canton is a throbbing little village.

Thompson’s Park

An oasis at the back of Canton opened to the public in 1891 with ponds, birds and set on two levels. Nice. Take a coffee and peruse.

Penarth

Penarth Pier Pavilion

The Esplanade, Penarth – Wales, United Kingdom

Penarth is lush. It has a pier, a pavilion with a café and a theatre/cinema. The estuary front is nice for a stroll with shops and cafés.

Not Quite Cardiff

Caerphilly Castle

Another one of South Wales’ great castles, this is well worth a visit. Pay Cadw and go inside and wander around. Caerphilly has a rail station.

Cowbridge Physic Garden, The Butts, Cowbridge CF71 7BD

Cowbridge is a cute little town just a short bus hop or a drive from Cardiff. This picture is of the physic garden, but there are lots more things to see. Cowbridge has a ruined castle and a Waitrose. What more do you need?

Cosmeston Country Park

Cosmeston is a former quarry now turned into lakes and a wildlife refuge. It has a visitor centre with a café (obviously) and is good for a wander.

Dyffryn Gardens

Though dating back to the seventh century it was bought by the wealthy John Cory in 1891 whose son collaborated in making the gardens. The house itself is well worth a look. Again, easy access by bus or car, it’s halfway to Cowbridge.

National Trust – Lanlay

Out in Peterston-super-Ely, there’s very little to say about this except that it’s nice to walk there and there are a couple of decent pubs in the village. There are even occasional buses.

Pysgodlyn Mawr

In the vicinity of Hensol or the A48, you can park up and take a nice walk to this fishing lake. Take a thermos and some chocolate.

Tredegar House

Situated towards Newport, this was the home of the Morgan family since the 17C. Lovely rooms, amazing gardens. This one is another National Trust property.

Nash Point

This one is definitely a drive although there might be a weekly bus. Actually hourly to either Llantwit or Bridgend. It’s nice to see the lighthouse buildings, the sheep and maybe clamber down the cliffs to the estuary.

There is potentially more to come!

Selenium: “Failed to decode response from marionette.”

We were trying to move our Selenium tests into a Docker container and were getting the above error response. First, Google suggested increasing the memory of the container to 2G. We increased it to 3G to no effect. Deeper Googling then suggested increasing shared memory. Initially, it was 64m. We raised it to 256m and it magically worked! Our script for creating the container:

docker build . -f docker/Dockerfile --label cdx_selenium -t cdx_selenium
docker run --shm-size=256m -m3000m --cpus=4 --privileged -d  --name  cdx_selenium cdx_selenium 
docker exec cdx_selenium bash -c 'systemctl daemon-reload && systemctl enable xvfb.service && systemctl start xvfb.service'

We also needed to install dbus-x11. In theory we shouldn’t need to do the systemctl outside the Dockerfile.
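The shared-memory size is the thing that actually fixed the error above, so a check that catches it before the tests start is worth having. This is an added example, not code from the original post: it parses Docker size strings such as 64m and 256m, measures the filesystem mounted at /dev/shm, and builds the docker run argument list from the post with the sizes validated up front. The 256m minimum is taken from the post; the function and parameter names are this example’s own.

```python
"""Pre-flight check for the shared-memory mount a browser needs inside a container.
Added example; not part of the original post."""
import os
import re

# Constructed threshold: the --shm-size that made the post's container work.
MIN_SHM = "256m"

# docker accepts b/k/m/g suffixes (case-insensitive); no suffix means bytes.
_MULTIPLIER = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_docker_size(text):
    """Convert a docker size string such as '64m', '2G' or '1024' to bytes."""
    match = re.fullmatch(r"\s*(\d+)\s*([bkmgBKMG]?)\s*", text)
    if not match:
        raise ValueError("not a docker size: %r" % (text,))
    return int(match.group(1)) * _MULTIPLIER[match.group(2).lower()]


def mount_size_bytes(path="/dev/shm"):
    """Total size of the filesystem mounted at path, or None if it does not exist."""
    if not os.path.isdir(path):
        return None
    stat = os.statvfs(path)
    return stat.f_frsize * stat.f_blocks


def shm_large_enough(actual_bytes, minimum=MIN_SHM):
    """True when the mount is at least the minimum; None (no mount) counts as too small."""
    return actual_bytes is not None and actual_bytes >= parse_docker_size(minimum)


def docker_run_args(name, image, shm=MIN_SHM, memory="3000m", cpus=4, privileged=False):
    """Argument list for the post's docker run, sizes validated before anything starts.

    --privileged is off by default: the post's container runs systemd inside, which is
    why it passes the flag; a container that only runs the browser should not need it.
    """
    parse_docker_size(shm)
    parse_docker_size(memory)
    args = ["docker", "run", "--shm-size=%s" % shm, "-m%s" % memory,
            "--cpus=%d" % cpus]
    if privileged:
        args.append("--privileged")
    return args + ["-d", "--name", name, image]


if __name__ == "__main__":
    size = mount_size_bytes()
    if shm_large_enough(size):
        print("/dev/shm is %d MiB, fine" % (size // 1024 ** 2))
    else:
        print("/dev/shm too small or missing; start the container with:")
        print(" ".join(docker_run_args("cdx_selenium", "cdx_selenium")))
```

Run it inside the container before the Selenium suite: a 64m mount fails the check, the 256m mount from the post passes.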

MacOS Big Sur 11.5 update failed.

This repeated MacOS upgrade fail annoyed me. I saw stuff on the internet about Apple’s servers being overwhelmed. That wasn’t it. It turns out I only had 4G of free disk space left.

I’m never getting only 128G of SSD again. After deleting 8G of Spotify cache, it worked smoothly, if slowly.

Simples!

Edit: had a major fail going to 12.4. The system locked, unbootably so. I took it to the Apple store and the very nice man poked it with some electrons and the update completed.

2021 – Climate change and Welsh independence.

Cefn Onn

2021 has been an odd year.

Despite the supermarkets staying open during the lockdown, we’ve been getting far more food delivered; not just supermarket food but heat-at-home restaurant meals and fruit and veg from Wellocks, suppliers to Michelin-starred restaurants.

That said, two things have been standout in the last 12 months: climate change and Welsh independence.

Climate change podcasts

I don’t know whether it’s because I’ve been listening to many more podcasts and adding scientists to my Twitter feed (thanks @robinince), such as Helen Czerski, Brian Cox, Alice Roberts, Katie Mack, Mya Rose Craig and Hugh Warwick, and podcasts from the likes of 5×15, The Science and Media Museum and many more, but it seems to me that scientists and amateurs are getting much noisier about climate change. Of course, it’s turned out that Greta Thunberg was right all along. Maybe it’s just awareness, but there seem to be so MANY more podcasts too.

Living in a country that contributed hugely to the increase of CO2 in the atmosphere helps concentrate the mind. Because of the lockdown, we’ve been taking the car out only once or twice a week and I see an electric car in our future. As it is, we live in a wood-clad “green” flat and are surrounded by trees in a borderline countryside area. Wales is 3rd in the world for recycling. I’m not sure what more we could do for the environment.

Welsh Independence

On the subject of Wales, in the last year, the subject of Welsh independence has started to gain traction. The non-political group yes.cymru have gone from nothing to nearly 20,000 paying members and 50,000 Twitter followers. Welsh Labour and Plaid Cymru supporters are behind the idea too. The electorate polls at 25%-40% in favour.

As I’ve said before, Wales has a GDP per head which puts it on a par with Spain. We’re shy between £5-£10 billion pounds a year but hey, with European support we can claw our way back as Ireland did. I’ve blogged about Wales’ potential before. Also, accounting properly for water, electricity and HS2 would help by a few billion in our favour. Oh, and we pay a disproportionate amount for defence, another £1.9 billion. It doesn’t help their case that we appear to have a bunch of incompetents in Westminster.

So there you have it. These are two things that are now occupying much more news space, internet space and headspace.

MySQL 8.0 oddity – passwords and password policy

These are all things you can find elsewhere but a couple of password issues came as a surprise to me when a legacy system got the MySQL 5.7 upgraded to 8.0.

Firstly, password policies are much tighter. There’s a plugin that by default demands an uppercase letter, a number and a punctuation character. That foxes our legacy system whose installer just generates lowercase letters and numbers. Uninstall it.

UNINSTALL COMPONENT 'file://component_validate_password';

Another good one was that the library I was using, and didn’t want to upgrade, didn’t know the default authentication method for connecting to MySQL 8.0. That was easily fixed:

mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'xxxxxx';
Query OK, 0 rows affected (0.03 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Having gone from a Centos 7 MySQL accidentally to MySQL 8.0 and back again, that’s a world of pain involving the recompiling of the Perl DBD::MySQL and finding the correct .so library.
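The policy that tripped the legacy installer is MySQL 8.0’s validate_password component at its default MEDIUM level, which requires at least 8 characters with one upper-case letter, one lower-case letter, one digit and one special character. Rather than uninstalling the component, the installer could generate passwords that satisfy it. The following is an added example, not code from the post or from MySQL: it reproduces those MEDIUM rules as a check, shows that a lowercase-plus-digits password (a constructed stand-in for the legacy installer) always fails, and generates passwords that pass. The function names and the generated alphabet are this example’s own assumptions.

```python
"""Check and generate passwords against MySQL 8.0's validate_password MEDIUM policy.
Added example; not code from the post or from MySQL itself."""
import secrets
import string

# validate_password MEDIUM defaults: length=8, mixed_case_count=1,
# number_count=1, special_char_count=1.
MIN_LENGTH = 8
MIN_UPPER = 1
MIN_LOWER = 1
MIN_DIGITS = 1
MIN_SPECIAL = 1

# Quotes and backslash are left out of generated passwords so they can be pasted
# into the ALTER USER ... BY '...' statement without further quoting.
_SPECIALS = "".join(c for c in string.punctuation if c not in "'\"`\\")


def policy_failures(password):
    """Return the MEDIUM rules the password breaks; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        failures.append("uppercase")
    if sum(c.islower() for c in password) < MIN_LOWER:
        failures.append("lowercase")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        failures.append("number")
    # MySQL counts anything that is not a letter or digit as a special character.
    if sum(not c.isalnum() for c in password) < MIN_SPECIAL:
        failures.append("special")
    return failures


def legacy_password(length=12):
    """Constructed stand-in for the legacy installer: lowercase letters and digits only."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def policy_password(length=16):
    """Random password that satisfies the MEDIUM policy, so the component can stay."""
    if length < MIN_LENGTH:
        raise ValueError("policy needs at least %d characters" % MIN_LENGTH)
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, _SPECIALS]
    chars = [secrets.choice(pool) for pool in pools]      # one from each class
    everything = "".join(pools)
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                 # hide the class order
    return "".join(chars)


if __name__ == "__main__":
    old = legacy_password()
    print(old, "fails on:", policy_failures(old))
    new = policy_password()
    print(new, "fails on:", policy_failures(new) or "nothing")
```

A password produced by policy_password() can be used directly in the ALTER USER statement above in place of 'xxxxxx'; policy_failures() also makes a useful pre-flight test in the installer so a rejected password is caught before the CREATE USER runs.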

Green Wales

Being green is all the natural resource we’ve got left in Wales pretty much since the rich folks and the English took our coal, tin, copper and so on.

This blog is also going to come from an Indy viewpoint. Welsh independence has gone from nothing to 40% in the last few years. Independence is worth bearing in mind whichever side you fall on. I’ve fallen foul of people who think the world revolves around Westminster on Reddit. We got annexed in 1284 and made a union in 1536, not on the same basis as Scotland.

Independence polling

40%. It’s only time.

A poll suggesting that backing for independence among Welsh citizens is at a record high should serve as a warning for the UK government and prompt it to work harder at its relationship with the devolved nations, supporters of the union have said.

https://www.theguardian.com/uk-news/2021/mar/04/westminster-warned-as-poll-shows-record-backing-for-welsh-independence

GDP

We have a higher GDP per capita (£23,866 in 2018) than Spain (£22,000) and Slovenia (£20,000) and many other European countries.

GDP per head in Wales in 2018 was £23,866, an increase of 2.9% on 2017. This compares to Italy’s GDP/capita of £25,000, Spain £22,000, Slovenia £20,000 and New Zealand £30,000.

https://en.wikipedia.org/wiki/Economy_of_Wales

In the 1950s Wales’ GDP was twice as big as Ireland’s; by the 2020s the economy of the Irish Republic was four times the size of Wales’. Thanks EU.

Energy

Wind turbines

We export water and electricity to England. We are not short of water here. I even have a twitter feed of our local river to tell me how deep it is. Yes, it floods.

By one calculation Wales’ present export of water to England, from the Elan Valley to Birmingham and from Lake Vyrnwy and Tryweryn to Liverpool, could be worth as much as £4.5 billion a year.

https://www.iwa.wales/agenda/2012/04/when-white-water-could-become-white-gold/

Wales is a net exporter of the electricity it generates.

Wales energy

https://www.bbc.co.uk/news/uk-wales-29799716

We could do better at both of these.

Put energy creating lagoons around the harbours. This has come and gone but apparently is back again.

“Providing low-carbon, predictable renewable energy, tidal lagoons will deliver reliable and flexible electricity whatever the wind conditions or time of day – ensuring grid security and stability. Moreover, tidal lagoons have an exceptional operating life, at over 120 years, over three times a wind farm and twice a nuclear plant, and significant co-benefits that other schemes do not bring, such as protecting communities and businesses from rising sea levels.

https://www.offshore-energy.biz/industry-welcomes-welsh-governments-tidal-lagoon-challenge/

We could do more wind and solar energy too.

Forestry

North/South forest? Go for it. The “national forest”. We have expanses of temperate rainforest.

https://gov.wales/national-forest-wales-woodland-sites

Rewilding

Reintroduce lynx and bears into that forest? Yep. We recently got beavers back:

Naturalist and television presenter Iolo Williams welcomed the pair to the reserve near Machynlleth and said it was a “big day”.

“They [beavers] used to be here, they should be here and I would like to see them back on Welsh rivers,” he added.

“They can help tackle important issues like flooding, creation of new habitats – they’re an important part of that as environmental engineers.”

https://www.bbc.co.uk/news/uk-wales-56565050

Eurasian lynx

Five landowners in Wales have shown interest in hosting the reintroduction of lynx, a conservation group has said.

In 2015, the Lynx UK Trust put out a plea for anyone who would be willing to allow their land to be used.

Its chief scientific advisor, Dr Paul O’Donoghue, said five sites in mid Wales came forward and it would consider their merits in future.

https://www.bbc.co.uk/news/uk-wales-41024161

Wolves would be nice. Bears are sadly an April fool:

https://nation.cymru/news/bears-return-to-deserted-welsh-village-during-lockdown

Getting eels back would be good. We’re 70% down.

But the rapid disappearance of eels from the nation’s waterways – dropping by an alarming 70% in a generation – is now a major cause for concern among naturalists.

https://www.walesonline.co.uk/news/wales-news/wales-declining-eel-population-1884407

Replace pines with deciduous trees? Yes.

https://naturalresources.wales/media/681031/gpg7_forest-resilience-2_species-diversity.pdf

Bogs

Restore the bogs? This is happening.

Healthy peatland and raised bogs in good condition absorb carbon from the atmosphere which means they are important in the fight against climate change. If raised bogs are not in good condition they release harmful carbon into the atmosphere.

https://naturalresources.wales/about-us/our-projects/nature-projects/new-life-for-welsh-raised-bogs/

Public transport

Treble public transport in Cardiff? No brainer. Fuck all has happened with this in the seven years I’ve been in Cardiff. Allegedly some things are happening. In all that time there’s been a “Metro Plan”. Maybe we’ll move on from horse-drawn open-topped trains.

The South Wales Metro is an integrated public transport network that will make it easier for people to travel across the Cardiff Capital Region, transforming rail and bus services as well as cycling and walking. 

https://tfwrail.wales/metro/south-wales/

Energy efficient houses

Build energy efficient houses. I’m lucky enough to live in a B rated place. All places should be this efficient.

Seafood

Our seafood is amazing. Shame Westminster fucked that up.

Sheep

There are three times as many sheep as there are people. We should probably have more, within their environmental impact.

Dead zone

Restore the Cambrian mountains. There’s a 300 km² dead zone.

In the southern Cambrian Mountains, in central Wales, there’s a Terrestrial Dead Zone of around 300 km². It’s composed of degraded blanket mires, entirely dominated by a coarse grass called Molinia, in which other lifeforms, such as birds and insects, are scarcely to be found.

https://threadreaderapp.com/thread/1365217257111

Cardiff

Cardiff is nice and green, there’s plenty of woods, open fields and so on to just go hang in. Sadly a few green spaces are under threat. That’s not surprising in a growing city. The rivers could do with cleaning up. We used to have eels and way more fish. I’ll blog about this at another time. I’ve exported all my saved pins from Google maps.

Summary

There’s so much potential but nothing will happen while we’re under Westminster’s thumb. In EU terms, we are by no means the smallest country in Europe and our GDP is OK. I’d like to see more action. In the last year of lockdown green issues have come more to the forefront. I want a green future for Wales.

Web site (and server) security

These are the top ten potential security holes in your site. Your site is probably WordPress, which is a major source of hacks.

OWASP recommendations

  1. SQL injection – could someone get at your database remotely? Escape your SQL!
  2. Broken auth – is your login system safe?
  3. Data exposure – is your web server locked down? Options -Indexes in the Apache world.
  4. XML External Entities – an XML parser that resolves external entities can be made to read files. Don’t allow that!
  5. Broken access control – are important files inaccessible?
  6. Security misconfiguration – is your security software properly configured?
  7. XSS – has someone uploaded a malicious JS script?
  8. Using components with known vulnerabilities – keep up to date!
  9. Insufficient logging and monitoring – know what’s going in and out of your system.
  10. Insecure deserialisation – be careful of the serialised data you accept.
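Item 1 is the one most easily shown in working code. The block below is an added example, not code from the post: it uses Python’s built-in sqlite3 as a stand-in for the site’s database and puts three lookups side by side, a string-built query that an attacker-controlled name subverts, the same query with quotes escaped (the post’s “escape your SQL” advice), and a parameterised query, which is the form to prefer because the database never parses the input as SQL at all. The table, rows and function names are constructed for the example.

```python
"""SQL injection: vulnerable, escaped and parameterised lookups side by side.
Added example using sqlite3 in place of MySQL; not code from the post."""
import sqlite3

# Constructed sample data: two users with placeholder password hashes.
SAMPLE_USERS = [("alice", "hash-of-alice"), ("bob", "hash-of-bob")]


def make_db():
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, name):
    """Builds the query by string formatting: the input becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def escaped_lookup(conn, name):
    """Doubles single quotes before formatting, which closes this particular hole
    but must be done correctly at every call site, with the right rules for the
    database in use, and does nothing for values used outside string literals."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, name):
    """Parameterised query: the driver sends the value separately from the SQL,
    so it is compared as data whatever characters it contains."""
    cursor = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor]


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: closes the quoted string and adds an always-true clause.
    hostile = "nobody' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, hostile))   # returns every user
    print("escaped:   ", escaped_lookup(db, hostile))      # returns nothing
    print("safe:      ", safe_lookup(db, hostile))         # returns nothing
    print("safe, real name:", safe_lookup(db, "alice"))
```

The same pattern holds for MySQL through DBD::mysql, mysqlclient or PDO: pass values as bind parameters rather than interpolating them, and the escaping question disappears.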

Make sure you have DDoS protection. I use Cloudflare. It has the added bonus of running my DNS. I trust them.
Snort or equivalent. This is part of your monitoring. Snort is an IDS, or Intrusion Detection System.
On WordPress use a security plugin. I use Wordfence.

Site attackers can:

  • Inject SEO spam on the page
  • Drop a backdoor to maintain access
  • Collect visitor information or credit card data
  • Run exploits on the server to escalate access level
  • Use visitors’ computers to mine cryptocurrencies
  • Store botnets command & control scripts
  • Show unwanted ads, redirect visitors to scam sites
  • Host malicious downloads
  • Launch attacks against other sites

Asset inventory and management can be taken one step further into the following subcategories:

  • Web properties
  • Web servers and infrastructure
  • Plugins, extensions, themes, and modules
  • Third-party integrations and services
  • Access points/nodes

Monitoring should be in place to verify the security state of:

  • DNS records
  • SSL certificates
  • Webserver configuration
  • Application updates
  • User access
  • File integrity – monitor file modification times of plugins and themes
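The last item, file integrity, is the one of these that is easiest to build yourself. The block below is an added example, not code from the post or from any plugin: it takes a baseline snapshot of a directory tree, stores a SHA-256 hash alongside each file’s modification time and size, and reports added, removed and modified files. It goes one step beyond the post’s “monitor file modification times” by comparing content hashes as well, and the demo() function shows why: a file that is changed and then given its old timestamp back is missed by the mtime comparison but caught by the hash. The directory layout, file names and contents in demo() are constructed for the example.

```python
"""Baseline-and-compare file integrity check for a site's plugin and theme tree.
Added example; not code from the post or from any security plugin."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative path -> {sha256, mtime_ns, size} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            stat = path.stat()
            result[path.relative_to(root).as_posix()] = {
                "sha256": sha256_of(path),
                "mtime_ns": stat.st_mtime_ns,
                "size": stat.st_size,
            }
    return result


def save_baseline(snap, baseline_file):
    """Write the baseline as JSON; keep this copy off the web server."""
    with open(baseline_file, "w") as handle:
        json.dump(snap, handle, indent=2, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as handle:
        return json.load(handle)


def compare(baseline, current):
    """Added/removed files plus the modified set by content hash and by mtime alone."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified_by_hash": sorted(
            f for f in common if baseline[f]["sha256"] != current[f]["sha256"]),
        "modified_by_mtime": sorted(
            f for f in common if baseline[f]["mtime_ns"] != current[f]["mtime_ns"]),
    }


def demo():
    """Constructed scenario: one file changed with its timestamp restored, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "foo" / "foo.php"
        theme = root / "wp-content" / "themes" / "style.css"
        plugin.parent.mkdir(parents=True)
        theme.parent.mkdir(parents=True)
        plugin.write_text("<?php // plugin v1\n")
        theme.write_text("body {}\n")
        baseline = snapshot(root)

        before = plugin.stat()
        plugin.write_text("<?php // plugin v1\n// an unexpected extra line\n")
        # Put the original timestamp back, as someone covering their tracks would.
        os.utime(plugin, ns=(before.st_atime_ns, before.st_mtime_ns))
        (plugin.parent / "extra.php").write_text("<?php\n")
        theme.unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run snapshot() once after a known-good deploy, store the JSON somewhere the web server cannot write, and compare() on a schedule; anything in modified_by_hash that does not correspond to an update you made deserves a look.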

A proper incident response plan includes:

  • Selecting an incident response team or person
  • Reporting of incident to review findings
  • Mitigating the event

The incident response process, as defined by NIST, is broken down into four broad phases:

  • Preparation & planning
  • Detection & analysis
  • Containment, eradication & recovery
  • Post incident activities

You can base all further actions on the following tips:

  • Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
  • Update directory and file permissions to ensure the read/write access is properly set.
  • Update or remove outdated software/themes/plugins.
  • Reset your passwords immediately with a strong password policy.
  • Activate 2FA/MFA wherever possible to add an extra layer of authentication.

TODO list:

  1. Update everything
  2. Have strong passwords – I use lastpass.
  3. Use a password cracker (eg. John the Ripper)
  4. Limit user access
  5. File permissions
  6. Have backups
  7. Audit server configuration files
  8. Use SSL everywhere
  9. Install scanning and monitoring tools
  10. Ensure PCs are secure
  11. Have a WAF
  12. Monitor search engine blacklists (esp. Google)

The best practices for you to have a strong password are:

  • Use a password manager,
  • Do not reuse your passwords: Every single password you have should be unique.
  • Have long passwords: Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
  • Use random passwords: Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it is not strong enough. Even using character replacement (e.g. replacing the letter O with the number 0) is not enough. There are several helpful password managers out there, such as LastPass (online) and KeePass 2 (offline). These tools store all your passwords in an encrypted format and can generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorising weaker ones or jotting them down.

The principle of least privilege aims to accomplish two things:

  • Using the minimal set of privileges on a system in order to perform an action
  • Granting those privileges only for the time the action is necessary

Here are the things to look for when deciding which extensions to use:

  • When the extension was last updated: If the last update was more than a year ago, it’s possible the author has stopped working on it. Use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if security issues are discovered. Furthermore, if an extension is not supported by the author, then it may stop working if core updates cause conflicts.
  • The age of the extension and the number of installs: An extension developed by an established author that has numerous installs is more trustworthy than one with a small number of installs released by a first-time developer. Not only do experienced developers have a better idea about best security practices, but they are also far less likely to damage their reputation by inserting malicious code into their extension.
  • Legitimate and trusted sources: Download your plugins, extensions, and themes from legitimate sources. Watch out for free versions that might be pirated and infected with malware. There are some extensions whose only objective is to infect as many websites as possible with malware.

A good backup solution should fulfil the following requirements:

  • First, they have to be off site. If your backups are stored in your website’s server, they are as vulnerable to attacks as anything else in there. You should keep your backups off-site because you want your stored data to be protected from hackers and hardware failure. Storing backups on your web server is also a major security risk. These backups invariably contain unpatched versions of your CMS and extensions, giving hackers easy access to your server.
  • Second, your backups should be automatic. You do so many things every day that having to remember to backup your website might be unthinkable. Use a backup solution that can be scheduled to meet your website needs.
  • To finish, have reliable recovery. This means having backups of your backups and testing them to make sure they actually work. You will want multiple backups for redundancy. By doing this, you can recover files from a point before the hack occurred.

Here are a few best practices to add for a particular web server:

  • Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. Use -Indexes in Apache.
  • Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
  • Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text. Other locations, like admin areas, can be locked down. You can also restrict PHP execution in directories that hold images or allow uploads.

Here are some free website security tools:

  • SiteCheck – Free website security check and malware scanner
  • Sucuri Load Time Tester – Check and compare website speed
  • Sucuri WordPress Security Plugin – Auditing, malware scanner, and security hardening for WordPress websites
  • Google Search Console – Security notifications and tools to measure websites search traffic and performance
  • Bing Webmaster Tools – Search engine diagnostics and security reports
  • Yandex Webmaster – Web search and security violation notifications
  • Unmaskparasites – Check pages for hidden illicit content
  • Best website security software – Comparison of paid website security services
  • Best WAF – Comparison of the best cloud-based web application firewalls
  • Netsparker – (Free community edition and trial version available). Good for testing SQL injection and XSS
  • OpenVAS – Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before it became a closed-source commercial product.
  • SecurityHeaders.io – (free online check). A tool to quickly report which security headers (such as CSP and HSTS) a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework – A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.

Interview questions for your new employer

Hacking

Following on from my previous post about how to avoid major development speedbumps, here’s a list of interview questions to ask when they think they’re interviewing you and you’re actually interviewing them. You want your employer to help you do your job, right?

  1. Are you using GitHub or similar? I’ve used Gitlab most recently, and I especially like Docker in Docker. Within that, how close to GitFlow are you? Having experienced an awful version control system, this is key. GitHub is really flexible and gives you enough rope to hang yourself in the foot. A fun thing is commenting commits correctly.
  2. What’s your branching strategy? How long do you expect a branch to live? Branch lifetime should be of the order of a day. Any longer than that, have a quiet word with your SCRUM master.
  3. How automated are your deployments? Do you create .rpms/.debs? Packages make deployments and rollbacks so much easier. Add YYYYMMddhhmmss to the name so you can keep track of them, or a build number so you can identify them.
  4. Which CI system do you use? If not Jenkins, GitHub or Gitlab, why not?
  5. Test automation is great. It builds, runs tests and creates modules. And anything else that makes your life easier. It’s also the ultimate in QA. If you have good test coverage and your tests pass, you’re good to go. It’s part of CI, right? Do you measure test coverage?
  6. CI is also a good time to run code hygiene tests like pylint or perlcritic even if you have them on your commit hook. OWASP recommend some code security scanners and Snyk seems quite plausible.
  7. How is your test data managed? Do you create a temporary database and populate it or do you have one database and run your tests within a transaction?
  8. Security? How close to the developers is this managed? Separate security departments are often understaffed. Do you keep an eye on the OWASP top ten? Are you religious about escaping strings when composing SQL queries?
  9. How close to continuous delivery are you? How long do rollbacks take? Do you use something like Ansible or puppet to manage your systems? Bonus points for terraform or docker. How fungible are your live servers?
  10. How loosely coupled is your architecture or is it a big ball of mud? This is another thing that burned me recently. With mod_perl potentially going away in some form, parts of the system should have been moved to a new framework.
  11. What other tools do you have and who chose them? Are you running popular systems for monitoring or code review or some open-source system that might wither on the vine?
  12. Are you agile? Do you do SCRUM or KANBAN? Do you have a SCRUM master and a product owner? So many teams think they are agile when they’re merely doing some agile type things sandwiched in a blob of waterfall.
  13. Who authorises changes? Do the developers do it or do you have a separate approvals board? It’s so much better to have decisions made at the lowest level by team members than to be farmed out to some remote change approvers.
  14. What system monitoring do you have? What is your average time to fix?
  15. What is your ticketing system, and why isn’t it JIRA, GitHub or Gitlab? Does your SCRUM master visualise progress and use all the tools to measure the team’s performance? Does your SCRUM master measure project velocity?
  16. Has management bought into the k8s kool-aid? Are you using kompose and rancher to help manage it?
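Questions 7 and 8 above are the two that a candidate can answer with a tiny piece of code, so here is one, added to this post rather than taken from it: a test fixture that seeds a throwaway database and runs each test inside a transaction that is always rolled back, plus the string-composed query and its parameterised replacement side by side. It uses Python’s sqlite3 on an in-memory database (the Perl DBI equivalent is the same `?` placeholder passed to `execute`); the table, the seed rows and the probe string are constructed for the example.

```python
"""Throwaway test database, transaction-per-test, and parameterised SQL.

Added example, not code from the post. Everything here (the users table,
the seed rows, the probe string) is constructed for illustration.
"""
import sqlite3
from typing import Any, Callable

SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT NOT NULL
);
"""

# Constructed seed data for the temporary database.
SEED = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create and populate a fresh in-memory database (question 7, option one)."""
    # isolation_level=None puts sqlite3 in autocommit mode so that we control
    # BEGIN / ROLLBACK explicitly instead of relying on implicit transactions.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED)
    return conn


def run_in_transaction(conn: sqlite3.Connection,
                       test: Callable[[sqlite3.Connection], Any]) -> Any:
    """Run one test inside a transaction that is rolled back afterwards
    (question 7, option two), so tests never leak state into each other."""
    conn.execute("BEGIN")
    try:
        return test(conn)
    finally:
        conn.execute("ROLLBACK")


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern question 8 warns about: SQL composed by string interpolation.
    Whatever is in `name` becomes part of the statement text."""
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a placeholder, so the driver passes `name` as data, not SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo() -> dict:
    """Exercise both questions and return the observations a test would assert on."""
    conn = make_db()

    # The textbook tautology string a test suite feeds to every query to
    # catch string composition. A safe query finds no user of that name.
    probe = "x' OR '1'='1"
    unsafe_rows = run_in_transaction(conn, lambda c: find_user_unsafe(c, probe))
    safe_rows = run_in_transaction(conn, lambda c: find_user_safe(c, probe))

    # A test that writes to the database: visible inside its transaction,
    # gone once the fixture rolls back.
    def insert_then_count(c: sqlite3.Connection) -> int:
        c.execute("INSERT INTO users VALUES (?, ?, ?)",
                  (3, "carol", "carol@example.invalid"))
        return row_count(c)

    rows_inside_test = run_in_transaction(conn, insert_then_count)
    rows_after_test = row_count(conn)

    return {
        "unsafe_rows": len(unsafe_rows),       # 2: the whole table leaked
        "safe_rows": len(safe_rows),           # 0: no such name
        "rows_inside_test": rows_inside_test,  # 3
        "rows_after_test": rows_after_test,    # 2: rollback undid the insert
    }


if __name__ == "__main__":
    print(demo())
```

The rollback fixture is cheap enough to wrap every test, and it answers both halves of question 7 at once: the database is temporary and each test still gets a clean slate. For question 8, the honest answer is that nobody should be escaping strings by hand at all; the placeholder does it in the driver, and a probe like the one above belongs in the test suite so that a regression to string composition fails CI.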

So there you have it. How to extend an interview beyond the allotted time.

Did I miss anything? Comments, as always, welcome.

Efficient programming

Coming out of a job where I was working on a 20-year old Perl codebase, I’ve got some burns to get off my chest. I’m reading “Accelerate” by Forsgren, Humble and Kim which claims to have scientific backing for what makes for efficient development in a team. In my recent experience:

  1. Use decent version control. To me, that means GitHub. Use a branching strategy to code each branch to a JIRA. Make the branches short-lived, preferably a day. GitHub is stateless. Diffs are resolved at merge-time when pull requests are made. Under NO circumstances use something like Perforce. That is like putting a large speed bump under a low slung car. It’s stateful. Mapping a repo into your filesystem is a pain. Rewinding commits is a royal pain. Ugh.
  2. Release often, releases should be easy. A marker of a high performing team is how frequently they release software. A release should not be confined to one person on the team and take half a day.
  3. Great balls of mud are hopeless. We’ve been writing new software as microservices for a while now, and more recently bundling them up in Docker containers (and if you’re really advanced then using Kubernetes). In the Perl world that means using a framework such as Mojolicious, Catalyst or Dancer with excellent modules like the Template Toolkit for the view and DBIx::Class for the model, rather than v1 of a view library that has barely been touched for years while v2 exists. It’s also highly bound to Apache and hard to use elsewhere.
  4. Support for mod_perl in Apache 2.x is ongoing. It has already been abandoned in Apache 1.x, so I would note that the software is doomed at some point.
  5. Be very careful layering software upon software, or using features that make things opaque. Oh, and having magic variables and not documenting them. For example, you have Puppet. That’s great. Why not layer Hiera on top and render most of the Puppet documentation useless? Or use a templating system that magically calls in a hierarchy of other templates. Oh, and where does that database handle come from? Somewhere in the bowels of that page startup. Not sure which module.

In summary, I’d say be aware of the speed bumps. How can you improve them?

Ron Weasley’s worst Australian spider nightmare

spiders

Macksville resident Melanie Williams was also shocked by a swarm of spiders climbing the outer wall of her home as they fled for higher ground. “I occasionally see spiders around the place but never anything like that, it was just insane,” she told the ABC.

The spiders outside her home were “horrific” but her neighbour told her there were twice as many inside his garage, she told Guardian Australia.

https://www.theguardian.com/environment/2021/mar/22/horrific-swarms-of-spiders-flee-into-homes-and-up-legs-to-escape-nsw-floods

Poor Ronald.