Wednesday, 25 December 2013

Bill Gates would have changed the world more if he had bought and open sourced the Windows XP code base

I was reading the Wired Magazine issue that Bill edited, and although Bill has done amazing things with his philanthropic activities, part of me wonders what would have been achieved if he had bought the Windows XP Operating System from Microsoft and Open Sourced it.

Here is an alternative reality that might have been much better for him and the world:

Tuesday, 24 December 2013

How to create (using Eclipse) JavaDocs that look good? (My current approach is not working)

I want to create nice JavaDocs for the API I'm developing for TeamMentor's Eclipse Plugin Builder Kit (see here, here and here), but at the moment I'm not getting the results I want (see the screenshots at the end of this post for the type of JavaDoc I want to create).

Here is the workflow I'm using to create the JavaDocs in Eclipse (Kepler):

Just donated £50 to Wikipedia

Similar to what I did last year (see Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships and Lovely 'post help' email from Wikipedia), I just helped keep Wikipedia open and independent.

I really like their 'please help us' text:

Monday, 23 December 2013

The power of not being in power (and being ignored)

I think it helps a lot to give clarity and focus to ideas when the 'idea maker' doesn't have enough power to 'force' their execution (or adoption).

I've talked about this before in You will not have your best ideas when you are in a position of Power, and it is something that I feel more and more is needed.

As somebody who has a lot of opinions and ideas (see I wish that OWASP in 2014 ....), I think it is very healthy that once I stepped down as Board Member I was able to (eventually) write freely about An Idea of a new model for OWASP.

Sunday, 22 December 2013

3 Patterns for deserialising Xml into Objects (1 good and 2 very dangerous (XStream and XMLDecoder)) and a bunch of questions on how to handle them

When Abe and I were at DefCon working on the final version of the slides for the RESTing On Your Laurels will Get You Pwned presentation, we came up with a nice way to talk about the different approaches that can be taken when converting XML into Objects (the examples here are in Java, but this also applies to other languages/APIs).

Trying to add an 'EVIL bit' to java.lang.String (aka Java Taint Flag) and 'the first one has been set'

Following from the idea documented in the Java Tainted Strings post, Steven van der Baan is continuing his research, and at the last AppSec USA he had a breakthrough: we set the first 'Java EVIL bit' :)

This is a major development and if you are interested in this type of research, please join in the efforts (Steven is the one that has done most of the research so far, since I haven't had the time to join in).

XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article

At DefCon 2013 I co-presented (with Abraham and Alvaro) the "RESTing On Your Laurels will Get You Pwned" talk, which showed a number of PoCs on how REST interfaces and APIs can create a number of security vulnerabilities:

Since that time, I have blogged about a couple of the demos created.
We also showed a PoC using the XStream API (which had been reported to the XStream developers) which so far has not made it into a blog post (the PoCs presented at DefCon are here and here).

Since a quick search for 'XStream Vulnerabilities' only shows a couple of examples (Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used, JAVA RESTful Services | Fuzzing Down the Rabbit Hole: Part One and this git commit), I think it is fair to say that this issue is still quite unknown.

Wednesday, 18 December 2013

Executing Eclipse Plugin JUnit tests in real-time without needing to restart Eclipse (with no mocking)

One of the key capabilities that I wanted to have after Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in) was to be able to run JUnit tests (including tests using SWTBot) in the live (under debug) Eclipse instance (called the test Eclipse below).

This would allow me to code in a very quick/efficient TDD workflow, since I wouldn't have to wait 15s to 30s to see execution results for new JUnit tests or major/minor changes to existing JUnit tests.

The good news is that by using the GroovyExecution API that I wrote for the TeamMentor Eclipse Plugin, I was able to dynamically load and run the class files of the JUnit tests to execute, which was already a massive milestone, since that gave me 80% of what I needed. But it was only after Adding and using new API methods, that are consumed by an Eclipse Plugin under development (without Eclipse restart) and having JRebel enabled, that I had the full dynamic environment (where changes to the main plugin code and changes to JUnit test code did NOT require an Eclipse restart).

Here is a walkthrough of how it works (still a bit rough around the edges, but already a really powerful workflow).

Tuesday, 17 December 2013

Groovy Script to create a view that shows the images available in the ISharedImages class

Today I needed to add a couple of icons to the Eclipse Plugin I'm working on, and after Googling a bit, I found that Eclipse already includes a number of images with its release, namely via its ISharedImages class.

As with the question at Overview of ISharedImages?, I wanted to see a full list of the images available, and although that answer points to a couple of blog posts that have it (see here and here), that didn't answer all my needs, since (for example) I also wanted to know if the images were available in the Eclipse versions we currently support (Indigo, Juno and Kepler).

Football group photo from last Saturday's game in Chiswick

As often as I am able to make it, I join a great group of guys at Chiswick's Rocks Lane on Saturday for a 1h45m non-stop game of Football (soccer for the US readers).

This is a great way to keep in shape, and I hope I'm able to play for many more years (I also play at Rocks Lane in the Tuesday and Wednesday league games).

Here is a photo of the group that played last Saturday (some of these players are REALLY good, and it is a great honour to play with them):

Monday, 16 December 2013

Adding and using new API methods, that are consumed by an Eclipse Plugin under development (without Eclipse restart)

This is a variation of the example shown in Using JRebel to HotSwap new Static String fields in an Eclipse Plugin (without Eclipse restart), and it's such a cool/powerful workflow that it deserves a dedicated blog post.

Part of the Eclipse Plug-in development toolkit I'm working on is a couple of APIs that are inspired by/based on my previous work on the OWASP O2 Platform's FluentSharp APIs (available from NuGet).

The core idea of these Fluent APIs is to simplify to the maximum the code required to perform a particular action.

Using JRebel to HotSwap new Static String fields in an Eclipse Plugin (without Eclipse restart)

After Installing, compiling and failing to use DCE VM for Eclipse Plugin development, it was time to give JRebel a go (which is a commercial plugin that costs about 300 USD per year).

TLDR: It worked and I was able to run an Eclipse Plugin, make big changes in a class already loaded (like adding a new field/method), and have access to those changes without needing to restart Eclipse.

Installing, compiling and failing to use DCE VM for Eclipse Plugin development

Last night I tried to use the amazing DCE VM tool (DCE = Dynamic Code Evolution) to apply hot fixes to the APIs I was creating for the open source Eclipse API Tool Kit I'm working on (as part of the TeamMentor Eclipse Fortify Plugin).

I was trying to address the limitations of the JVM's HotSwap technology, which only works on certain inline code changes and doesn't support adding or changing methods at all.

TLDR: this post doesn't have the solution for this problem (see next post which shows JRebel in action).

In this post I'm going to show the workflow/steps that I followed to:

  • create a version of DCE VM that worked on OSX Mavericks (after failing to use the provided binaries, and needing to compile the DCE VM code),
  • run Eclipse under the modified/patched JDK,
  • get a 'hang' in Eclipse when one of the dynamic code changes was applied.

Installing Gradle on OSX

Gradle is a build automation solution which can be downloaded from http://www.gradle.org/downloads and is a really powerful 'Groovy based' way to automate builds.

The download is made available (in Dec 2013) as a zip file, but for OSX there is no 'installer script', so here is how I just set it up on my dev OSX laptop:

Sunday, 15 December 2013

What if Minecraft was open source? (it would be an amazing learning tool)

Last week I did my 2nd CodeClub session, where we tried to use a Minecraft server in the class (see Setting up a CraftBukkit based Minecraft server on OSX (Nov 2013)).

