033 The Impact Of Unexpected Load and How To Counter It with Charlie Arehart- Transcript

You can listen to the podcast and read the shownotes here

Michael:          Welcome back to the show. I'm here with Charlie Arehart and he's a veteran ColdFusion troubleshooter. He has been doing I.T. stuff for so long. We don't even want to talk about that until the second half of the show when we will talk about how long we've been doing things and the benefits of that.

But first of all, we're going to talk about unexpected load and how you can counter it and how they may be spiders or other things you didn't even know about. In fact, could you even get to expecting unexpected load? So, lots of crazy stuff there. Charlie’s going to be talking about that at cf.Objective which is coming up soon. So, we'll talk a little bit about that.

So welcome back to the show Charlie.

Charlie:            Thank you for having me Michael. Good to see you.

Michael:          Yeah, yeah good to see you too coming to us from beautiful downtown Kentucky.

Charlie:            Not downtown, beautiful rural out.

Michael:          rural?

Charlie:            Yes, you're out in the sticks. You escape from the sick city town that's got fifteen hundred people in it.

Michael:          Goodness me!

Charlie:            That was from a city that's got you know, fifty thousand people in it. I love it.

Michael:          You’re quite a way away from dizziness.

Charlie:            And it’s beautiful here.

Michael:          You know your land used to have…

Charlie:            Right the land and then D.C. grown up in D.C.

Michael:          yeah

Charlie:            Forty's and then moving to Atlanta from my forties and now here and working from here. And that's why we came here because with the work that I do, it's all remote. I can connect to people and log you know, as long as I got a decent internet connection. I can work from here and I'm looking out at the beautiful vista of trees and sometimes turkeys and deer and all kinds of fun stuff.

Michael:          That’s amazing, it's incredible what technology has allowed people to do and I’m sure some of the listeners are working with remote as well.

Charlie:            And we can 01:50 [crosstalk] You, I mean you're in Peru and so your days you can work from pretty much anywhere. Obviously, people work for companies where they won't let them. But if you know…

Michael:          Oh! I think that's going. I think that trend is going away even though I.B.M. tried to get all their remote workers to come back to the office. Though all the good ones I think left.

Charlie:            But for those that do work independently and feel like they can work it's just wonderful because it frees you up to consider going to places that you might have always thought nice to live elsewhere and you don't have to you know, put up with the rat race.

I just had for the first time in two years. I've actually got a picture on my phone of my first traffic jam. It was like six hours in front of me and six car traffic jam was there because there was like somebody doing construction on the road and that was the first time in two years I've been stopped on these roads here.

Michael:          Wow!

Charlie:            Usually, a traffic jam is a couple cars at a stop sign and you're waiting for a tractor to pass that's life in the country, it’s wonderful.

Michael:          Well speaking of traffic jams, if your server is having an unexpected load situation and it's kind of jammed up and running slow, that could really cool some problems I imagine.

Charlie:            Yes sir, and so the title the talk was are spiders eating your server. And when I say spiders, I don't just mean generically what people or I don't mean specifically what people think of as spiders as search engines spiders for instance. But just generally, there's all kinds of stuff that sends automated traffic. And the point is again that it's often unexpected because of all of that traffic.

I mean it could be search engine spiders from Google and being in Yahoo and by doing China and Yandex and Russia. But it could also be your load balancer. People don't often think about this but they'll have their load balancer, if they have one; sending requests to their server every let's say five seconds.

Well, we'll talk later about what the impact of that is because what page you call might be doing a lot more work than you think it's doing. But let's just go even further and say even if you think you've just got your load balancer checking your server every five seconds. I often go digging in and find out well they're doing a call to H.T.T.P. and a call to H.T.T.P.S. So that's really two every five seconds and then they'll actually be sending it to this domain and that domain.

Let's just say you had two domains on your server where the load balancer doesn't really know that those two domains are served let's say by cold fusion or Lucy or whatever you might be using. Again, this is not even unique to see if 04:25 [Melaka] be P.H.P. I thought it doesn't matter.

But the point is the load balancer it doesn't know so, it might be sending four requests every five seconds. And you know, you maybe aren't even involved in setting that up somebody else is and they don't know that what is being called is your single C.F. or whatever applications you're running. And yeah, it's not unusual to find just load bouncers alone causing potentially dozens of requests every ten days.

Michael:          Wow!

Charlie:            Yeah you know, I guess that men are spiders and bots and or spiders of all kinds. And then, there's knuckle heads sending in requests trying to break into your server all the time.

Michael:          And all these being more of that happening these years.

Charlie:            Sorry, say that again.

Michael:          Seems to be more of that happening this year the knuckleheads generally don't try to break in.

Sure because they're finding out that you know, there's also automated tools that make it so easy. I mean I just saw something the other day about a new tool that have been discovered and it's being sold on the black market for about five hundred dollars. And it is apparently very, very, very good at quickly and easily automating the process of digging in and finding out servers that are exposed and easily broken into. And then, also rating them and ranking them in terms of their value. The bad guys can decide which ones do they want to go after.

So yeah, we're just going to be hit by more and more of this stuff and that's you know, this isn't a discussion on security and protecting against vulnerabilities, that's its own topic. But the point is that those bad guys or script kiddies as people refer to it are just. Generally people try and stuff but sometimes really bad guys are all trying and trying and trying to get in. And when you look at your web server logs or if you have a tool like fusion reactor and you can see it logging every request, you'll be stunned to see the rate of requests coming in that you might have presumed were legitimate traffic.

And that's the thing that I want people to stop and realize is that sometimes, they're judging their traffic by let's say certain means that they think… Let's say it's log ins or let's say it's purchases or let's say it's Google analytics and they think they're getting… Let's just pick a number. I mean everybody's numbers are different. Let's just say it was ten thousand requests an hour. You might get ten thousand a day, somebody might can ten thousand a minute. It doesn't matter the rate. The ratio’s not… the actual value is not important.

