This is what "Chemo Day" is for me

This is what "Chemo Day" is for me. I am on a three week chemo cycle. I have chemo one day in week one and one day in week two. The third week I have off to let my body recover some.

* Show up god awful early. (Note: my work schedule in the IT field has always had me working late, nights, overnights, etc., but never early AMs.)

* A nurse accesses the chemo port in my chest. I had to have surgery back in December to place a Power Port in my chest that provides direct access to the vein leading into my heart. This allows the chemo drugs to be pumped in faster, as well as saving my arm from having track marks. (https://www.verywellhealth.com/chemotherapy-port-definition-2249312)

* The nurse draws blood from the port for lab work. If my results are not good I will not get chemo. So far I have passed all my blood tests.

* Then I wait to get placed in the infusion center.

* Once in, they start with an anti-nausea IV and they start a 1 liter bag of fluids to make sure I am hydrated. Half of the bag has to be completed and I have to pee to prove I am hydrated before they can start the chemo.

* After the lab results come in showing my blood work is good, they can start the first bag of chemo. This infusion takes an hour to complete. The chemo drug is Cisplatin. (https://en.wikipedia.org/wiki/Cisplatin)

* After the first bag of chemo is done, they start a second bag of a different chemo med. This one takes thirty minutes to complete. This chemo drug is Gemcitabine. (http://chemocare.com/chemotherapy/drug-info/gemcitabine.aspx)

Now I am done. Total time is 3 to 4 hours.

A short time later I start falling asleep as if I had not slept for days. This is the fatigue from the chemo. It leaves me dead tired. I've tried to work after having chemo only to fall asleep at my desk. Thankfully I don't really have any other side effects. The fatigue slowly gets better but stays with me continuously. No matter how much I sleep I feel fatigued. It never goes away.

Because cholangiocarcinoma isn't "curable" (mainly because it has no symptoms until it reaches stage 4 like mine did), the best the doctors hope for is to control the cancer or to slow/stop its progression. In some cases the tumors shrink, like mine are. But it never goes away. So this is my routine for the rest of my life. Or at least as long as the chemo keeps working. Whichever happens first. So far it's working in that it's shrinking the tumors. Fighting this is tiring, it leaves me feeling wiped out, but I'm not dead. Yet.

Diagnosis cancer: Treatment

I want to thank everyone for all the support, prayers, thoughts that so many have been sending me. This really helps with my spirits. For a while I had zero hope. My hope is elevated some. I'm still alive 5 months into this and I feel fine. The chemo is being kind to me. I don't have any nausea, I have some fatigue, and I'm slowly losing my hair.

Back in January I went to the Mayo Clinic for a second opinion. They did an MRI on my chest and abdomen in order to get a better look at the tumors and see how many there were. The hope was to see that there wasn't much spread in the cancer and that I would be a viable candidate for surgery to remove the tumors. Instead what they found was that the cancer has already spread to my liver. There are many large tumors throughout my entire liver. This removes all options for surgery including the possibility of a liver transplant. It seems like every time I go in for an exam the news gets worse. The only option for me at this point is chemotherapy. I've been doing chemo since the middle of January.


Diagnosis Cancer: Second Opinion

First of all I want to thank everyone for all the support, prayers, thoughts that so many have been sending me. This really helps with my spirits. For a while I had zero hope. Next, I am in the process of getting a second opinion. It takes several visits, new sets of tests, scans, and meeting with multiple doctors. So it is a process and takes time.

I live in Minnesota and I'm just over an hour away from the Mayo Clinic. I was able to get a referral to the Mayo where their oncology department has doctors and surgeons that specialize in this exact form of cancer. So far the oncologist that I've seen knows nothing about this form of cancer. The surgeon I saw does specialize in this cancer, but the doctor at the Mayo wasn't impressed. More on that in a bit. This past week I was seen at the Mayo and got newer information. I was there for the whole day and I spent hours in their cancer research center where I was able to read medical journal articles that I cannot get online without expensive subscriptions. The staff made copies of these articles for me to take home. They really are awesome here and I found some wonderful information.

The oncologist I saw at the Mayo is the head of the department and specializes in this form of cancer. He was not impressed with the previous diagnosis and thinks that this is treatable with both chemo and surgery. That's right, he thinks this might be operable and he has already set me up to see their surgeon. He also scheduled an MRI because the CT and PET scans are not clear and he cannot tell from them the exact details of this tumor. The Mayo also has a different chemo formula that they have found to be effective on this type of cancer. I was not getting this option from the first oncologist that I saw. This chemo mix is known to actually shrink the cancer tumor. I was told before that this was not possible. I was also told that even if the tumor did shrink that surgery was not an option. The oncologist at the Mayo said that was wrong too. He's expecting the cancer tumor to shrink and make surgery easier to do.

What this means is there is now a sliver of hope where I had none before. I'm still halfway through the process of getting my second opinion. But I already have one viable chemo treatment option that I will be starting ASAP. This is critical to start. I already have a chemo port installed in my chest. Google it if you don't know what that is.

As they say in Monty Python "I'm not dead yet!"

Diagnosis Cancer

Cholangiocarcinoma, also known as bile duct cancer, is a type of cancer that forms in the bile ducts. Symptoms of cholangiocarcinoma may include abdominal pain, yellowish skin, weight loss, generalized itching, and fever. Light colored stool or dark urine may also occur.

That's the diagnosis I've been given. I have stage 4 bile duct cancer. The first I knew something was wrong was a week before Thanksgiving when my urine turned dark brown, my stool was ghost white, and a few days later my eyes and skin started turning yellow. I'm figuring gallstones at this point. I spent the weekend of the 23rd through the 26th in the hospital having tests done including a CT scan and an ERCP in which they did a biopsy and placed a stent to open my blocked bile duct. On December 5th they did an endoscopic ultrasound to further diagnose the cancer and to check a nearby lymph node for cancer. The biopsy tests show that the cancer has spread into that one lymph node. Today the oncologist said that with or without treatment I will most likely die in 12 to 16 months or sooner. Well fuck. This sucks.

So Long, and Thanks for All the Fish

UPDATE: 12/16/19 Today after another CT scan and meeting with one of the best surgeons that specializes in this exact type of cancer, I found out it's actually stage 4 not stage 2 and it's non-operable.

Adobe Coldfusion Vulnerability - CVE-2019-7838, CVE-2019-7839, CVE-2019-7840/ APSB19-27

DataBank has issued a Security Bulletin to all of their ColdFusion clients about the recent Adobe ColdFusion Vulnerability. DataBank has partnered with CF Webtools to do the patching for all of their ColdFusion clients' servers.

CF Webtools is a full service ColdFusion consulting company providing high quality development services and specializing in the ColdFusion stack. If it has to do with ColdFusion we will be able to help!

Both CF Webtools and DataBank are highly engaged in helping their customers maintain secure environments. Patching and regular maintenance are part of that process. If you haven't yet patched your server – whether you host with a high quality provider like DataBank or host it yourself – give us a call at (402) 408-3733 and we will take the worry out of ColdFusion security.

ColdFusion and Java 8 and Java 11 Updates

As many of you are aware, Oracle has changed their licensing for Java 1.8 and is making it pay-to-play for all commercial purposes. Here's a link to the licensing announcement. I'm not a lawyer and I'm not going to pretend that I understand these licensing agreements. But Oracle and Adobe (or their lawyers I presume) do understand these and as such there are changes to note. On January 24th Adobe announced that Adobe will maintain support, via a Long-Term Support Agreement with Oracle, for Java 8 and Java 11. Thank you Adobe!

I have questions as I'm sure everyone else does. I've been asking representatives at Adobe these questions.

What does this mean for us?
ColdFusion Server runs on Java from Oracle, and as such the new Oracle license affects all of our ColdFusion servers. To this point Adobe has secured licensing from Oracle that allows all ColdFusion Server owners to continue running Java. It is very important to note that you now need to download Java from Adobe and NOT Oracle. Get your Adobe Licensed Oracle Java downloads HERE!

Is the Java version from Adobe different than the same version from Oracle?
Great question, and I asked Adobe about this. Here is the answer: "Wil, installers are same but license attached to them are different and this is for both Java 8 and 11".

What about my existing ColdFusion Servers?
Another great question! There are tens of thousands (or more) ColdFusion servers running and the vast majority of them are running on Java from Oracle. I know that the CF Webtools Operations Group maintains a very large number of servers for a large number of clients. Over time we have been upgrading the Java version on the servers to keep up with the security updates from Oracle. This means that most if not all of these servers are on Oracle Java from Oracle and not from Adobe. What do we have to do to remain compliant? I really hope we do not have to visit all of these servers and replace the Java with the one from Adobe simply because there is a different license agreement attached. I have submitted this question to Adobe and I'm anxiously awaiting the answer. What I do know is that all servers that we need to update are going to get the Adobe Licensed version of Oracle Java to stay safe.

I received an answer today from Adobe on this.

"Wil, to answer your question, if the JDK/JRE were downloaded before Oracle came up with Licensing change, it should not be an issue. Otherwise we recommend using the Adobe provided download as soon as possible, although we don't see a deadline around this."
This means that all the servers that I have recently updated will need to be re-updated with the Java from Adobe that has a different license agreement.

What about my New ColdFusion Servers?
This question has a simple answer. To install a new ColdFusion Server you need to use the ColdFusion installer from Adobe which comes with an Adobe licensed version of Oracle Java. If you want to use a newer version of Oracle Java then you need to download the Adobe Licensed version of Oracle Java from Adobe. Download Here!

Do I have to use Oracle Java?
Awesome question and the answer is yes, no, maybe. There is OpenJDK that may work just fine to run ColdFusion servers. There is also a new player in the Java game and that is Amazon. "Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK)." Currently their version 8 is production ready and their version 11 is in the Release Candidate stage. I have run ColdFusion 11 and ColdFusion 2016 on Amazon Corretto 8 and it ran fine for the very limited testing that I did. For now there isn't official support from Adobe for these two Java versions.

As I get more information from Adobe I will provide updates above. I'm sure there will be more questions that people will want answered.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools.

It's Up To Us To Stop Hackers

The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.

It's been a banner year for the hackers.


ColdFusion Bug Introduced In Newest Update

UPDATE: Adobe has released updates for the last update.
  • ColdFusion 11 Update 17 was released that supersedes Update 16.
  • ColdFusion 2016 Update 9 that supersedes Update 8.
Many of us have been testing these new updates, including myself, and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018.

This is a very quick note to alert everyone that there is a critical bug that was introduced with yesterday's updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this: in cfscript, queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

    component output="false"
    {
        public query function getRoles() {
            var userRoles = '';
            var sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
            userRoles = queryExecute(sql);
            return userRoles;
        }
    }

Example two is a cfscript block in a CFML file.

    <cfscript>
    userRoles = '';
    sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
    userRoles = queryExecute(sql);

    writeDump(userRoles);
    </cfscript>

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.


New ColdFusion 2018 and ColdFusion 2016 Updates and Patches

Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive because its core support end of life is coming up in April of 2019.

Some New Features

  • This update includes adding support for Java 11 to ColdFusion 2018 and ColdFusion 2016. ColdFusion 11 did NOT get this update most likely due to ColdFusion 11 nearing end of life.
  • ColdFusion 2018: Server Auto-lockdown includes a new installer for Mac OS.
  • ColdFusion 2018 and ColdFusion 2016: Updated the following OEMs:
    1. Jetty 9.4.12
    2. ExtJS 6.6
    3. JPedal 8.4.31
  • ColdFusion 2018 and ColdFusion 2016: You can use cfloop as script for arrays, lists, structs, or queries.
  • ColdFusion 2018: New platform support matrix for the following:

Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.


Using CDN for Entire Website and Country Blocking - Part 3

This is Part 3 in a short series of articles about blocking entire countries from a website. Parts one and two cover CloudFlare and CloudFront.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In my previous two articles I wrote about using CloudFlare and AWS CloudFront. In this article I'm writing about using a slightly better hammer in the Whack-A-Mole method to block entire countries. This is one of the simplest but also least effective methods.

The option many of us have traditionally used is blocking problematic IPs on a case-by-case basis and in extreme cases blocking entire IP ranges. I've often referred to this as the Whack-A-Mole method. It's reactive and not proactive. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user. Normally I do not block an IP because bad stuff happened from that IP once. However, I have noticed the same IP or IP ranges launching attacks on multiple unrelated servers, hosted at different locations and belonging to different clients. That's when I start pounding the IP with the ol' Ban Hammer! Also, blocking an entire country with this method would mean being able to know all the possible IP addresses or address blocks assigned to a particular country. This is knowable!

I did some research on this and found a few very helpful resources. Resources like this http://ipdeny.com/ipblocks/ and this https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/. These sites keep an updated list of IP addresses assigned to every country in the world. These are made available in the form of individual text files per country. And in the case of the SitePoint page, you can download a pre-scripted config file for many versions of web servers and firewalls. Hammer Time!

In the case of the country our client wants to block there are over 130 IP entries. These are in the form of CIDR IP ranges. This is the good news. The harder part here is that means there would have to be 130 plus entries manually added into IIS or a firewall. And this is for a smaller country. Larger countries, including countries that are known for hacking, have many thousands of CIDR IP ranges. But at least I can download the scripts for Apache and IIS from the SitePoint page and paste them into the respective config files.

What are the downsides to this method? First off I do not know if there would be any performance hit to IIS or Apache if we were to start entering thousands of IP restrictions. I do know that AWS restricts Network ACLs to an absolute max of 40 rules in their VPCs due to "performance issues" if more were added. We're still whacking at moles. IP assignments for countries can change, so you would need to update your static list of IP bans in your web server.

This is an example of how Apache 2.4 is configured.

    <RequireAll>
        Require all granted
        Require not ip 5.11.40.0/21
        Require not ip 5.34.160.0/21
        Require not ip 5.43.192.0/19
        Require not ip 5.102.96.0/19
        # .....
        Require not ip 217.78.48.0/20
    </RequireAll>

This is an example of how Apache 2.2 is configured.

    # Apache 2.2: place these directives in .htaccess or inside a <Directory> block.
    # (<RequireAll> is an Apache 2.4 container and is not valid in 2.2.)
    Order Allow,Deny
    Allow from all
    Deny from 5.11.40.0/21
    Deny from 5.34.160.0/21
    Deny from 5.43.192.0/19
    Deny from 5.102.96.0/19
    # .....
    Deny from 217.78.48.0/20

This is an example of how the IIS XML web.config is configured. The CIDR notation needs to be converted to IP and network mask format.

    <?xml version="1.0"?>
    <configuration>
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="true">
            <clear/>
            <add ipAddress="5.11.40.0" subnetMask="255.255.248.0"/>
            <add ipAddress="5.34.160.0" subnetMask="255.255.248.0"/>
            <add ipAddress="5.43.192.0" subnetMask="255.255.224.0"/>
            <add ipAddress="5.102.96.0" subnetMask="255.255.224.0"/>
            <!-- ..... -->
            <add ipAddress="217.78.48.0" subnetMask="255.255.240.0"/>
          </ipSecurity>
        </security>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>
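The CIDR-to-netmask conversion and the hand entry of 130-plus rules can be scripted. The following is an added example, not code from the original post or from the sites it links to: it reads a one-CIDR-per-line country list, merges duplicate and adjacent ranges to keep the rule count down, and emits the Apache 2.4 and IIS forms shown above. The function names and the sample lines marked as constructed are assumptions made for the illustration.

```python
"""Turn a per-country CIDR list into Apache 2.4 and IIS deny rules."""
import ipaddress

# The first four ranges are the ones shown in the article; the rest are
# constructed to exercise merging, de-duplication and bad input.
SAMPLE_ZONE = """\
5.11.40.0/21
5.34.160.0/21
5.43.192.0/19
5.102.96.0/19
# constructed: two adjacent halves, a duplicate, and a malformed entry
198.51.100.0/25
198.51.100.128/25
5.11.40.0/21
not-a-cidr
"""

def parse_zone(text):
    """Return (collapsed_networks, rejected_lines) from a CIDR list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            # strict=True refuses entries with host bits set (5.11.40.1/21),
            # which usually indicate a corrupted or hand-edited list.
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append(raw)
    # collapse_addresses() removes duplicates and merges adjacent or nested
    # ranges, so fewer rules end up in the web server configuration.
    return list(ipaddress.collapse_addresses(nets)), rejected

def apache24(nets):
    """Render the <RequireAll> block used by Apache 2.4."""
    body = [f"    Require not ip {n}" for n in nets]
    return "\n".join(["<RequireAll>", "    Require all granted", *body,
                      "</RequireAll>"])

def iis_ipsecurity(nets):
    """Render the <ipSecurity> element; IIS wants address plus subnet mask."""
    body = [f'  <add ipAddress="{n.network_address}" '
            f'subnetMask="{n.netmask}" allowed="false"/>' for n in nets]
    return "\n".join(['<ipSecurity allowUnlisted="true">', "  <clear/>",
                      *body, "</ipSecurity>"])

def is_blocked(ip, nets):
    """Check a client address against the list before deploying it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    networks, bad = parse_zone(SAMPLE_ZONE)
    print(apache24(networks))
    print(iis_ipsecurity(networks))
    print("rejected lines:", bad)
```

Running `is_blocked()` with your own office or monitoring addresses before pushing a new list is a cheap way to catch a range that would lock out legitimate traffic.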

In conclusion, each option (CloudFlare, CloudFront, and IP banning) has its benefits and costs. CloudFront was the easiest of the three to set up, and if the downsides of the IP address masking aren't an issue then it is likely the most viable solution. The AWS CloudFront solution may be best if you are already on AWS and you have an understanding of AWS Solutions Architecting. Both CDN options have country restrictions (and rate limiting) that will help in preventing potential credit card scammers from misusing your shopping carts. IP banning is simplistic and has no additional dollar costs, but it may be a performance hit to your web server if you have a very large number of IP restrictions. You may also have to update the IP lists if IP assignments to a country change. It's also worth noting that all methods can be bypassed via proxies.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