And it was a painful experience.

There were a ton of technical problems and most (if not all) of them were caused by the fact that Minecraft is not open source and needs to have a 'call home' function to make sure the clients have a valid license (i.e. there is an authentication step when connecting to a Minecraft server which forces the clients to be online, and introduces a number of issues).

This got me thinking about the hidden costs of the 'Minecraft closed' world, and how much more of an impact it would have if it was open source (and freely available to more kids).

The hidden costs of closed worlds (in reference to Disney/Pixar animations)

I just watched the Disney movie Frozen (with the kids), which is basically a re-cast of the characters and technology used on the Tangled movie.

What I really found interesting was how the kids (8 of them) really had no idea what I was talking about when I mentioned "...well ... they grabbed the same Software and Character Programming used in Tangled, added a change of clothes and programmed a new story..."

Basically the concept that there is a HUGE amount of programming and technology behind these movies (Pixar, Dreamworks Animation, Walt Disney Animation, etc...) is completely alien to them.

Blogger search is still broken and workaround to create a simpler (but working) blog search

I was trying to ignore this and see if the Google Blogger team would fix it, but after a couple of weeks (or more) it is still broken, and is starting to affect me (because I blog so that my Future Self is able to find those ideas, like my Today Self, which is not able to find what it thinks is there).

Thursday, 12 December 2013

How to word-wrap a word without breaking it (when using bootstrap)

I just had one of those bugs that should have taken 5 minutes, but ended up taking a lot more because the behaviour of HTML and bootstrap was not as easy as I expected.

Basically the problem was that we needed to handle (in the TeamMentor Eclipse Fortify Plugin) the cases when we don't have a TeamMentor mapping for the issue currently being shown in the Fortify views.

The solution was to show the current Fortify recommendation, which is available from their plugin (I need to explain how I got that data in another post), and after integrating that data in our plugin, it looked like this:

Tuesday, 10 December 2013

Webcast on TeamMentor integration with Checkmarx

If you want to see how TeamMentor integrates with Checkmarx (namely the special asmx proxy we created), Maty (from Checkmarx) and I are doing a webcast later today (1pm EST), which you can register for at http://web.securityinnovation.com/webinar-december/

The title is Faster & Better Remediation with Security Innovation’s TeamMentor and Checkmarx’s CxSuite and here is the session description:

What really hurts ... is not being defended by your peers/friends

As somebody who has strong opinions and likes to do stuff, I sometimes find myself in situations where I step a little out of line and do offend/hurt others (see also Why do others think that I'm "hard to deal with" and that "I don't listen").

This means that I tend to be on the receiving end of some criticism, which I've learned to accept (and not argue back, even though I could). Sometimes it is better to just accept the mistakes and let the other side have their say, especially if they are right and some of their feelings were hurt.

Occasionally when that happens, I get the question "Doesn't it hurt to be on the receiving end of that criticism?" (which is a variation of "doesn't it hurt to be so misunderstood on what you are trying to do?").

Sunday, 8 December 2013

Blogging is like speaking to my 'Future Self'

Speaking to our 'Future Self' is a concept that I have been thinking about and rationalising lately.

Looking back I can see that I have been doing it for a while, but I think the first time I wrote it down was on this tweet:

Got 3 Raspberry Pis in the post from @CodeClub

Last week I received 3 Raspberry Pis in the post, to be used in the weekly CodeClub sessions I'm doing at my kids' school.

This is part of the 15,000 kits sponsored in the UK by Google, with 3000 of them delivered to CodeClub (see Google to give schools Raspberry Pi and We’re happy as Raspberry Pi).

Wednesday, 4 December 2013

High-Res images of TeamMentor's Fortify integration in Eclipse

As you can read about here and here we are in the final process of officially releasing (and selling) the TeamMentor Eclipse Plugin with Fortify support.

Alli (from SI Marketing) asked me for some High-Res screenshots of how it works, which I just created on a clean install of Eclipse Kepler 64bit on OSX with both Fortify and TeamMentor plugins installed.

You can see the images below, or download the 1.2Mb images from these links:
These were taken on a MacBook Air with Retina display, using the OSX screenshot tool, which creates images with a 3108 × 2028 resolution (which I hope is OK for print).

Setting up a CraftBukkit based Minecraft server on OSX (Nov 2013)

Since I have my regular CodeClub Wednesday session later today, I finally got around to figuring out how to run a Minecraft server (I have a number of kids that are starting to get bored with Scratch and REALLY like the idea of programming Minecraft).

There are a couple of Minecraft servers out there (including an official one), but CraftBukkit seems really powerful and very plugin-friendly (see http://plugins.bukkit.org/).

Here are the steps required to get a Minecraft CraftBukkit server up and running:

  1. download the CraftBukkit 1.7.2 development version from http://dl.bukkit.org/downloads/craftbukkit/
  2. follow the instructions from http://wiki.bukkit.org/Setting_up_a_server
  3. move the downloaded craftbukkit-1.7.2-R0.1-20131204.020906-17.jar into the BukkitServer folder and rename it craftbukkit.jar (you can delete the one originally downloaded)
  4. execute ./start.command from a terminal window in the BukkitServer folder
  5. open your Minecraft client (downloaded from https://minecraft.net/download) and connect to localhost (you will need a valid/paid account in https://minecraft.net)

Monday, 2 December 2013

Installing Eclipse Plugin Builder, accessing Eclipse objects and adding a new Menu Item that opens Owasp.org website

This post shows how to use the Eclipse Plugin Update site described in TeamMentor Plugin and Builder v1.5.6 (Source Code and Eclipse Update site) to install and use the Eclipse Builder Kit that we open sourced last week.

The objective is to do these actions, without needing to restart Eclipse to see them:
  • Dynamically access Eclipse objects like: Shell, Workbench, Workspace, ActiveWorkbenchPage, Display, etc...
  • Open the http://www.owasp.org website in a browser (and put it inside an Action object)
  • Add a new Menu called ‘OWASP’
  • Add a menu Item to the ‘OWASP’ menu called ‘Open OWASP website’ that calls the Action object that opens the OWASP website.

Wednesday, 27 November 2013

TeamMentor Plugin and Builder v1.5.6 (Source Code and Eclipse Update site)

TLDR: open Eclipse and install the plugin from: http://eclipse-plugin-builder.azurewebsites.net

I just updated the TeamMentor_Eclipse_Plugin repo with the latest version of this plugin (take a look at the develop branch which is in sync with the develop branch in my dev fork).

This code is now Open Source (see SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor), so feel free to take a look, fork it and figure out how to use it.

Executing two H2 scripts after compiling them

Sometimes you want to reuse a script that already exists, for example to have multiple copies of it running at the same time (great for Fuzzing or load testing).

Here is a simple example (from the TeamMentor UnitTest/Tools collection) that does exactly that:

Util - Browse TeamMentor Libraries.h2

Here is another simple tool that allows for a quick browse of TeamMentor Articles (download the exe from: Util - Browse TeamMentor Libraries v1.0.exe).

The objective of this tool is to show how to mass-consume TeamMentor Articles (if you look at the code you will notice that all metadata is downloaded locally, so that after an initial delay all navigation happens in real time, with the articles being downloaded on demand).