But my point is let's just say it was ten thousand an hour and you thought that's what you're serving and you feel good and you've got your server properly. You know, you think adequate lease sized for what you think is ten thousand requests an hour. And you're judging that let's say by Google analytics.

Well, something to be aware of is that Google analytics tracking of your request is only done by the client running the java script that you provide in your page. So first of all, to provide that stuff in a page, Google analytics isn’t going to see that hit.

But second and as important is that some clients are going to execute that Java Script. They just want the result. They're not going to run the result. They're just going to save the result. So, spiders work that search engine spiders. They're not generally interested in running your java script. They just want the H.T.M.L. or whatever it is you send; P.D.F’s, excel sheets whatever and even archive that.

Well my point is they're not going to execute the java script necessarily. No, I'm not going to say that no spiders do as well. I don't want people to take these as firm rules. But I'm saying just stop and think about this stuff is that you might find that. You know my point is that Google analytics may say you've got let's say ten thousand an hour. But let's say a fusion reactor logs are watching. Well and let's say you could break out in that page is there really you know, your quote web pages you know images and C.S.S. and J.S., that sort of stuff.

But you might say that from some analysis you've seen that you've got ten thousand is it's per hour to your site as judged by something like Google analytics. But if you could look at a tool that actually tracks the every request, you might find out you're getting twenty thousand an hour, fifty thousand an hour. You know again it doesn't today it's fifty thousand a day. But the point is you might get far more traffic than you think because the tools you're using to measure it aren't watching every request.

So that's where there's real value in having tools that do watch every request. Tools like the coffee and server monitor, fusion reactor, C-fusion. Those are all tools that can really show you the true request per second being executed in your engine whether it's cold fusion or loose 08:59 [inaudible] low, blue dragon; different tools support different engines. But the point is we find traffic you might be surprised that the rate is much higher than you thought.

Michael:          It's like there’s a hierarchy of several 09:12 [inaudible] It’s the well-formed request from actual uses and then you've got you know, possibly well-formed requests from obedient spiders and then you've got somewhat more naughty spiders who just come in and get what they can.

And then, you have hackers through may not even be sending a complete H.T.T.P. request. You know, some of these do not a service things. They deliberately send malformed requests.

Charlie:            Sure and that's where you see this can become a big subject and more than we’ll possibly be able to cover in the time we have here. But and really more than I can cover adequately in the hour of the presentation. But I'll touch on these things so that people give them thought and pursue them on their own because yeah, I'm mean even if we take out the malformed request and just talk about what looks legitimate.

My point is that you could get requests that look totally legitimate and they might even show what's called a user agent. You know some of you know that browsers identified to the server a header called the user agent and that user agent header typically says what kind of browser it is. And spiders and bots that are good spiders and bots tend to present a user agent that is who they are. So, Google has Google bot and being says being and Yahoo says slurp and there's a bunch of other user agents.

But there are some bad guys that will lie about their user agents. They look legitimate, they look like a regular browser and they look like a regular well-formed request. But maybe if you feel look closely, you'll find out holy smokes, we're getting let's say in one minute span five hundred requests to our products page and it's getting product idea after product idea after product idea. And that's not a real person, right. I mean maybe not five hundred in a minute you know and you might find that either they are all from the same IP address.

But let me tell you, these guys are getting so savvy they'll often spoof the IP address. And you might see that it's five hundred requests in a minute from different IP addresses. But if you look, you'll see that the pattern of the U.R.L. is always the same and all it's varying is this product ID will then you know it may not be real people despite that being different IP address. May be a bad guy varying his IP address because it can tell you whatever it wants to tell you and your servers just tracking what it's being told. But you might find there's these weird patterns of traffic and that's people trying to grab your content and whatever. They might sell it, they might use it to build their own site to mimic what your site does. They might use it to develop intelligence against you. So, we'll touch on each of these things in the course of the presentation. But it's amazing when you start to look into this. Either just thinking about it or looking literally of what you're getting you find out that there's a lot more traffic coming to your server.

And you mentioned the legitimate people let's just back up and one of my primary point here is that I work with a lot of people because you mentioned I do troubleshooting that's what I do for a living. I do server troubleshooting primarily focused on C.F. and all servers. And sometimes, I'm helping solve a problem for people whether it's high memory or high C.P.U. or request taking too long or whatever they perceive to be the problem. Sometimes, the root of it we find out there is this tremendous amount of traffic that they didn't expect and they are fighting to keep the server up and running thinking that they're having trouble serving their legitimate… Let's say they think they have you know five hundred users logged on at a time. You know I’m just throwing out random numbers. You might have fifty thousand users log on a time, it's not the point.

Whatever you think is your number of users that you're really serving and I find out the know you're really serving five times that, ten times that and my point is you might be thinking, ‘man our box can't handle this load, cold fusion can't handle this load’. That's not the issue. It's not that either your box or your environment or cold fusion can't handle the load. It's that you didn't realize that there's much more load than you think and so people are often up in through hoops to make their environment quote capable of handling their quote load. They might go to clustered instances, multiple instances, clustered databases. I've seen people jumping through incredible hoops and spending a lot of money to do these things when it turns out they didn't realize that a lot of their traffic was this automated traffic. And they're really not meeting all that stuff for their real people. But the problem is they're real people are a tiny subset of the traffic.

So now, what are we talking or what you do? That's the premise of all this is that there is an impact. So, what do you do about it? And we'll talk in the presentation about more specific things that for instance, let me just throw out. If you're got a load balancer calling your front page. You might think well come on, I just want the load balancer to confirm that cold fusion is up, our website is being served. That's what we've got to do, right. And maybe it is but for instance, if you just want to confirm that C.F. is up no, you don't need to call your front page you could call a test page that just runs a single C.F. mil line of code. And as long as it works, that tells you C.F.’s up.

But somebody will say well, we want to test that our website responds, our application responds. Will just keep in mind that when you call it say your front page or website, it's going to run everything that's on that page and you C.F. developers, you know that what goes on is not just what goes on on your page, but the application C.F.C. or C.F.M. if you use those either in that directory, in a directory above that. Cold fusion finds and 14:34 [inaudible] Lucy, Blue dragon they all find an application C.F.M. or C.F.C.

Well then in that code you might have on session start an application C.S.C. or you might have a set of coding application C.F.M. that says, if not is defined in session some variable.

Michael:          yeah

Charlie:            You some stuff. Well, here's my point. You're these calls from these automated requests, they tend to execute that session startup code on every request.

Michael:          That might be loading a whole bunch of information. You want to cash for the real users but you don't really want to be caching for these ball.

Charlie:            And you’re overwhelming let's say could be caching or let’s look at aquarium and you might in your session start a code, do some query that you think I'll do this query for these people upfront, it good guy on the result and all stored in a session variable.

Well, that's fine for a real person. You'll do it once and they'll reuse that over the course of their next fifty or one hundred or thousand visits over the next hour or whatever it is your session timeout is. But the bad guys, the spiders; when I say bad guys, your load balancer ping. He's not going to send any cookies so, cold fusion is going to think that's a new session. Every request to on page from your load in five seconds.

Every five seconds I remember it may not be just every five seconds. It might be two for H.T.D.P. and a C.B.S. and then it might be four because you serve two domains and they're both on the same server. So it could be full…

Michael:          And you may have some Ajax calls on the page.

Charlie:            And you might but those Ajax calls tend to come from your browser making the request and then the browser tends to send the cookie with those requests. But when you think about the load balancer paying, he doesn't send in cookies.

When bad guys send their crap against your server, they don't tend to send in cookies. If you run a low testing tool, if you don't stop and think about this a lot of low testing tools by default, won't send cookies. And so when you are quote testing your server for its ability to handle your load, you might not realize that because your load testing tools not sending cookies. Every request is creating a new session we've said this. But it's not just the creating the new session, it's what goes on in your session startup code. You might do nothing or you might do lots and that's where people sometimes are being burned. So now, bring this all back to this you know, if ten percent of your traffic is real people and ninety percent is automated stuff of whatever sort, you might have tremendous load doing things that if you reconsider what you did in the app and on startup, session start up, you might not have as much load.

Now, somebody I'm sure along the way here is wondering well wait Charlie you haven't talked about it. Can't you block some requests with robots dot text? And we'll talk about that. Yes, there is a concept of robots text. It's a file. And you could just Google robots dot text and there's a website called robots text.org.

And it's a general concept that all web servers and application servers support where if you put such a file in place. Let's say in your Webroot, you can identify whether you want spiders to go into your site at all or whether they should only go to certain folders or they shouldn't go to certain folders. All that's controllable and you can set it up for different use 17:48 [inaudible] I want to let Google do things but I don't want to let … do things; whatever makes sense for you.

And all that that's better than nothing. You could perhaps dramatically reduce impact by putting such robots text file in place. But it's a bit of a game a whack a mole because you can only [inaudible] Ones that you want to allow in and then they change their user agent or you say what you want to block and you don't realize there's other ones you aren’t thinking of it you want to block. So, it's tough to do that. So now…

Michael:          It's not only the well behaved robots that even pay attention to it.

Charlie:            That's why if you could hear my tone of my voice I was trying to get that right. That’s the second point and everybody needs to understand this is that the bad guys can lie and they'll say they're Firefox. You know and the string that looks like Firefox and your robots text is going to you know, not if it's not it's going to the user agent and it's going to say oh, they're not a spider. Or let me tell you, it's up to the thing making the request to say whether to honor that robot’s text. And the bad guy could just go aren’t you cute, robots text.

I appreciate that you think that will protect you. I'm coming anyway, open the door let me in and it just comes in and sends the requests because bad guys will tend to ignore that. It's just a standard that they are supposed to follow. And legit ones will but you know, bad guys will go yeah, cute nice try.

Michael:          I just want to share a metaphor that you shared into the box conference with me. It's almost like your web server is like a fast food restaurant and you're serving up hamburgers and fries and shakes to real customers but then, they're all these robots who are kind of crowding into your restaurant. And some of them are moderately well behaved robots who read the robots dot techs notice in the front door. But others are just kind of busting in there. And then, you’ve got internal robots coming from inside the restaurant to check if your customer service quality is good every five seconds. Can I get a burger? Can I get a burger? And it's like crowding out the real customer room 19:57 [inaudible] you are. And what you believe to do. Shopping and on shoppers. They want to check out how you're doing on customer service, right. There's all kind of all the things like that the analogies do really map to that and so analyzed it.

And because you're a considerate you know, restaurant owner you decide every time someone comes in the door, you're going to get a burger ready just in case they want to order it because you want to give it to him quick right. So now, all your staff are rushing around getting these buggers ready for these fans some robot customers who never really actually pay and consume.

Charlie:            They may consume but they don't pay exactly or you're doing this work and you don't care about them, right. So, there's all those analogies and so that set the table for the problem and then in the remainder of the presentation, I talk about some possibilities for preventing that. And so, we've got already given a hint at one of them which is you might want to revisit what you do in your session start up code. You might want to end up robots text.

There are also tools out there that address this problem and try to look out for even the illegitimate ones or they look for patterns of traffic that don't look or they keep track heuristically  across many servers that use a service. And they see that there's this common pattern and they just say hey, if we see this pattern, it's been identified as being a bad buy these people, we’ll assume it's bad for you.