Note that there is a more advanced version of this tool (called Library Manager), but for local access and quick views of TeamMentor Libraries, this is quite a nice tool:

No OWASP app on the OSX AppStore (Nov 2013)

Definitely a missed opportunity here :)

What types of App should exist?

At least we should have a couple that expose OWASP materials (books, wiki pages), projects and events.

I will be a happy guy when this page doesn't look like this:

Monday, 25 November 2013

Script to create stats from TeamMentor Libraries

While creating a better tool to manage the new 'TeamMentor Researcher Programme' (more details later today), I am updating the https://github.com/TeamMentor/UnitTests/ scripts to the latest version of TeamMentor (3.4) and FluentSharp Apis (5.3).

Amongst the scripts/APIs I'm fixing there is the Calculate TM article totals.h2 script, which I created a while back when we needed to know the size of TeamMentor articles for translation (btw, if you speak Japanese, there is a version of TM in your language almost done).

Here are the stats of the current version of TM:

Sunday, 24 November 2013

SI Open Sources the Eclipse Plugin-development toolkit that I developed for TeamMentor

For the past couple of months I have been working on an Eclipse plug-in for TeamMentor (see Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in), Opening up a native Chrome Browser window inside Eclipse (raw version), Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI and Two Videos showing TeamMentor Eclipse Plugin integration with Fortify Eclipse Plugin (as shown in HP Protect 2013 conference)).

I had a number of culture shocks coming from a C#/VisualStudio/O2Platform/REPL world into a Java/Eclipse one. The biggest one by far was the loss of the 'semi-real-time' code execution that I have in Windows/C#. I used the O2 Platform REPL (and the Resharper+NCrunch VS plugins) to have a proper TDD development mode (i.e. high effectiveness and productivity), and in the Eclipse world (especially in plugin development) I had a 10 to 30 sec delay before seeing the result of any code or UnitTest execution! (which is 95% slower than what I was used to)

So, as I guess it is typical of me, I didn't just create an Eclipse Plugin. I created an 'Eclipse Plugin to create/develop Eclipse Plugins' (think of it as a 'Groovy based Eclipse Plugin where the Groovy scripts have access to the Eclipse Objects of the Eclipse instance running those Groovy scripts' :)

4 Million USD to build a secure Operating System to run Secure websites?

Is that too expensive or a great investment?

Well ... I met a great friend at AppSec USA that already built a secure OS (based on Open Source technology) years ago in a company that failed (i.e. went bust at great personal cost). He is one of the cleverest guys I know, and he and his team built (at the time) an OS that powered a very high-profile and targeted website that was NOT compromised.

The only catch is that their previous effort was done under a 'closed software' platform, and my view is that such a creation needs to be done under an Open Source model. This would allow the code to be peer reviewed and checked. Just like crypto, a secure OS needs to have the highest degree of assurance.

And since we can't really have a 'Secure Website' without a 'Secure OS', I'm sure we will see multiple 'Secure OSes' in the future. My only doubt is if my friend's creation will be one of them.

So how did I get to the 4 Million USD value?

Friday, 22 November 2013

Just disabled AdSense for this blog

I was curious how it was going to work out, but never really liked the idea of exposing readers to ads.

And since I want to move to a static-based blog as soon as possible (maybe something like docpad), it was just a matter of time.

Friday, 15 November 2013

I'm doing the 'Survival of the Fittest' (please sponsor if you can)

Sarah and I have been offered last minute places to take part in a race called 'Survival of the Fittest', to raise money for the Philippines.

We have decided to go for it with very little preparation because we are raising money for a really important Philippines charity and the disaster relief fund, splitting the funds 50/50.

If you haven't already made a donation to the disaster appeal then please consider sponsoring us.

The charity already sponsors some of the poorest children in Manila, and they are now suffering from the recent typhoon.

Friday, 8 November 2013

Presenting at OWASP Turkey Chapter on Sat 10th of November (on Secure Continuous Delivery)

If you happen to be in Turkey this weekend, there is a great OWASP event happening tomorrow, where I'm also presenting on "Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating".

This is basically going to be a review of the O2 Platform and development work I have been doing for the past years (namely in trying to automate application security knowledge).

Wednesday, 6 November 2013

Tuesday, 5 November 2013

Updating my bio description (as of Nov 2013), now more 'developer focused'

My current bio is quite a bit out of date and it looked like this:
    Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis; from May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009) where, during active security engagements using Ounce's technology, he developed the Open Source codebase which is now the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences. At OWASP, Dinis is the leader of the OWASP O2 Platform project.
This was used in a number of places I presented recently (for example http://appsecusa2013.sched.org/speaker/dinis.cruz) and it is not an accurate representation of what I'm currently focused on.

Thursday, 3 October 2013

Syncing all releases to the same commit and Tag (for TeamMentor v3.4)

This is a bit of housekeeping; as you can see from the Fixing the Merge conflict caused by one extra commit on TeamMentor master and Git Flow - Moving patches from one Commit into another Commit posts, not doing this has already caused us some pain in the past.

So after some pushes and pulls (of both commits and tags) I now have the main TeamMentor repos all synchronised at the 72ca4b5d3322901266ca294678cbe15aa343a4b3 commit:

Enabling GitHub Two Factor Authentication

Inspired by Google’s Two Factor Authentication workflow, last month GitHub did the same thing.

I just enabled it, and I strongly recommend that you do it too.

As per the instructions in GitHub’s Two-factor Authentication post, the first step is to go to https://github.com/settings/admin and click on the ‘Set up two-factor authentication’ button:

Wednesday, 2 October 2013

The Projects Summit 2013 is happening: GET INVOLVED!!!!

Here is the announcement email from Samantha Groves sent to the OWASP Leaders list:

Fixing the Merge conflict caused by one extra commit on TeamMentor master

On the 3.4 Release of TeamMentor (which was the first release where we really used Git Flow in development; see this great presentation on Git Branching Model), we ended up with a situation where the commit that was the parent of all feature/fix branches was off-by-one from the master of the TeamMentor/Master repository (we also had to do a bunch of back-porting of fixes into that commit, see the Git Flow - Moving patches from one Commit into another Commit post).

In practice this means that the TeamMentor/Master graph currently looks like this:

Monday, 30 September 2013

Java Tainted Strings

At AppSec EU Steven van der Baan approached me with the great idea of seeing if we could do an open source implementation of Java Tainted Strings.

The idea is to (somehow) add metadata to the java.lang.String object and allow an App (or APIs) to taint a string (i.e. mark it as 'potentially malicious') and to modify that App/API's behaviour based on the taint information (for example "don't execute an SQL statement if its SQL command string is tainted").

There is still a lot of thinking that needs to happen on this idea, and we are currently in the 'pre PoC' stage.

Physical Books are the best technology for reading, and bookstores should 'give' an eBook with every physical book published

I just bought 5 books at a really nice book store in central London and it is amazing how:
  1. these bookstores are still afraid of the digital world
  2. they don't have the confidence to say:
      "... If you buy a physical copy, we will give you (or sell for 10%) the eBook version.

       ... the reason we 'give' you the eBook is because the 'real' book is much better, but there are places where you might want to use the eBook.."

This is something that I already talked about in my Why doesn't Waterstones (UK BookStore) also upsell kindle books? post (which has more ideas on what bookstores should do to provide a better service to readers).

Saturday, 28 September 2013

Script to Git Clone 13 repositories in order to have all TeamMentor Libraries in one folder

As part of the push for the 3.4 release of TeamMentor, I wanted to have a copy of all TeamMentor libraries locally (there are 13 libraries in the 3.4 release).

Since O2 Platform’s FluentSharp has native Git support, I was able to create the clones using this script (note how simple it is to create a clone from a GitHub repo):

Friday, 27 September 2013

Using TeamMentor Checkmarx proxy to scan a vulnerable PHP application inside Eclipse

Michael Hidalgo has posted a really nice article which shows:

  • a PHP app,
  • inside Eclipse,
  • scanned by Checkmarx's SAST,
  • with security guidance provided by TeamMentor

Check it out at: http://blog.michaelhidalgo.info/2013/09/using-teammentor-checkmarx-proxy-to.html

The Open Web Interface for .NET (OWIN) and Katana

Definitely need to take a look at this: http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana (anybody used it?)

Here is its hello world example:


A quick skim of that article showed that they were inspired by Rack and Node.js, which can't be a bad thing :)

Wednesday, 25 September 2013

Should developers code naked once a week? (or in a mankini?)

That way developers (or managers) would have more 'empathy' with the 'naked' state of the applications they are developing and publishing :)

I got this idea, following from this comment/suggestion on Guidelines of OWASP:

Tuesday, 24 September 2013

Reaching out to Developers, Aspect is doing it right with Contrast

UPDATE: I got the dates wrong when I posted this. The Contrast blog post and presentation are from 2012, it is the award that is from 2013:


In case you missed it, OWASP's long time contributor Aspect Security were at the JavaOne conference presenting their (commercial) product Contrast.

I was not there, but from the noises I'm hearing it was quite a successful event, with lots of developers reached.

Here is a cool picture from their Contrast @ JavaOne post (which contains a link to their presentation, also embedded below):

Monday, 23 September 2013

Chaos Computer Club breaks Apple TouchID (the bad idea that is fingerprint biometrics and 'its cool to hack Apple now')

Well, it didn't take long: Chaos Computer Club breaks Apple TouchID

For me the key statement of that post is: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"

I have to say that I have never been involved in designing or testing fingerprint biometrics, but I always had this voice in the back of my head saying "...humm... it really doesn't sound good, the idea that the security ID cannot be changed, and once that ID is stored in digital format, there is nothing that can be done to prevent its reuse...."

OWASP Flight Booking using Amex and Project's Mini-Summit at OWASP AppSec USA 2013

I just booked my flight using the new OWASP 'Amex travel' partnership and it was a great experience.

Guidelines of OWASP

OWASP got a great quote in this EU Regulations document, which is aimed at laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens’ initiative.

Wednesday, 18 September 2013

Video: Coding WebInspect in real-time to Inject Fortify Plugin Views

Here is a detailed video that shows the multiple steps required to inject windows originally hosted in Eclipse (Java process) into WebInspect (.NET process).

Of course this workflow could be automated using a script, but I hope that the video below helps to explain how it actually works, and how windows are hijacked from one process into another:

Two Videos showing TeamMentor Eclipse Plugin integration with Fortify Eclipse Plugin (as shown in HP Protect 2013 conference)

Here are the main videos shown at the HP Protect 2013 conference.

This is our first working version of a TeamMentor Eclipse plug-in that is able to show security guidance natively in Eclipse.

Injecting Fortify Eclipse Plug-in Views into Notepad and WebInspect (and key difference between Fortify content and TeamMentor content)

Following from Opening up a native Chrome Browser window inside Eclipse (raw version) and Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI, here are a couple more examples of how to reuse Fortify Eclipse Plug-in Views in other processes.

Example 1: WebInspect with Fortify and TeamMentor (inside Chrome)

Injecting HP Fortify Eclipse Plug-in Views into HP’s WebInspect UI

Using O2’s Win32 Window Hijacking capabilities (see also Opening up a native Chrome Browser window inside Eclipse (raw version)), here is a PoC on how to inject a couple of Eclipse Views from the HP Fortify Eclipse plug-in (which is a Java app running under a JVM) into the HP WebInspect UI (which is a .NET app running under the CLR).

The power of this PoC is to show that we can have the best of both worlds and show security consultants and developers the best possible environment/UI for them to analyze, review and fix security vulnerabilities.

Opening up a native Chrome Browser window inside Eclipse (raw version)

On the Win32 Window Hijacking theme, here is a raw version of how to show an actual Chrome browser window inside an Eclipse view (i.e. a window from a C++ process inside a JVM-based process).

Using the Groovy execution capabilities described in the Programming Eclipse in Real-Time (using a 'Groovy based' Eclipse Plug-in) post, in Eclipse, I start by creating an instance of an SWT panel and getting its handle:

Using IKVM on an Apache Derby Database

After creating the .Net version of the Derby dlls using:

Saturday, 14 September 2013

No more UFOs :)

Great post from Seth: Cell phone cameras repel UFOs which points to this XKCD cartoon:

On the topic of 'devices' being carried everywhere, I wonder how long until we'll find out how easy it is (or not) for 3rd parties (NSA, criminals, etc...) to remotely enable a mobile/laptop microphone and push the captured data (in real-time or not) into an external location :)

Microsoft should sell Fully Patched Windows XP licenses (or open source it)

Microsoft should sell Windows XP because its newer operating systems should be so much better than Windows XP that its customers would be happy to buy the newer versions.

May the 'Farm' be with you - Grocery Store Wars (2005)

This is a funny video from 2005 which talks about a very important topic in a really clever way.

Wednesday, 11 September 2013

Running Groovy natively in .NET using IKVM

I’m really getting into Groovy (see also Programming Eclipse in Real-Time (using a 'Groovy based' Eclipse Plug-in)), but one problem is that Groovy runs natively on the JVM!

And although I could use Jni4Net to create a bridge between a JVM and the CLR, it would be much nicer if I could write Groovy scripts under the CLR (with live access to the FluentSharp APIs and O2-created objects).

And by using IKVM I was able to do exactly that :)

I was able to convert the main Groovy jar JVM bytecode into .NET CLR bytecode, and evaluate Groovy scripts directly in C# (i.e. without a JVM loaded in the current process). For more O2 usage of the amazing IKVM APIs see Util - O2 Java Tools (IKVM Based) v1.0

Evaluating a Groovy script in .NET:

After creating the groovy-all-2.1.6.dll .NET IKVM dll (see Appendix 1: Creating groovy-all-2.1.6.dll below), I was able to consume it (in O2’s C# REPL) like this:

Consuming password protected TeamMentor Articles using REST GET APIs (and creating mini-tool to view article's data)

As described in the 'TeamMentor’s CX integration requires TM instance that is serving the content to be open to anonymous access' issue, there are times when programmatic access is needed to password-protected TeamMentor articles.

Let’s take for example the Add Unique Tokens to HTTP Requests Using ESAPI article, which has the 7d647e95-e47f-42e3-bb84-fd0dd727245c GUID, and can be opened directly at https://teammentor.net/article/7d647e95-e47f-42e3-bb84-fd0dd727245c (a free account is needed to see that link).

Tuesday, 10 September 2013

Example of using GitHub Pull Requests to merge changes made on Branches

After the fixes explained in the Git Flow - Moving patches from one Commit into another Commit post and the reset of the TeamMentor 3.4 branch, Michael reapplied his other changes/fixes to the correct 3.4 commit, and I’m now in the process of merging his Pull Requests into the 3.4_Release branch (and eventually into the master branch).

This post walks through my current workflow.