So, there are products like that and they're implemented… The ones I'm thinking of right now are implemented as software as a service. So basically, you would you know I mean there's different implementations. Some you implement in your physical environment, some you implement as a hardware device just like a load balancer, fire wall can be on a hardware device. But then, there's these others that for some people it might make sense to consider. You don't change anything in your code, you don't change anything in your web server, you don't change, you don't put a physical device into your environment.

Instead, you just modify your D.N.S. and you route your traffic to go through these services first. Think of as like it's washing the traffic coming in to you before it comes to you. So there are sub-services, woops! I'm not hearing you speak. So either you've got…

Michael:          I muted myself because there's like a process band going down the street. And that’s seeking of unexpected load. It's almost like you… I was saying is if you're using that restaurant analogy, the service is like a bouncer out the front door. Checks whether people are real people or robots or naughty people and decides who to let in before you even get overwhelmed by them.

Charlie:            Yep and it's a bit you know, hard to think about how to stress that analogy to this. You know because we it's the way to think of what I'm just talking about would be like they've got to get on a bus and go through Border Patrol before they come into your restaurant. And it can sound like that. But these things are all done very fast. So, we're not talking about something that would be like that would obviously take minutes or hours.

Michael:          What one of the some of these tools that do this?

Charlie:            And let me just say before I list them specifically that I'll mention this in the presentation. I'll tell you now that I have a page on my site that lists all these things. It's called CF411.com for us old folks that used to remember using 411 as the way you called a phone to get information. But we talk about being old in a moment.

Anyway so, CF411.com is a page I have that I've been keeping for fifteen years. And it's got a couple thousand tools and resources and I break it into categories and one of the categories is security protection tools. And within that category, I break it down at cold fusion code level protection tools and then web server level protection tools and then fire wall level protection tools and then the service level protection tools.

And so, I have this categories of these service tools, software is a service protection tools. And there's several of them: Cloud Flare, Incapsule, Distil networks, Security. So, these are all in that space and there's free versions of them and then there's paid version. Then usually to get the web application firewall capabilities, you need a them.

But they can some of them will help with Niall service for free, they'll watch for that kind of traffic and block it. Some will provide content delivery network capability, caching, static images and stuff like that for free. So, check them out and again go to that CF411. Just do a find on security from the top down and you'll find the section on security tools and they have security testing tools as well; two different sections. But anyway, so that's a possibility to implement such firewalls.

Michael:          Some of these and not just protecting like cloud sphere isn’t that speeding up your site too.

Charlie:            But doing that C.D.N. capability right.

Michael:          yeah

Charlie:            They stop traffic from really coming to your server by serving it up as a C.D.N. Yes, that's an implication of them. But I was going to say is that they also do protect you from many of these tools they try to protect you from what might look like legitimate traffic but it's attempts to break in. So, sequel injection, cross-eyed scripting you know, all those different variations of vulnerabilities these tools are also watching for that and they will try to block that even from what looks to be legitimate people.

But if they're trying to do naughty things, these tools will block those as well. And different tools offer different capabilities at different price points and some are crazy expensive. But hey, some people might have important enough stuff that this is worth them paying; thousand dollars a month. Some of them might be a thousand dollars a month.

You might have important enough stuff, that's worth it to get the protections that these things offer. So, just check them out. That's my point is that I can't help people know what's going to make sense for them unless we work interactively and really think it through. But I'm saying generically everybody ought to look into these tools, be aware of them, be aware of the impact of this unexpected impact and put in place any of the range of tools that either I talk about outside or that I'll highlight in the presentation. And also just come to the presentation and you'll hear a little bit more about each of these.

 

Michael:          I'll add that link into the show notes for this episode so people can find it. I do appreciate you having that CF411 set of resources. It's like Wikipedia of cold fusions.

Charlie:            Directory and again it's an old school thing that people used to do years ago and I started it years ago and it just kept it going. And I just updated all the time. I mean another very popular one as people are often asking me where to find jobs or they want to find people to do work and rather than try to broker individuals I just instead point people to a category. They're on the CF411 about jobs.

So, if you just go to CF411/CFjobs, it takes you right to this category I have of resources for finding C.F. jobs. And what I was going to say is that I know some people would go on yeah, that something you created ten years ago on this thing doesn't work anymore, right. No, I keep up on how does the ones that are very popular, I keep up on them.

And so just last month, I went through every one of the job resources and I identified how recently they had stuff and how many jobs they had that were C.F. jobs. And so, there's about seven or eight different sites there that each total in total there's at least a couple hundred jobs. So don't let anybody tell you that there's no work. And then conversely, if you need help, don't believe that you know, you have to put it out on Monster or cross your fingers or Career Builder because you know, CF people may not be looking there. At CF, people are looking at these other resources and some of them are even Facebook groups where you know you're getting more of a community feel and people will be helping each other out. And so yeah, there's plenty of work and there are people out there looking.

And then you know I had a blog post recently on how if you're looking for people, you can of course find a good developer in any language and generally would not be difficult to get them to be able to quickly be capable at C F M L. I realize some will say, but who's going to want to? Well, some people would be desperate enough to take the time to learn something like that because maybe you can offer them a good pay or you can offer them the work where they want to be were there just burned out on P.H.P. and they want to do something different. And hey, if they can pick it up quickly and easily they'd be willing to try and you might often find that sometimes you get better results from skilled developers that come from another platform because they bring better…

Michael:          Yeah and I know you know, I was talking to the Louis and they have all the dissolutions and they do some of that. They find great develop as you know, the truth is you know if you can program in one or two languages, you can program in a third.

 

Charlie:            And of course people often bring out 29:12 [crosstalk] that we shared. It's always in our interest to be can more than one thing.