At the moment there are a number of Pull Requests to process:

Saturday, 7 September 2013

Do you use the O2 Platform? (and O2 page at ohloh.net)

I just updated the O2 Platform project page at OHLOH (see https://www.ohloh.net/p/o2platform) and if you use it, please register your interest :)

Note that the stats only include the main O2 Platform code and the commits made to GitHub (the multiple O2 forks and past SVN stats are not there).

Thursday, 5 September 2013

Git Flow - Moving patches from one Commit into another Commit

This (longish) post will cover detailed git workflows and is part of the series of blog posts that show how we use the Git Flow workflow to manage TeamMentor's source code (you will also see practical applications of GitHub's powerful features like Network Graphs and Pull Requests).

The key problem that we are going to solve is the situation created by Michael Hidalgo’s TeamMentor fixes/commits/branches that were done against a commit (38bfcd54d8046372c0ace2409324ecc965761504) which was originally planned to be part of the next release, but we decided that the next 3.4 Release of TeamMentor will be based on the current 3.3.3 version (which is based on the earlier commit: b97a470ffa173d67a9c74373593eea03eb7a2da4).

The key reason is that the 38bfcd54d8046372c0ace2409324ecc965761504 commit (currently the parent of Michael’s fixes/branches) is not stable and is now going to be the basis of the 3.5_Release (this code contains a number of big changes which need more TLC and testing: native ASP.NET MVC routing, better Git support, native Markdown editor, deprecation of the HTML WYSIWYG editor, and more).

In a nutshell, we need to re-apply Michael’s bug fixes to an earlier commit than the one used (i.e. backport those commits).

Saturday, 31 August 2013

Creating a Fork of Jni4Net, dealing with ‘Attempted to read or write protected memory’ problem and what I had to do to make it work with ZAP

An O2 user was having some issues with the Jni4Net scripts and I think the root cause is that the current O2 scripts use the jni4net.n-0.8.6.0.dll, which is the version currently available for download.

TLDR: the code of the patched version is here and the compiled binaries are here.

NOTE: THIS VERSION IS CURRENTLY published as DRAFT since I'm in the Algarve (i.e. the beach is waiting) and don't have time to proofread the text below (which is posted as I wrote it at the time).

WTF, an SQL injection payload as part of a URL (on IIS.NET), it must be a honeypot

Update: I wrote the original post in March 2013, and after a couple of days I was contacted by the IIS.net admin asking me to remove it (which I did). Since it has now been fixed, here is the original post (I'm now assuming the vuln was real, but still have no idea how it got there).

NOTE: I used the 'contact us' form at IIS.net to ask for a direct email to send the info below, and they said to 'post it on the support forum' (see at the end of this blog entry a screenshot of the email I sent to IIS.NET).

Btw, since the issue is still there (a week later), I think this is a honeypot.

Here is the blog entry I was writing when I found this (saved as a draft since).

Wednesday, 28 August 2013

“The State of Application Security” Research report (by Security Innovation and the Ponemon Institute)

Based on a joint research study between Security Innovation and the Ponemon Institute, here is a really interesting report that presents/rationalises the current sorry state of Application Security (in 2013).

If you are a regular reader of my blog, you shouldn't really be shocked by any of this, but, it is a good read and provides good data for management to take Application Security seriously.

Here is a quote from the 'A must-read report for everyone involved in software development: “The State of Application Security”' article:

Notes on TeamMentor integration with CheckMarx (and pdf with info)

On the topic of integrating TeamMentor with Checkmarx, embedded below is a nice document (created by Roman and Michael) that explains how it works and where the TM (TeamMentor) guidance shows up.

This is a major milestone for TM and it shows that the best place to consume TM is in the developer's IDE.

A couple of notes on this implementation:

Saturday, 24 August 2013

Programming Eclipse in Real-Time (using a 'Groovy based' Eclipse Plug-in)

While working on an Eclipse plugin to integrate TeamMentor with Fortify, it was driving me crazy to have to deal with the loop of:
  • Write the code in the main Eclipse instance (hosting the Eclipse plug-in project)
  • Start the Eclipse plug-in project (in debug mode)
  • Wait about 1 minute for the 2nd instance of Eclipse to start
  • See the changes
  • Make some fixes
    • If I’m lucky they will be in a place that can be done (in the hosting Eclipse instance) without a restart of the 2nd Eclipse
    • If I’m not lucky, go back to step one

Monday, 19 August 2013

Creating a clone of WebGoat on GitHub

I needed a couple of vulnerable source code examples (to use on the new TeamMentor Eclipse plug-in), so an obvious option was to use WebGoat (whose code is currently hosted on a Google Code page).

But since there wasn’t a source code download option (in the current download page)


Friday, 16 August 2013

Util - Quick Hex File Viewer.exe

When I was creating the Generating Fuzzing Images and trying them on WebBrowser (IE) and Install Debugging Tools for Windows as a Standalone Component scripts I needed a simple and fast HEX viewer.

Since I didn’t have one at hand, I quickly wrote an O2 Script that uses a C# ListView to show binary data (see source code below).

Here is the link to the Stand-Alone tool: Util - Quick Hex File Viewer v1.0.exe

Which looks like this when executed:

Install Debugging Tools for Windows as a Standalone Component

Annoyingly (after many requests on MS mailing lists), it is still not possible to download the Windows Debugging Tools independently.

To get it, you need to go here

Thursday, 15 August 2013

Generating Fuzzing Images and trying them on WebBrowser (IE)

An O2 user asked me today for a good way to fuzz images, so here is a quick PoC that does that.

Note that I didn’t expect any of this to work in IE since fuzzing is part of Microsoft’s SDL (and so should be for anybody that creates C++ that parses binary data).

The first step was to generate the 'Fuzzed' images, which were created using this script (see Gist at the end of this post):

Wednesday, 14 August 2013

Using captured account details on login form

This post will put in practice the data collected in Generating a small MD5 Rainbow Table in C# and Loading, parsing and consuming unstructured data (i.e. password hashes from google).

Usually, if you have access to usernames and passwords, a good test is to see if they work on the site that we are currently (legally) testing (remember that a lot of companies don’t have a good sense of humor if you do this type of automated testing on them).

Let’s say that we have a website that has a login page like HacmeBank:

Loading, parsing and consuming unstructured data (i.e. password hashes from google)

Following Generating a small MD5 Rainbow Table in C#, the objective of this post is to show how to consume unstructured data (to be used, for example, on a fuzzing brute-force login attempt, which you will see in the next post).

Now that we have a way to resolve MD5 hashes, we need a couple of hashes to test it out.

Unfortunately (for the affected users) there is a HUGE amount of password hashes out there. For example, take a look at the http://www.exploit-db.com/google-dorks/9/ page:

Generating a small MD5 Rainbow Table in C#

I needed a simple Rainbow Table today, and since I couldn’t easily find one I could download, I decided to create it in C#.

So I went to the O2 Platform REPL and quickly wrote this script (included in full at the end of this post):

Tuesday, 13 August 2013

The speed of Google's crawling updates is impressive (with Bing and Yahoo not even on the map)

When I was researching the Adding Custom Descriptions and Content to Fortify using the RulePack's CustomDescriptionRule element post, there was not one direct hit/result for CustomDescriptionRule in any of the major search engines (it really makes you feel alone in the world when there is no info out there about the current research topic :) ).

So what does it look like now, just 30 minutes after posting it (I actually bet that Google got there sooner, but I don't have the screenshot to prove it)?

Here are Google's results:

Adding Custom Descriptions and Content to Fortify using the RulePack's CustomDescriptionRule element

After Cat.Net and Checkmarx, the next TeamMentor integration target is HP's Fortify.

The idea is to add references and cross-links between Fortify results and TeamMentor guidance, since that way we get the best of both worlds:
  • SAST Findings
  • Targeted and customised Security Guidance
I'm currently using the 5.16 version of Fortify which contains a nice Rule Editor that can be used to create well-formatted RulePack files (this tool also has a nice wizard to help with the creation of 'proper' custom rules (for example to map out new Sources or Sinks)):

Tuesday, 6 August 2013

Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

At the DefCon REST Presentation we did last week (see slides here), after the Neo4J CSRF payload to start processes (calc and nc) on the server demo, we also showed how dangerous Java’s XMLDecoder can be.

(tldr: scroll to the end of the article to see how to create an XML file that will trigger a reverse shell from a REST server into an attacker's box)

I have to say that I was quite surprised that it was possible to execute Java code (and start processes) from XML files!

Abraham and Alvaro deserve all the credit for connecting the dots between XMLDecoder and REST.

Basically, what happens is that Java’s JDK has a feature called Long Term Persistence which can be used like this:

Neo4J CSRF payload to start processes (calc and nc) on the server

The first demo that we showed at the DefCon REST Presentation was how to use CSRF to exploit the Neo4J remote code execution feature (provided by Groovy).

The reason CSRF was used is that, by default, the REST API that allows the web UI to pass a Groovy script is only available on localhost.

Abe and Alvaro's concern (and the reason we showed this in action) is that a considerable number of Neo4J admins fail to read the guidance provided here: http://docs.neo4j.org/chunked/stable/security-server.html

Back in London from DefCon and ALL research materials are now available on GitHub

The DefCon presentation on REST Security and Exploitation went great :)

The slides and demos worked out ok, there was a good crowd, and there were lots of great interactions/reactions from the attendees:


Monday, 5 August 2013

Can you join us for lunch?

With these simple words, OWASP's Joanna and I had a great lunch with two complete strangers (to us) at DefCon 21.

We were going into a local restaurant at the Rio hotel when they (a couple on their first trip to DefCon) asked us to join them. They said that they wanted to meet new people and we looked decent enough :)

They were both from LA. He was the director of a local web development company and she was a lawyer.

The conversation was wide ranging, and it was great to hear how he used to work for a financial company (doing financial analysis for tech acquisitions), but quit due to the lack of values and wrong motivations in that world (i.e. he left the dark side).

What he has found is that our community (software development, hackers, web app security) is a much more value-based world/society, with a lot more 'good people'.

Courage is a series of baby-steps that are taken in two-acts (and 'what should my friend do?')

During DefCon, a number of people I really admire told me how much they respect my 'courage'.

Namely the efforts that I put into the O2 Platform, and how I was able to create a world where I have a huge degree of freedom, with most of my activities happening on the interwebs (from code in GitHub to blogging about anything I want (i.e. these days I expect SI to read my blog, and don't give advance warning before I write a new post)).

The reality is that it is easy to over-estimate the effort required to have 'courage', and to over-value the amount of 'real courage' that is actually needed (especially when even 'big changes' are done in baby-steps).

For example, one of my really good friends is stuck in a 'good job', which pays him very well, but is not allowing him to follow his passion and ultimately fulfil his potential.

My friend (he knows who he is) says that I (Dinis) am very 'courageous', but what I would like to say to him, is that 'it is not that hard' :)

Day 5 - DefCon 2013 - roundup of what happened

Since my Day 1 post, a lot has happened and I'm finally on the way home.

After all the adrenaline, my brain is starting to shut down, so here is a brain dump of the highlights of DefCon 21:

Wednesday, 31 July 2013

MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)

While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good ones to look at (with publicly available source code)).

I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a 'that is not the recommended way to code MVC controllers').

So I think I found a great example (of what not to do) on the Contoso University sample.

This application is explained in detail in the article Creating an Entity Framework Data Model for an ASP.NET MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET MVC website).

Example of SQL Injection using Database.SQLQuery from GitHub (and idea for Cat.NET workflow)

After posting Another example why SAST technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework) I did this search on GitHub, and found an example of that dangerous Database.SqlQuery API in use:

This one allows callers to create SQL Injection (which means that whoever consumes those APIs needs to be VERY careful).

Another example why SAST technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework)

In Darren's great SQL Injection with Entity Framework 5 and Static Code Analysis post, he mentions how all SAST tools he used failed to find this security vulnerability:

The reason is simple: none of the tools he used had the Database.SqlQuery method marked as a Sink (and btw, last time I checked, FxCop is not a SAST tool).

One of the things I wanted to do this week was to add a rules manager/editor to CAT.NET (see my current research on this SAST tool from Microsoft here), and this could be a good example (i.e. show how to write a custom CAT.NET rule to detect this security issue).

Email (outlook.com, gmail) should be stored on a git repository, with hashes used to detect account hijack

On the topic of being secure (and minimising account compromise) while using hostile networks (see Day 1 - made it to Vegas, start of ASP.NET MVC research and Trying to keep secure while at BlackHat and DefCon 2013), I started using outlook.com, and was wondering how I can detect if that account is hijacked (for example by somebody who has a root SSL cert and is sitting on the same wireless network that I'm on (currently at Starbucks using the Mirage WIFI)).

So what happens if somebody sends an email from this account:

How could I detect it?

Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with a stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focused on really learning how ASP.NET MVC actually works.

I read a large section of the Professional ASP.NET MVC 4 book (by Wrox), which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all the ASP.NET MVC books I have) at 'mentioning' security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader to the dangers of MVC's ModelBinding.

Tuesday, 30 July 2013

Trying to keep secure while at BlackHat and DefCon 2013

Since the BlackHat and DefCon networks are getting more and more dangerous/compromised (and SSL doesn't mean much these days), this year, I'm going to try to be more careful with my interweb and account's activities.

So:
  • I'm only taking 1 Mac laptop, which has a clean install of OSX (+ Fusion with clean Windows installs), which I will use for research on the presentation I'm doing at DefCon (on Sunday)
  • I'm not taking my real phone (I'm going to try to get a SIM card in the US which hopefully will work on an unblocked and factory-reset iPhone 4)
  • I'm not going to check my OWASP and SI emails while there, and am only going to use the temporary diniscruz_defcon@outlook.com account (I also have temp GitHub, Twitter and Blogger accounts)
So if you want to reach me, the best way is via diniscruz_defcon@outlook.com (which I will check regularly, but will expect to be a little bit compromised).

Any other ideas?

For the ones that are going, what other security measures are you taking?

Cya in Vegas

Tuesday, 23 July 2013

Version of O2Platform 5.3 released

I just pushed to GitHub a new version of the O2 Platform which has a massive Namespace rename and a number of new features.

The NuGet packages can be consumed from http://www.nuget.org/packages?q=fluentSharp 

And the code is at https://github.com/o2platform (with, for example, the FluentSharp commits available at: https://github.com/o2platform/FluentSharp/commits/master ).

Let me know your views on it or if you find probs running it.

Thanks

Friday, 19 July 2013

Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample

Following a comment on this reddit thread I did a search for 'ASP.NET MVC Design patterns' and found the site https://aspnetdesignpatterns.codeplex.com which is from the Wrox Professional ASP.NET Design Patterns book.