Michael:          sure

Charlie:            I mean so we don't want to go down that road. You know, fortunate this isn’t a blog post we're going to have that big set of questions in the chat. These are things that have been discussed over and over. And that leads to good well to our point that we're going to talk about perhaps in conclusion was how you know, what goes around comes around and there's nothing new under the sun.

There are things that folks like Michael and I and several others in the community they're still here that have been here for a long time. This is my twentieth year. I started with C.F. in ninety seven. And we were talking a bit before we got started about how… I know Michael for years has had resources he's put out. I've had resources I've put out and it's lamentable that sometimes folks that are relatively new; whether we’re talking about within a year or even perhaps five years or even ten years.

They sometimes don't think of looking at these old resources that might exist out there that someone like Michael or myself or any number of people for instance in the C.F. community or other technologies too. I see classic old Sequel Server posts from years ago. And these days, most people learn stuff by having a particular problem and googling it and hoping that Google finds them an answer.

And sometimes, you'll find if you look closely hey man, that's an old answer. But Google says well enough people kept picking that they were going to keep sending people to it because it seems to provide the answer. But what I was getting at and talking with Michael was that there are things that sometimes we who can use it for a while presume everybody knows because it was talked about a lot back when we got started.

And now these days, a lot of the stuff isn't talked about anymore and there's a lot of knowledge that is out there. But unless you are looking for it specifically, you don't find it and the bummer is that we often do presume well, doesn't everybody know X? And the truth is no, everybody doesn't know X because they're so focused on solving a particular problem that they're often not leveraging these resources that it used to be we all saw.

And it's all like another example is and one of my… the next interview we’ll do next week is on another talk I’ll be doing on and the title was what's new in C.F. ten, eleven and twenty sixteen that you might have missed. And you know, some people I've even got some comments people saying what's new in ten we talk about, that's from 2012.

Yeah, I get it. It's what's new we can say what is new or what was new. Let's not get caught up in 31:43 [inaudible].The point is there's a lot of people who go let's say from nine to twenty sixteen, nine to eleven, ten to twenty sixteen and to bring it back to what we're talking about now, I find that often people were not paying attention to the discussions that were taking place when a particular version came out.

So let's say one ten came out in 2012. For the half a year before it came out and for the year after it came out, there were lots of discussions about the specific changes, that compatibility issues, new features of ten. But if you were heads down working on nine or eight or seven back then, you weren't paying attention to what was new in ten so, you didn't catch any of that stuff. And maybe you don't upgrade until eleven or twenty sixteen which is now five years later.

Well, you often then I don't know things that were introduced in that new release. And again, I’m not trying to get into the talking I'm going to do separately. But it's just another facet of this thing that we who are around for a long time think well, everybody heard that was a change in ten for instance or change in nine or eight or seven or six.

And no, I sometimes find I'm pointing out things to people that I wrote back in 2001, 2002 and they're just as relevant now because that core capability is only moderately changed. But they're not going to go looking for stuff fifteen years ago. They're not going to go through a blog and try to identify. Let me go back and read stuff from that. I do that, that's how I learned stuff.

Let me tell you, I do learn a lot of great stuff by looking at people's blog posts from years ago because they thought it was important to share then and they don't think it's important to reshare. And so, Michael and I were talking about the value of republishing such old content. You know, updating it of course to make more sense because things do change. But boy, substantial percentage of posts I share from fifteen years ago, I would only need to modify five or ten percent for some of them to be just as relevant today.

So, don't dismiss old content, don't dismiss old people. That's what they were talking about is that were now the old guy. Mike Brown is always the oldest. Sorry Mike, you tend to be the oldest in the crowd. But we …

Michael:          Is he really the oldest C.F.R. out there? I think there are some older ones actually.

Charlie:            Definitely, he is not. I'm sure. But you know, as we all get older maybe they're retiring. But typically, when we go to conferences, Mike seems to be about the oldest guy there. But you and I are catching up with him and what we were talking about is that …

Michael:          Well, I get younger every year, Charlie.

Charlie:            That's right, you mentioned that, that's right and you are getting softer skin looking and…

Michael:          That's right

Charlie:            The good living down in Peru but…

Michael:          yes

Charlie:            And I'm just letting it go and sit white as is that is what it is. But back to the point is that you know, younger folks do often look at older folks and go oh man, you guys are just dinosaurs. You're stuck in your old ways and there is probably some truth to that which is why it's believed. But the other part of it is that…

Michael:          Can’t you teach an old dinosaur a new tricks?

Charlie:            You could and the old dinosaur can teach young folks new tricks. That’s where I was going is that there are things that we learned that we just you know, have always had in our head and we assume that others already know it. But often no, they don't because they didn't learn it over the years like we did or they didn't learn it when it was discussed in vigor.

That's really the point is that things were discussed in vigor at some point and if you weren't paying attention to that discussion, you missed it and kind of took it on board and accepted it's a reality that has to influence what we're doing.

But sometimes, folks who missed out on that they just don't even know and it just stuns me sometimes to find out because I work with several people a day; different customers every day. And a great percentage of them there's a lot of gaps. And it's not just the troubleshooting gaps like that I do. You know, administration stuff, server configuration stuff. Obviously, people that don't do that for a living are going to have those gaps.

But I mean even when we sometimes talk about things that I would regard as pretty fundamental, I'm surprised to find that they just didn't even know some capability existed in C.F. Either in the admin or in. C F M L or in the web server or in the database server. I mean even things like indexes in a database server. They don't they just assume the database server is something that somebody else handles and they don't need to worry about it.

No, they need to worry about it because it's often not being well managed in news somebody's got to tend that garden. It's got weeds in it and there's an interesting guy, I think it's called scary D.B.A. I believe that's the domain name and he's… I believe it's him who is now the president of the pass for professional association of sickle server.

Anyway, they run the Annual Pass conference. But he's now just recently done a series of blog posts on database fundamentals. And you might think oh c'mon, do we really need to read that? May be you don't but some of you really do because you really didn't learn those fundamentals. And so, look for that scary D.B.A. database fundamentals. And I think he's talking about sickle server specifically but there's concepts that apply regardless of the database use.

But I think it's there's probably opportunity for some revisiting some C.F. fundamentals. And I don't just mean how to use C.F. output and C.F. of query. I'm not talking about that but for instance, error handling. There's a lot of people that don't implement error handling or they don't implement it well or mail handling.

People who don't understand how the mail directory and cold fusion works and what the undelivered folder means. How you can put stuff back in the 37:28 [inaudible] and what the pros and cons of that are. And where to find out why things ended up undelivered. Things that you know, some are admin stuff, some are developer specific stuff. There's a lot of things that people just don't seem to know and it's time to revisit some of those.

Michael:          Well and you know, I did an interview with Mary Jo Sminkey on Error handling. And we talked for an hour about all of things the you can do with Error handling that can make your life easier and all the clever tricks. And you know, there’s another one I did with 38:02 [inaudible].

You know from the last association and he was doing custom era handling templates which a lot of people don't even realize your do that at cold fusion. You know, you don't like the way it displays the errors, you can come up with your own stuff.

Charlie:            Or debug templates maybe.

Michael:          Yeah, debug templates. I’m sorry spaced out there.

Charlie:            Sure but it's the same concept absolutely.

Michael:          So, I'll link those episodes in the show notes. The other thing is you know, one of the resources you mention in CF411 is the C.F. slack channel. There's just thousands of C.F. is in there you know, asking questions not strong and helping each other out.

Charlie:            But you know some people really don't like slack because it's like Twitter. It's a river you got to jump into the river and be ready to follow. And if you're standing on the river and the stuff's already gone by you like wait a minute, that conversation down there, how… where did it start? So, it's [crosstalk]

Michael:          That's why I brought it up because there's a lot of good content in there but it does tend to flow by like a river and I just want to put out. You know, this is a question to not just you Charlie, but everyone listening.

What would it take to be able to save the jams come out through the C.F. slack and make them more available? The other problem with the slack channel as you probably know because it's a free channel it gets… The content at the end of the river off; to ten thousand posts or I forget what it is.

There's a point where it just gets trashed by the slack company because you’re not paying for it. You know because it would be costing I don't know I was going to Brad 39:44 [inaudible] the other day and he said… You know I said to him I asked him this question and I said, couldn’t we just pay for it? And he's like going to be like three thousand dollars a month paid slack corporation to have two thousand users have a real slack channel as opposed to a free one.

Charlie:            So yeah, although you know I guess and it may depend on whether it could be classified as just being community versus a company. But…

Michael:          Well, I think it is classified that way and that's why we have it for free

Charlie:            For free for ten thousand but to pay that much for a community that's… But I've never looked into that. But sure, so slack is one, Twitter, of course, is another, Facebook you know there's a Facebook cope using programmers group.

So, I want to throw that out there I'm not a fan of any of them in particular because I just can't keep up with everything. But people should know if you're a Facebook type person, there is a Facebook cold fusion programme I believe. There's also a C.F. job resources. And I've got that listed and I'll just say to kind of cover many things. I have a category of C.F.M.L. resource sites in my C.F.M. resource site. So very much. But yes I do and I list these things.

Michael: Do you list CF411 in there?

Charlie: I do, oh no,  so let's see em for one one in that yes or could do it well no I wouldn't— be recursive again and my mind bending but if somebody goes to see it or want to just look for slack as they see came you'll find the references to it and one of them is going to be where I'm listing other resources like that and the Facebook one is there and others are there and there's still user groups they have milling lists of those that prefer that there's still the Adobe C.F. forums there's still the Adobe cold fusion blog so there's a lot of resources that people ought to at least look at for a period of time and decide whether they are suitable to them not or maybe like everyone but every But now block every one of them and pick which ones make sense for them because some are going to hit you right to new eyes new to love them and are going to you know learn so much and contribute as well you certainly all these you can just lurk and just learn but eventually you'll realize that some people post questions where maybe nobody wants to answer it because it's something that's been spoken. A hundred times but maybe you haven't said it once so you will jump in and offer your answer and maybe it'll be the right answer or maybe somebody will jump in with some clarification and that's sometimes can go wrong because experience people jump on and experience people and tell them that they said something wrong but hey we all gotta start somewhere and sometimes experience people don't want to take the time to answer the fundamental question so it's an ecosystem and everybody's got their you know opportunity to contribute. Isn't there a separate channel for a newbie or in the slack I know you're talking about flex Yes right sounds like this I mean let's also point out that in the Adobe C.S. forums they have separate forums for the Noles and ones on administration and so yeah there they try to in many of these things they try to break it up but for instance the Facebook group it's just one for everybody so everybody in the pool together and some people play well and sandboxes with other kids and some don't we've all seen that over the years that some people just play well in the sandbox.

 

While I'm I'm creating a blog post that's going to list all those Facebook and Linked In and slack groups could not put a link to that in there because I think it's a useful thing and what's needed to get to know people need to know what's available now because some of the old things that were used traditionally you there are no more or they're just not people's cup you know mailing lists of us like mailing list email and some people hey you didn't get the C.F. talk list ever come back from the grave for what I heard it did I don't believe in ever did know was a rumor that it was coming back but it never quite made it back you know I mean you're right and I think you're going to steam where they did it some way that it's not the same because I believe how suffusion is still not responding I guess I check on these things that I list on my website and let's I guess you're looking to get all.