Since it looked like a nice MVC application, I grabbed a copy of the source code, upgraded it to .NET 4.0/MVC 4.0 (now on GitHub here) and had a quick look for MVC ModelBinding vulnerabilities.

And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there are very few controllers that use ModelBinding (i.e. that Design Pattern was not used (which ironically is my main recommendation to deal with MVC ModelBinding Vulnerabilities: don't use Model Binding :) )).

Thursday, 18 July 2013

Research on Azure WebSite security: Process Execution (cmd.exe, git.exe, node.exe, xyz.exe) and Folder Browsing (outside azure root)

Following the presentation I did a couple of weeks ago at the UK Azure user-group event (http://ukwaug.net/events/security-compliance/), here are my rough notes on my research (done for a couple of hours/days before the event).

Using DotNet_ANSA (see end of post for more info about this tool) I was able to show a number of security issues that exist with Azure Websites.

BUT (Important disclaimer):
  • I was not able to see data from other Azure websites hosted on the same server (since I was limited by the IIS user account used)
  • This happens because of running .NET code under Full Trust (which is the default in most ASP.NET apps, since partial trust is dead now)
  • Although this is nothing new, I was surprised by the number of ASP.NET Azure specialists that were not aware that it was possible to (for example) browse files/folders outside the allocated folder and start new processes on the azure server
  • These are ‘Security Issues’ and ‘Areas of concern’ for Azure (and other) deployed websites.
  • These are not ‘Security Vulnerabilities’ since they happen by ‘design’
  • The key is to make sure that all parties understand that this is possible (namely remove process execution on cloud/hosted services)
  • I didn’t upload any exploits or metasploit-like tools (since that would be pushing my Azure testing a bit too far), but as far as I can see, they should work
  • I didn't spend a lot of time on this, and there are a number of other research areas that should be pursued

Wednesday, 17 July 2013

Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?

This post contains an example of a serious security vulnerability that is common on ASP.NET MVC applications.

There are two versions of a Model Binder (CartModelBinder) class shown below, one or both are vulnerable.

Your job is to find out how to exploit them :)

Ideally you should provide your answer/results/proof using UnitTests :)

Note 1: The vulnerability shown in this post is a variation of a real-world vulnerability that I helped to find a couple of weeks ago (at a UK-based financial services company).

Note 2: I’m yet to look at/review/see a large MVC application that doesn’t have similar vulnerabilities (on both ASP.NET MVC or Spring MVC).

Note 3: the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as a ‘real-world application’ example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0 and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).

Tuesday, 16 July 2013

Code Club - Video with Scratch Games created by the Kids I was teaching at a local school

For the last couple of months (May till June 2013) I have been running a Code Club session at my daughter's school.

Every Wednesday at 3:30pm, I went there for 1h and taught 14 kids (Y3 till Y6) how to program in Scratch (with a brave one doing some Python).

To wrap up the year, we did a presentation to the Key Stage 2 assembly, where we presented the video below (to show some examples of their efforts and creativity):

Saturday, 29 June 2013

Insanely Simple book: Great view into Steve Jobs' quest for simple solutions

I just read Insanely Simple: The Obsession That Drives Apple's Success and was really inspired by its peek into Steve Jobs' mind.

What is really great about the book (and author) is how it shows the decision making process behind Steve/Apple's success.

The key message is how Simple and well-designed products/solutions are a result of a relentless and uncompromising focus on Simplicity.

Writing REPL scripts on side-by-side Chrome and IE

Following the Chrome-Hijacking posts, I’m starting to convert the WatiN Extension methods into ChromeDriver, and to do so I needed to execute requests side-by-side (to test the APIs and to be able to write UnitTests for them).

To do that (side-by-side Chrome and IE execution) I wrote this script:

Tuesday, 25 June 2013

CodingLab Library at Union Jacks in Chiswick

After talking about the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road with Ed (Chiswick's Union Jack manager), I'm happy to say that he embraced the idea and gave us a nice (prime-location) shelf downstairs to hold the first batch of Library books :)

This means that if you want to learn about:
  • Scratch
  • RaspberryPI
  • Arduino
  • BeagleBone
  • Python
  • Linux
  • and others (OWASP, Android, Robotics)
... just pop into Union Jack, grab a drink and take a look at one of the available books:

Review of first CodeClub meetup in Chiswick (24th Jun 2013), with Scratch and RaspberryPI 'coding stations'

Following the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road idea and the creation of CodingLab, I organised a Code Club meetup at Chiswick's Union Jack which had a nice crowd and vibe.

Here are some pictures of this event and set-up:

Saturday, 22 June 2013

PoC of Auto-Screenshot of Hijacked Notepad main Window

On the topic of Window-Hijacking, here is a PoC that:
  • creates a GUI with two Panels (left and right)
  • starts a new notepad process
  • hijacks its main window into the left panel
  • takes a screenshot of the captured Notepad window every 100ms
  • checks if the screenshot is different from the last one, and if it is:
    • shows the screenshot of the hijacked Notepad window in the right panel (inside a PictureBox)
Here is the code:

Using WebStorm with Chrome and ChromeDriver (to view KarmaJS execution results)

Following from the example described in When the best way to automate Chrome is to use ... Chrome, here is a more practical scenario where I’m creating a GUI that has both WebStorm and Chrome running side-by-side.

Here is what it looks like:

When the best way to automate Chrome is to use ... Chrome (with examples on Google search, direct AngularJS scope manipulation and ChromeDriver javascript access)

On the topic of Web Automation, I always wanted to have a REPL environment for Chrome like I have for IE (using Watin).

In the past I have explored multiple solutions, for example the use of CefSharp (see here and here). But that was never the real thing, and there were always a couple of issues (caused by the fact that the ‘real’ Chrome wasn't being used).

For a while, in the back of my mind the solution was simple and obvious: use the real Chrome process in a way that it can be programmatically accessed from O2’s C# REPL environment!

Well, the good news is that is exactly what I have done :)

I just created the GUI you can see below, which uses the Window-Hijacking technique to inject a (Selenium ChromeDriver-started) Chrome process' window into a Panel, and pass its reference (as a variable) to an O2 REPL environment.

Thursday, 20 June 2013

Adding KarmaJS support to WebStorm to automagically run tests on file changes (and test UI with SublimeText, Chrome and Cmd.exe)

On the AngularJs and KarmaJS theme (see A small AngularJS Jasmine test executed by KarmaJS and the related posts linked at the bottom), here is my first attempt at using Karma to test AngularJS code inside TeamMentor.

I’m using WebStorm instead of VisualStudio, since for JavaScript coding WebStorm is MUCH better/faster/cleverer, especially since it has good support for AngularJS and Jasmine (with KarmaJS support easily added, as we are about to see).

Also shown below is a cool tool I created that hijacks windows from SublimeText, Chrome and Cmd.exe into the same UI (an O2 Platform .NET Script).

Here is the directory structure:

A small AngularJS Jasmine test executed by KarmaJS

When I try to understand how a particular technology works I always like to create a simple test case with a small number of moving parts.

This post shows such an example for an AngularJS page, a Jasmine test, a NodeJS web server and a KarmaJS execution cycle.

The files used/customised were based on the KarmaJS test/e2e/angular-scenario example:

KarmaJS AngularJS Scenario Test Runner execution variations in IE 7,8,9 and 10 when using AngularJS

While trying to get Karma JS to work, I found a number of different behaviours for its AngularJS Scenario Test Runner in IE’s multiple 'compatibility modes'.