 

Most of us and yeah it's all right server not found so yeah I never did because I thought the C.F. Joe. Sort of came back in a different form so there are multiple Yes there's mailing lists there's.

 

Twitter lists there's on their Facebook lists and so on those are the ones that are in that resource patient I put in the show notes that.

 

For you and you know it just you know in thanking all the be more mature C.F. as to give it a different name you know I just want to thank all the young C.F.O. has to contribute you know I've interviewed.

 

Eric paid to send then he is not an old C.F.O. by any stretch you know but he when he joined the see if he started doing coke fusion he just leapt in and he started posting stuff on forge box and. Sharing stuff you know you don't have to be an old timer to contribute you really just have to have the desire to help other people out and everyone listening can help other people out even if you knew you were one step up the ladder from someone else's where you were last week and there's always new blood is a benefit for all kinds of reasons you might bring new perspectives you might have energy to pursue some project or task that somebody else might not so the Absolute is a place for everybody and I was just putting in a plug for us old guys because we tend to you know start to become. Regarded as too old to bother being of value and that's just could happen for sure just like cold fusion I mean some people want to label it as dead or dying and you know it might be to one person's perspective but I can tell you I'm busy every day with different clients from different organizations every day and I know I don't have all the customers that use go vision and I serve a thousand clients and I suspect that's just a.

 

Small fraction right now on numbers I don't know because. I know it's way this way more confusion sites and that I mean his last time I did.

 

It was like two to over two hundred thousand sites using it so you know on that we're just going into into have built with you know which is a site that tells you where technologies are used on different sites your and and the other thing with cold fusion is a lot of it is used on Internet so that it isn't even cool picked up by these extra innings might as that goes scanning for technologies. But that is where we know have been having this debate and discussion for really fifteen years so it's not new and some of us have offered these pieces of information over and over and I'm going to hear it but I'll throw out a new piece of information that some of you know about but some don't and it's even more valuable if it's you know if you'll trust it when C.F. twenty sixteen came out and the dhobi blog which I mention in passing and let me make it very clear it's blogs dot cold fusion dot com blogs doco fusion dot com That's the Adobe C.F. blog and there is if you post a month sometimes several posts a month so it's not hard to keep up with and it's often really valuable stuff well once you have twenty sixteen came out and you know last year February March April never it was they didn't post announcing it and of course there was one hundred comments from people about all kinds of things some supportive some antagonistic some fretting about licensing issues so lots of stuff in the comments go read it when you have time but one of the comments was wreck sheaths who was the product manager he said that there are two thousand sales of cold fusion I believe he said per quarter now maybe ups of heard elsewhere that it was maybe change to per year but even if it's per year he was being very clear because of course there but not every people jumped on him and said Oh man you're really talking about you know upgrades right now oh he said not upgrades Oh you're. We're talking about people buying support licenses right no no he said No Listen everybody these are new people that had never bought go fusion before buying a license of cold fusion two thousand per whatever your recorder thank you and that's where some people say they're going to argue with that and debate whether he's telling the truth I'm not going to go there but I believe you know if they're actually wouldn't say that in a public forum it wasn't true and that's I'm going to stand on that and you can tell you can tell it so be makes a lot of sales because they have an enormous engineering team writing the new features for and supporting it.

 

Upgrades and they make a lot of money on support licenses they make a lot of money made well I'm interviewing rush in a few weeks so and of course the Adobe C.F. weeks coming up real soon as well so. That's an online free training thing for you know I'll put a link to that and yeah so you know unless the coming up in is a October or November this year the C.F. summit.

 

And I don't think they make money on that I mean you know it's more of a marketing expense they have a nice big location and hotel and bring a lease because in so you know there's a lot of good things being done there's plenty of that and I was alive and well and I know that that flies in the face of so many people think they were just will not be persuaded otherwise they dine and well I you know I think we all can image there are things we'd like to improve and you know let's also be grateful and recognize things that are good so you know which brings me to the question I'm asking everyone I'm interviewing which couple questions they're actually first of all why are you personally proud to use cold fusion.

 

Which I remember when you asked that previously you know it's a serious question you know proud as.

 

Proud but I'm happy to use it because. I know that there is a large community of people that are still using it and I enjoy being able to help them.

 

Make me proud but it does make me happy and and.

 

Comfortable you know I enjoy doing it I don't forsee needing to change not get I know we talked about this earlier we don't want people to hear a saying people need to only do so yeah of course people should be looking at other things just for rounding out their technical abilities and each of us have done resources blog post podcast we've talked about that so you know we are with you on that but. I'm just saying that I'm very happy doing what I do and I'm perfectly busy just amount of clients every day every week every month for the past ten years I've been doing it and it's not changing and it's new customers every week so I just say yes does not mean it can't be because I would be getting new customers every week and I wouldn't continue to get the work that I do with a thousand customers already have of course some of probably gone but I can tell you I work with too many people and then things like what rights she said and of course Michael I mean your contribution to the community mailing list you have do you count how many people are on that list or do you keep that.

 

You know it's about five thousand on it quite commonly and if there were failures and balances you know it and you remove them so yeah no that's that's having removed all the balances not subscribed there and then also there's some of you know I run the online cold fusion meeting which is a online see if user group it used to be more frequent but it's hard to get presenters I don't know why people just don't seem to want to come on and present you know something they've put together for a conference everybody that if you're a speaker watching that's love to have your presentation but but even with the relatively small number of presentations that we have. Now. There's still twenty seven hundred people on it and meet up would remove any balances so there's two resources right there and we know we're not serving the entire community so well and I won't give out the exact numbers of people who've bought fusion reactor but it's well into the five figures as right I believe they. Are and that's just people who are so serious about CO fusion that paying out money to monitor how good their service running so we should throw out there that some number of those might be using those Iraqi lower Blue Dragon or Tomcat or but I but I know that the majority of people using right or is cold fusion because I give the webinars for them and speak on their behalf and in fact I'll be manning the booth for them at the conference this year. You know so on the fan I'm not an employee but I'm a fan but I'm saying because of that you know I know when I put together resources they're usually C.F. oriented because that's the majority of the user base though it can be used with any java application server and he's also right where you had another question. I did so you know what would it take to make Co fusion even more a life this yeah well I think we've just talked about plenty of ways you know from people taking individual initiative to become more aware of available resources and getting involved and contributing as you mention the oh there are folks getting involved you know that new blood is really vital I'm sure that many of the presenters are first time presenters or infrequent presented to the C.F. community and again don't anybody here US is or cutters stick and C.F. and don't want to learn anything new no one I know that there's talks that are being offered at this conference even though it's not dev objective it's if objective there's talks that are generic and of value and will be of value to you beyond using C.F. and there's plenty of ways to evolve beyond C.F. and I'll be doing a blog post coming up soon about that. Yes So. As far as keeping C.F. alive you know I think making it more a life it's not just keeping it out it's not like.

 

You testified about how it's much more alive than people realize so you know I don't know if it needs to be made more alive I just realize that it is more along.

 

But right you know all these resources and.

 

People learning you know it's going to help make it more like Yeah you know I've done a few things myself as well as starting this podcast which we put out not only on i Tunes but on You Tube and stick sure and goodness knows where else any way we could get it to go we put it and thanks everyone for sharing it with the O.C.F. friends because that's how we get more listeners and also appreciate you leaving reviews on i Tunes partly because we'd like to hear what you think about it but also just the outbursts i mean i Tunes The more reviews you get the higher up it shows up so more people find it so. The other thing I am doing this year which is a little bit out in left field but I think someone's got to go out there. I'm creating a song about cold fusion being more alive.

 

I think that will be a fun way to. Get the message out so.

 

You know when it comes out yes I will happy to be sharing that with you so let's just wrap this up you're going to be speaking at see if objective which is instead of being in in the middle of the country in Minnesota this year is in Washington D.C. So what are you looking forward to at at c a project if this year well you know as a fellow former you know resident it's one just to go back home and in my case it's where I was born and raised.

 

Grew up in D.C. went to high school in fact the same I could take the same bus that I took. Your high school. School and college I could take that same bus to the Marriott it goes by that same bus the thirty bus runs up and down Wisconsin Avenue and Pennsylvania Avenue I could take that same bus if I still lived where I was born and raised so it was fun to be back in D.C. to see those old stomping grounds and to and I've loved seeing the tweets that the conference committee has put out about things you can do there's so much to do in D.C. It's a great city well for someone who hasn't been to D.C. or hasn't been there a long time what what would you suggest as a good thing to do while you as well really rather than me try to think of things to say I'll see if you haven't seen those tweets go Twitter I believe probably just using a pounds if objective ask tag look for those there is they're usually announcing things about the presenters and the topics they're also interleaving in their specific things to do in D.C. from natural things to museum type things to other things that are free almost you know everything cool thing about going to D.C. Is that pretty much everything is free and it's all very close you could walk you know it might you know so at some time in the heart of July it might be a bit arduous to walk a mile but there's so much to do all within you know ten minute walk of where we'll be staying at the conference so hopefully Oh yeah it's amazing and you take the Metro it's very you know economical and it crisscrosses all over the story safe yeah yeah there's so much and if you haven't done these things I know in this day and age of a lot of jaded perspectives on you know Washington and politics if you could set that aside for a minute the history really comes through when you go to some of these places and it can also rekindle a sense of realizing that you know there's a lot behind the you know country that's lost right now in the midst of all the crap that's going on. That really makes it and and that's why it's still going and hopefully in Providence it'll get resolved soon and we can get back to you know just operating the way it did for so many. Hundred years now and there's a good fundamental core you know I know that right there is going to be a debatable topic among some people so let's not go there but you know go check out those things you don't get into that go to the museums go to the whatever go to the yes go to see them the Washington Monument the Viet Nam vet memorial or you talk to some of the vet sat the memorial you know it's not just saying that you can talk to I found interesting conversations with some of the veterans and they're hanging out there you know provide support to other veterans who had P.T.S.D. or other issues and I remember thirty years I was there on this and yeah that was walk right down there when I was openings and it's quite it's very moving and one thing you you can do if you have any relatives who died in that war or you can find they have a little directory you can find weeks actually where they are and not on a piece of paper and pencil you know grab the name of the Yaron they leaflet candles it's it's very moving another one just around the corner from that that doesn't get as much attention as the Korean War Memorial and they have a statue Well several statues there of some soldier I didn't realize Korea got so cold in the winter which is why not me so I know that so they have a some statues of people looking like trudging through some snow and not looking too happy about it to be honest the Vietnam War and now World War two won and then there's are going to war one one so there's lots lots lots to do and a lot of that stuff is covered in trees so it actually can be pretty comfortable you know a lot of that you could spend just a whole afternoon in that area. The reflecting pool and right those and the Lincoln Memorial don't forget that you can you can read President Lincoln's address. Just chiseled into the memorial ladder and that's where of Martin Luther King gave his famous speech on the steps that So lots of history recent and not so recent anyway and you know yes well thanks so much for being on the podcast Charlie it's always a pleasure to have you on and if anyone listening wants suggest other people to be on the pole cost or if you yourself would like to be interviewed drop me an e-mail or you can go to the terror tech Paul cost page you can leave voice message there with either suggestions or you can get questions you want me to Aust. Speakers of all costs great stuff and thanks for everything you're doing for the community and your reviving your own enthusiasm in recent months and years it's great to see him will help also to keep and makes you more lives so thanks for you know.