TLDR: some of the Jasmine and AngularJS test APIs don't work (although Angular itself does seem to work ok).

Here is the default web page I was using:

If AngularJS doesn’t work on your O2 Platform IE scripts (the fix is to change browser compatibility mode)

If when trying to open an AngularJS page inside an O2 Platform script, you see:


... this means that the IE browser embedded in that .NET process is set to run under IE 7.

Wednesday, 19 June 2013

Debugging a weird case of missing module in AngularJS and KarmaJS

When I was trying the Running KarmaJS’s AngularJS example test/e2e/angular-scenario (on Chrome) I hit the following weird behaviour.

TLDR: the solution was to run npm install -g karma@canary

Running KarmaJS’s AngularJS example test/e2e/angular-scenario (on Chrome)

To learn and get an idea of how Karma (the 'Spectacular Test Runner for JavaScript') works, and how it can be used to create browser automation tests, here are the steps I took to get the test/e2e/angular-scenario example to work.

It all started with a clone of: git@github.com:karma-runner/karma.git

Sunday, 16 June 2013

Trying to run HuBot (and being stuck on ‘ERROR XMPP authentication failure’)

Sitting in a Starbucks on a Saturday morning (after dropping the kids off at PSSA) it felt like a good time to try HuBot (repo is here).

Since I already had NodeJS installed on my test VM, I started with the Deploying Hubot onto Windows instructions:

Using Jabber-net to talk to OpenFire

After Installing Ignite’s OpenFire and Spark (IM server and client), using Jabber-Net, I wrote an O2 Platform C# script to access OpenFire, which will:
  • Connect to a local OpenFire server
  • Login as a user
  • Find the HuBot room
  • Join that room
  • Post public messages to it
(see end of post for the source code)

NDepend Query to visualize call flows

After installing NDepend and writing a first simple CQL query, it was time to try something more interesting, namely a query that could help me write rules to find security vulnerabilities like SQL Injection.

So I decided to write a rule to find the call flows into/from a particular method, i.e. ‘who calls this method and whom does it call?’

With NDepend enabled on the source code of TeamMentor/Master, I opened a class and chose this option:

Customizing my first NDepend CQL rule (Potentially dead Methods)

After Installing NDepend, I was looking at the rules execution result for TeamMentor/Master and saw a result of 21 Potentially dead methods:

Installing NDepend

After a nice correspondence with NDepend’s Patrick Smacchia, who offered me a license in exchange for some blog posts on how I used it, here is my first one, covering the installation and first run.

If you don't know about NDepend, here are some references:

Trying DevExpress (install and uninstall)

Since I'm still not 100% happy with ReSharper's performance and system impact, I just tried CodeRush from DevExpress.

The rest of this post shows how I installed, used and uninstalled CodeRush.

Friday, 14 June 2013

AngularJS code editor using UI-Bootstrap and CodeMirror (done without using jQuery)

I’m adding a number of AngularJS views to TeamMentor, and here is a simple HTML based source code editor inspired by the How to Integrate Codemirror With Angular UI post and the ui-codemirror repository.

In the end, these are the APIs I used:

And this is what it looks like:

Gource Visualisation of "TeamMentor Git Development - 18 Months in 180 Seconds"

Here is a pretty cool video of 18 months of Git commits, created with Gource, a software version control visualization tool.

Try to see it in full screen and at 1024p HD quality:

Wednesday, 12 June 2013

More TeamMentor UI Javascript trace and debug views

On the topic of TeamMentor UI debug helpers (see Opening up TeamMentor’s Javascript Trace Viewer which hooks TM method calls) here are a couple of other useful options:

Opening up TeamMentor’s Javascript Trace Viewer which hooks TM method calls

If you are trying to debug (or understand) the TeamMentor’s Javascript layer, there are a number of debugging tools and options (in the /Javascript/TM/Settings.js file) that might help you:

Tuesday, 11 June 2013

Trying out NCrunch

Intrigued by Kofi’s NCrunch and TeamMentor post, and since today I had to write a number of Unit Tests, I decided to give NCrunch a test drive.

I downloaded the MSI, the install was smooth and next time I opened up VisualStudio there was a new NCrunch menu available:

Changing the way User Sessions are handled by TeamMentor (will be 3.3 Release HotFix 3)

One feature we introduced in TeamMentor 3.3 was the limitation of only allowing one user session to be active at any given time.

This had the nice side effect of 'preventing user account reuse'.

In practice, this meant that TM users had to stop using shared accounts (like the admin account), which was a good thing.

But it created nasty side effects, where a user can only be logged in once across all their devices. An even worse side effect happened when we implemented an SSO solution for a client and realized that, for the cases where one SSO token was shared across multiple users, we would have to create a TM account per user session!

So we went back to the Concurrent Logins Have Broken issue, reopened it and changed its priority to P0 (which means that this will be another 3.3 HotFix).

The rest of this post shows the workflow I took when making the 3.3 HotFix #3 code changes, testing them and pushing the new version to GitHub.

Fixing a couple bugs and pushing new TeamMentor 3.4 Dev Version (from 4 to 5)

This post shows one way to use GitHub to update the main development branch of TeamMentor.

At the moment the TeamMentor/Dev repo is at version 3.3 – Dev 4.

The day CodingLab.org was born

After brainstorming about the idea of an 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road with Sarah (my wife), she came up with the name Coding Lab, as a better way to present the concept to local venues (with the added idea of doing regular/monthly lab sessions there).

So I:
and voila, here is the very first version of: http://CodingLab.org

Creating TeamMentor release 3.3.2 (3.2 version with HotFix 2)

Now that the two P0 issues are marked as fixed (after a round of QA):

Monday, 10 June 2013

'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road

Yesterday I 'dropped' 10 Python books at a friend's kids' house with a 'take a look at these books and pick one that makes sense to you' workflow (they are trying to use a RaspberryPi and learn how to code in Python).

Later that day one of the kids asked me '... can we keep two?..' , which is always a good sign :)

This got me thinking that some of my books (I have a lot of them) deserve to be shared with more kids :)

Maybe I could have them 'somewhere' on the local Chiswick High Road (West London) as a kind of 'Public Geek Library' for kids (and adults).

This could also be a great location to put information about CodeClub and examples of what I'm creating with the kids that I am teaching every Wednesday.

Sunday, 9 June 2013

Installing Ignite’s OpenFire and Spark (IM server and client)

When testing HuBot, I needed an IM server and client.

Since the HuBot install article that I was following recommended OpenFire and Spark, I decided to give them a test drive.

Here is how I installed and set it up on a local VM.

The first step was to get OpenFire from Ignite's website:

A constant source of confusion: Simplicity

From this reddit thread I found the really interesting and thought-provoking (long) post A constant source of confusion: Simplicity.

Simplicity is a topic that really matters to me, and is something that I always try to achieve when writing code or creating APIs (like the ones in the O2 Platform, FluentSharp or TeamMentor).

That post has some great references, which are well worth a read:

Saturday, 8 June 2013

What is Privacy all about? ... it's about 'not being surprised'

Privacy is one of those subjective topics that is hard to talk about, because everybody seems to have a different definition of it (which depends on culture, personal experience, current/past jobs and state of mind).

Recently I found a Seth Godin post (while reading Whatcha Gonna Do with That Duck? in the toilet) which really provided a great explanation of privacy.

The post happens to also be online (People don't truly care about privacy) and here is the key part: