Saturday, 27 December 2014

Updated FluentNode's description (now aligned with Functional Programming)

You can see it at https://github.com/o2platform/FluentNode and it looks like this:


There is also a new documentation site at http://o2platform.com/fluentnode

Please take these for a test drive and let me know what you think of it

Tuesday, 9 December 2014

Node + Chrome TDD test environment (finally got it to work)

In the past 3 months I've spent countless hours (and a good number of weekends) trying to figure out a way to better TDD node and JS, and finally I got it to work:


Monday, 1 December 2014

Node-Webkit REPL with support for Chrome's WebDriver

I needed to write some Selenium WebDriver scripts and since I couldn't find a good REPL for it, I wrote this one in the last couple of days:

I'm actually really happy with how it turned out:


See https://github.com/o2platform/webkit-repl  for the execution instructions, the code and more screenshots

This UI is based on https://github.com/rogerwang/node-webkit and the selenium/webdriver integration is provided by https://github.com/admc/wd

Sunday, 23 November 2014

Chrome OS is now running under a 64 bit CPU

While following the Node and NPM on Chromebook (Chrome OS) blog on how to set up Node, I had the same problem as some of the users that posted a comment. I was getting a 'cannot execute binary file' error when trying to run the downloaded binary files from Archlinux.

This can be confirmed by running uname -m (one of the ways to check if a Linux OS is 32-bit or 64-bit), which should return x86_64.

This means that the links provided in that post should be changed from:

Running git, node, python,make and levelgraph on Chrome OS (inside a ChromeBook)

After creating the Chrome REPL extension, I was curious if it would run under Chrome OS and ChromeBook. To try it out, I was able to get my hands on a Dell ChromeBook 11, and it was nice to see that it worked perfectly.

While using the ChromeBook I was thinking that if I was able to run (tools like) git, node and LevelGraph (which is needed for my current dev focus at SI: TM_Graph_DB) I would have a really portable development environment (especially for running longish batches of Unit Tests).

After a bit of Linux fiddling, I was able to get it working and here is a screenshot of the final result:

Friday, 21 November 2014

Chrome REPL (first O2 Platform Chrome Extension)

I was doing some browser automation and it was driving me crazy that I was not able to easily write code directly in Chrome. Basically what I needed was a Chrome REPL, and since after looking for one I couldn't find one that suited my needs, I decided to write one :)

It was quite easy to write (about 1 day's work) since Chrome is quite an easy platform to develop for.

You can get this extension from the Chrome Web Store or from the Chrome-REPL Github repo (you can install from the code if you enable 'developer mode')

Here is how to install it from the Web Store and run a couple of the provided test scripts

Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply

---------

Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend using any of the ESAPI libraries, especially the .NET one, since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which when used in secure ways, do provide a lot of security (for example Razor now encodes by default which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.

FluentNode API - please help

I've been working on a Fluent API for node which you can get from https://www.npmjs.org/package/fluentnode

It is basically a large number of JS prototype functions (written in coffee-script) which try to simplify node development, improve developer productivity and make the code more readable.

It's still early days, but there are already a good number of APIs in there (and all are covered by UnitTests)

I would love to get some feedback on the current APIs (and other APIs to add)

Reddit thread

Monday, 1 September 2014

O2Platform question on 'Interactive development with Visual Studio'

Here is a reply I posted today to the O2 Platform Mailing list regarding a question about 'How to use O2 inside VisualStudio and WPF support' (with lots of links to code samples and blog posts)



Hi Chris, I'm glad you found the O2 Platform, especially since it looks like it already has the main features you are looking for :)

The key concept used across the main O2 Platform (and FluentSharp) APIs is the REPL (Read Eval Print Loop), which should be very familiar to you (btw you can run .Net's version of Lisp via this O2 script: Util - Clojure-clr REPL (Lisp).h2)

Saturday, 23 August 2014

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1 , please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16Mb O2_Platform_5.5_RC1.zip ,  unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this Interview on the Interweb which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most comments are still relevant today (Oct 2014)

Here is an extract of the interview I did with Stephen Northcutt on June 11th 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here and embedded below is a presentation that I did in 2007 at a SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned in that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed at how little progress we have made in Application Security over the past 7 years)
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up one of my laptops a bit and I found these 6 code snippets that (I think) we used for one of the conferences I participated in with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ... can you spot the 6 vulnerabilities in the code snippets below? (some of these are from HacmeBank v2):

Monday, 4 August 2014

The 4 components of the new TeamMentor 4.0 design (and IE support)

Thinking about the new TeamMentor 4.0 design from a technical, implementation and shipping point of view, there are 4 kinda-separate parts of the new design.

1) the 4.0 look and feel + basic use (simple navigation, basic search and article viewing)
2) the 4.0 ' search driven functionality'
3) the 4.0 design with full article (and library / metadata) editing capabilities
4) the 4.0 design on TBot/Admin features

For the 1st one, we should aim to have a fully backwards-compatible version of TM. Note that this version would also be the 'TM Mobile' version (i.e. the default way to consume TM on a mobile, or in a small window space like what we get inside an IDE plugin (bootstrap has a 'responsive, mobile first fluid grid system' which makes this easier))

For the 2nd, this is where the main UE and UI thinking/experimentation needs to occur.

Search feedback loop and other TeamMentor 4.0 Search related topics

While thinking and researching how to do the search on TeamMentor 4.0 (next version of TM), the key workflows that I kept coming back to are:
  • need to have a feedback loop on the search results (this is really what makes Google Google), which can be captured: 
    • explicitly: via the user clicking on the + or - sign close to each search result
    • implicitly: via detecting which search result the user clicks (and which rank that result had)
    • by mapping: where the user (or TM admin/editor) is able to provide feedback on a particular search. For example saying that the search results for 'X' should be the search results for 'Y'
  • need to learn: this is connected to the feedback loop mentioned above and is based on the idea that the TM search results should become better with time
  • need to start collecting data as soon as possible (ideally leveraging the current hundreds or thousands of Application Security searches SI employees already do every day)
  • need to explain how we calculated a particular search result (of course this needs to be hidden from normal users (unless they want to see it), but we really need to show TM Editors/Admins the logic behind the search formula (and data) used to create those results, and reach the conclusion that 'article X' should be shown before 'article Y' (or folder/view/category 'X' should be shown before folder/view/category 'Y'))
  • Provide links to other search engines and application security websites (like Google, StackOverflow, OWASP, Wikipedia, etc...). This would allow us to make the case 'first search in TM and then go into Google' (I think Google used to do this with other search engines (in a long distant past)):
    • In fact, this could also allow us to 'fix' Google queries, since we could say "Hey you searched for XSS but what you probably want (from Google) is 'How to fix XSS vulnerabilities in .NET'" (assuming we had detected that that user was looking at .NET results)
  • Provide recommended searches based on past searches: the typical "users that searched/bought this item also searched/bought these ones"

Thursday, 31 July 2014

FluentSharp July 2014 Update - Better README.MD page, list of issues to help and NuGet Packages

I just cleaned up the main FluentSharp README.md file (with lots of info) and added a number of issues to:
Please take a look and see which ones you would like to solve :)

As you can see by the commit activity (graphs/contributors and commits/master) there have been quite a number of API updates and fixes (for example there is quite a lot of great new stuff on the WatiN IE Web Automation front, including native support for Cassini).

Although I have not created a separate O2 Platform exe release, you can already get all the APIs from the NuGet packages:


Friday, 18 July 2014

Wednesday, 16 July 2014

From NUnit AppDomain, accessing properties and invoking methods on 'Serializable MarshalByRefObject TeamMentor objects' (hosted on Cassini's AppDomain)

After How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance) it was time to start accessing internal TeamMentor objects from the NUnit AppDomain.

The main change I did was to add the [Serializable] attribute and the MarshalByRefObject base class to the TeamMentor (TM) objects that I want to consume (i.e. access data and invoke methods) from NUnit tests.

Here is an example of what it looks like in one of the main TM's data classes:
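The TM data class itself is not reproduced on this page, so here is an added example (not TeamMentor's code) that shows the difference the two changes make when an object is reached from another AppDomain: a [Serializable] class crosses the boundary as a copy, while a MarshalByRefObject stays in its own domain and the caller talks to a proxy. The class names and the "TM_Site" domain name are invented stand-ins for the TM objects and the Cassini AppDomain; the example assumes the .NET Framework (AppDomain.CreateDomain is not available on .NET Core).

```csharp
using System;

// Added example, not TeamMentor code. A data class that crosses the AppDomain
// boundary by value: a serialized copy is created in the caller's domain.
[Serializable]
public class TM_Config_Example
{
    public string SiteName = "default";
    public int SessionTimeoutMinutes = 20;
}

// A MarshalByRefObject is never copied: the caller receives a transparent proxy and
// every method or property call executes inside the AppDomain that owns the object.
public class TM_Server_Example : MarshalByRefObject
{
    public TM_Config_Example Config { get; private set; }

    public TM_Server_Example()
    {
        Config = new TM_Config_Example();
    }

    public string DomainName()
    {
        return AppDomain.CurrentDomain.FriendlyName;
    }

    public void SetSiteName(string name)
    {
        Config.SiteName = name;
    }

    public string GetSiteName()
    {
        return Config.SiteName;
    }

    // Returning null disables the remoting lease, so the proxy stays valid for the
    // life of the host domain instead of expiring after the default 5 minutes.
    public override object InitializeLifetimeService()
    {
        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Stands in for the AppDomain that Cassini creates for the hosted website.
        AppDomain siteDomain = AppDomain.CreateDomain("TM_Site");

        // Instantiate the server object inside the other domain; what we hold is a proxy.
        var server = (TM_Server_Example)siteDomain.CreateInstanceAndUnwrap(
            typeof(TM_Server_Example).Assembly.FullName,
            typeof(TM_Server_Example).FullName);

        Console.WriteLine("test runs in:   " + AppDomain.CurrentDomain.FriendlyName);
        Console.WriteLine("server runs in: " + server.DomainName());   // TM_Site

        // Method calls on the proxy change state in the remote domain ...
        server.SetSiteName("edited-from-test");
        Console.WriteLine("remote value:   " + server.GetSiteName());  // edited-from-test

        // ... but a [Serializable] object returned through the proxy is a by-value copy:
        // editing it changes only the local copy. That is why edits to TM state have to
        // go through methods on the MarshalByRefObject.
        TM_Config_Example localCopy = server.Config;
        localCopy.SiteName = "local-only";
        Console.WriteLine("remote value:   " + server.GetSiteName());  // still edited-from-test

        AppDomain.Unload(siteDomain);
    }
}
```

The practical consequence for the NUnit tests: anything the test needs to read can be a [Serializable] snapshot, but anything the test needs to change in the live website must be exposed as a method (or property setter) on a MarshalByRefObject, otherwise the change silently lands in the test's copy and not in TM.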

Tuesday, 15 July 2014

How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance)

A question I received after posting The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain was 'Ok, that is interesting, but how fast is it?'

That is actually one of the 'THE' key questions, since if we want to be able to create NUnit tests that use newly created Cassini-driven websites (i.e. a new Cassini server per test or test class) they have to be fast.

Ok, so how 'fast' is fast?

Well, in my book, that is either less than 1 second (for quick tests) or 10 seconds (for more complex setups).

More than that, and it is not practical to run those tests from NCrunch (or even manually via Resharper/NUnit-GUIs)

The good news is that (as you can see below), I was able to execute an 'NUnit-Cassini-driven' test in:
  • 6 sec: via NCrunch (consuming a TM instance with 0 libraries)
  • 7 sec: via ReSharper (consuming a TM instance with 3 libraries)

The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain

As you can see at the end of How to debug a Cassini-hosted website and the UnitTest that uses WatiN to automate that hosted website, although I was now able to start Cassini in the current NUnit process, I was still not able to have direct/native access to the running objects of that website.

Basically what I wanted was to be able to programmatically access the live TeamMentor (TM) objects from an NUnit test (note that both are running on separate AppDomains).

Not only would this make some of the tests I want to write possible, it would allow me to set up specific test environments much faster (for example cases when I need a number of users to already exist in TM).

The key problem is that after starting the 'TM website running inside Cassini, triggered from the NUnit test' I was left with two AppDomains:
  • The NUnit AppDomain running the NUnit Test and the Cassini Server
  • The Cassini AppDomain running the TM website
In practice what I wanted to do was to be able to access and edit one of TM's objects (for example TeamMentor.Schemas.TM_Config) from the NUnit test.

And that is exactly what I was able to do :)

Friday, 11 July 2014

How to debug a Cassini-hosted website and the UnitTest that uses WatiN to automate that hosted website

One of the cool new capabilities that I'm using when writing QA Automation scripts for the latest version of TeamMentor is the https://www.nuget.org/packages/FluentSharp.CassiniDev package, which allows the execution of an 'in memory' version of Cassini (hosting the full TeamMentor website) in the same process as the Unit Test driving the IE automation of the hosted website (using FluentSharp.WatiN)

In practice, what this means is that the UnitTests are being executed in the same process as the main TeamMentor Website. This is something that I have been wanting to have for ages, and the key capability I gained from it was the ability to debug both the live website and the UnitTest in the same session.

Let's see it in action.

Using WatiN and Embedded Cassini to run complex TeamMentor Automation (Create and Delete a Library)

Here is a QA Automation script I created today which performs a number of Integration Tests on the new version of TeamMentor.

These are the main moving parts (of the QA Environment and script):
  • Using an embedded WatiN IE window inside a WinForms window to drive Cassini hosting a .NET 4.5 website (this 'popupWindow' was actually opened from a UnitTest :) )
  • Driving the IE browser using  a number of FluentSharp ExtensionMethods
  • Number of waits for links to exist (needed due to the Ajax nature of TeamMentor)
  • When needed, directly query javascript variables ('window.TM.WebServices.Data.AllLibraries.length') and invoke core TM Javascript APIs ('window.TM.Gui.LibraryTree.remove_Library_from_Database')  
  • Use of Lambda methods to create a basic TM API (login, logout, open xyz page, trigger complex workflows, etc...)
Here is what this test QA environment looks like:

Friday, 20 June 2014

Please come and play with the OWASP Band AppSec EU at the CB2 (Tuesday 24th,7pm)

Next week the OWASP Band is getting back together and as always we need players. 

So, if you are coming to the conference (or are in the area), please let me know (ASAP) what instrument you can play, and I'm sure we can find a way to make it work.

Due to Adrian's relentless efforts there is a full PA + Amps + Guitar + Bass + Keyboard + Drums available, what we now need is players :)

The show starts at 7pm and we will do the soundcheck (i.e. the rehearsal) from 5pm.

The venue is the CB2 (http://www.cb2bistro.com/contact.html) which is just walking distance from the main conference location:

Sunday, 1 June 2014

Bypassing asp.net request validation detection, but is it a vulnerability?

Defence in Depth is a good strategy, especially since part of its core principles is the idea that some of the security measures applied will fail. The problem with NOT doing defence-in-depth coding is that if there is a way to bypass the security control, then the app can be exploited.

Asp.NET Request Validation is one of those security measures that can sometimes backfire, since it can be used instead of output encoding (in context) of the data shown to users (i.e. there is a false sense of security provided by the use of that 'outside-of-the-application security filter').

But since fixing vulnerabilities has a real cost, one must be able to make the business case for the fix (i.e. show that there is a significant risk for the target application).

For example, do you think that the following scenario is a 'real vulnerability' (which should be fixed)?
  • Asp.net website has Request Validation Enabled
  • There is a page with a reflected XSS (quasi)vulnerability
  • There is a bypass for the Request Validation that only works in IE
  • On the scenario where Request Validation can be bypassed (in IE) the same IE version is able to detect it via its current Anti-XSS detection (and disable the payload)
This is one of those cases where although there is a 'vulnerable' page, the number of affected users is very small, so the interesting question is: is there a business case to fix the vulnerability?

I think a more interesting (and relevant) question is: Is this a one-off vuln, or are there other XSS vulnerabilities in that website, especially persistent XSS vulns?
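To make the 'filter on input vs encode on output' point concrete, here is an added example (not code from the post) that renders the same untrusted value into three output contexts, once by raw concatenation and once with context-specific encoding from System.Web.HttpUtility. The two payloads are constructed for the example: the first has the shape Request Validation rejects; the second contains no '<' or '&#' sequence, so Request Validation lets it through, yet it breaks out of a JavaScript string literal when concatenated unencoded. This is why a Request Validation bypass on a page that does not encode is a real XSS, while on a page that encodes per context the bypass changes nothing.

```csharp
using System;
using System.Web;   // System.Web.dll: HttpUtility (.NET Framework 4.x, ASP.NET)

// Added example, not the post's code. Request Validation inspects the incoming request
// for a fixed set of patterns; it does not know where the value ends up, so the page
// still has to encode for the context it writes into.
public static class OutputEncodingExample
{
    // Vulnerable: raw concatenation, relying entirely on an upstream filter
    // (such as Request Validation) having rejected anything dangerous.
    public static string RenderUnsafe(string untrusted)
    {
        return "<div title=\"" + untrusted + "\">" + untrusted + "</div>"
             + "<script>var q = '" + untrusted + "';</script>";
    }

    // Defence in depth: encode at the point of output, per context.
    public static string RenderSafe(string untrusted)
    {
        string inAttribute = HttpUtility.HtmlAttributeEncode(untrusted);   // "..." attribute
        string inBody      = HttpUtility.HtmlEncode(untrusted);            // element text
        string inJs        = HttpUtility.JavaScriptStringEncode(untrusted); // JS string literal
        return "<div title=\"" + inAttribute + "\">" + inBody + "</div>"
             + "<script>var q = '" + inJs + "';</script>";
    }

    public static void Main()
    {
        // Constructed payloads for the example.
        string[] payloads =
        {
            "<script>alert(1)</script>",      // rejected by Request Validation ('<' + letter)
            "';alert(document.domain);//"     // passes Request Validation, breaks the JS string
        };
        foreach (string p in payloads)
        {
            Console.WriteLine("payload : " + p);
            Console.WriteLine("unsafe  : " + RenderUnsafe(p));
            Console.WriteLine("safe    : " + RenderSafe(p));
            Console.WriteLine();
        }
    }
}
```

Razor's @ syntax applies the HtmlEncode step automatically for the HTML body context, but a value written inside a script block or an event-handler attribute still needs the JavaScript encoding shown above; that is the gap a Request Validation bypass (IE-only or not) exposes.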

Friday, 30 May 2014

Game to learn how to find XSS Bugs (by Google)

As you can see on https://xss-game.appspot.com and read on Google Launches Game to Teach XSS Bug Discovery Skills , this could be a really interesting way to reach developers.

I will try to give it a test drive and see how easy/hard it is.

I wonder if this could also be used to teach kids about application security (and how fun it can be to break it :)  )

I'm delivering "Writing Secure Java EE Web Applications Training Course" (June 19,20 in London)

Next month I'm teaching a 2 day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course"

As the description mentions (see below), this is going to be a highly interactive course, where I will customise the course depending on the attendees experiences, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I put you in touch with the right guys at JBI)

Here is the blurb I wrote for this delivery:

XSS PoC on Lync 2010 (using C# WebClient, WebBrowser and WatiN)

Today I needed to write an O2 C# script that was able to put an XSS payload in the UserAgent header.

This was to write a PoC for the Microsoft Lync 2010 server which is (quasi)vulnerable to anonymous XSS via the UserAgent header (the payload lands inside a Javascript block).

This is a known and accepted issue, which has been previously reported and accepted by Microsoft and in 2014 is much harder to exploit:

Here are the PoCs I wrote (also on this gist (embedded below))
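The gist is not reproduced on this page, so as an added example (not the author's PoC) here is the generic check behind that kind of PoC: send a harmless marker in the User-Agent header with HttpWebRequest and classify whether the response reflects it unencoded, and whether that reflection lands inside a <script> block (the case the post describes, where breaking out of a JavaScript string gives script execution). The URL is a placeholder to replace with a host you are authorised to test; the marker is constructed for the example and the 0/1/2 classification is this example's own convention.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not the author's gist. Placeholder target; no real host is implied.
public static class UserAgentReflectionCheck
{
    // GET the page with a custom User-Agent; 4xx/5xx bodies are returned too, because
    // error pages are often exactly where request headers get echoed back.
    public static string Fetch(string url, string userAgent)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.UserAgent = userAgent;          // sets the User-Agent request header
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
        catch (WebException ex)
        {
            if (ex.Response == null) throw;     // DNS/connection failure, not an HTTP error
            using (var reader = new StreamReader(ex.Response.GetResponseStream()))
                return reader.ReadToEnd();
        }
    }

    // 0 = marker not reflected verbatim, 1 = reflected in HTML, 2 = reflected inside <script>
    public static int Classify(string html, string marker)
    {
        if (html.IndexOf(marker, StringComparison.Ordinal) < 0)
            return 0;
        foreach (Match m in Regex.Matches(html, "<script[^>]*>(.*?)</script>",
                                          RegexOptions.Singleline | RegexOptions.IgnoreCase))
        {
            if (m.Groups[1].Value.IndexOf(marker, StringComparison.Ordinal) >= 0)
                return 2;
        }
        return 1;
    }

    public static void Main()
    {
        // The marker carries the characters that must be encoded in an HTML or JS string
        // context; if they come back verbatim, output encoding is missing. The random
        // suffix avoids matching text that is already part of the page.
        string marker = "'\"<>uachk" + Guid.NewGuid().ToString("N").Substring(0, 8);
        string url = "https://lync.example.com/";   // placeholder, not a real target
        string html = Fetch(url, "Mozilla/5.0 " + marker);
        switch (Classify(html, marker))
        {
            case 2: Console.WriteLine("User-Agent reflected unencoded INSIDE <script>"); break;
            case 1: Console.WriteLine("User-Agent reflected unencoded in HTML"); break;
            default: Console.WriteLine("User-Agent not reflected unencoded"); break;
        }
    }
}
```

A result of 2 is the interesting one: a value inside a script block is not stopped by the browser's reflected-XSS filters as reliably as a value in the HTML body, and Request Validation never sees headers at all, which is why the post's C# scripts had to set the header themselves rather than go through a form field.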

Thursday, 8 May 2014

Watching google crawl TeamMentor site (10m after blog post)

This is really interesting and telling of Google's crawling speed and updates.

I posted What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor") 10 minutes ago, and while looking at the new 'TM 3.4.1 real-time TeamMentor Activity' viewer, I noticed a number of 404s:

What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor")

(Earlier today I was asked "What are the most compelling use cases for TeamMentor" and here is my answer:)

There are a couple of pages on SI's website that cover some of the common use cases: see here and here

I think the main use-case is in 'answering Developers/Testers questions'

I like to think of the workflow as in "Don't copy and paste from Google, copy and paste from TeamMentor"

For example take a look at the .NET 4.0 library (direct link here) , if you filter by 'Code Example'

Friday, 2 May 2014

Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

(originally posted to the OWASP leaders list)
---------- ---------- ---------- ---------- ---------- ---------- ---------- 

As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job) I'm inviting the world to hack the app I've been working on for the past few years.

You can either do a pure black-box (on https://tm-appsensor.azurewebsites.net ) or look at the source code (clone from https://github.com/TeamMentor/Dev and run locally or in Azure (only needs .NET 4.0, no DB install required))

There is quite a lot of OWASP influence in this release of TeamMentor, from the O2 Platform FluentSharp libraries (which make me a lot more productive as a developer), to the AppSensor-like features (see below) and the multiple OWASP-inspired coding strategies used to keep the app secure (look for example at the ASMX and WCF security tests or the .NET Security Demands).

What is really cool and I'm very excited about, is the first pass at adding AppSensor capabilities to this app. 

Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

TeamMentor (TM) is the project I have been the main developer of for the past couple of years, and as we approach another release (v3.4.1), I would like to invite you all to have a go and hack it (i.e. find security vulnerabilities, report them to us, learn a bit and maybe even get paid or get a job offer :)

TeamMentor is a web-based Security KB with tons of prescriptive security guidance, how-tos and guidelines. It is built on C# .NET 4.0, jQuery with a bit of AngularJS; and you can see it in action at https://www.teammentor.net (you can create an eval account and have access to the entire content for 15 days)

Friday, 11 April 2014

From Azure to Firebase: Could not establish trust relationship for the SSL/TLS secure channel.

UPDATE (16/Apr/2014):  Following a lead from the Firebase Support it looks like the problem could be inside Azure for all SSL, since "https://www.google.pt".GET(); also doesn't work.

Just had a really weird scenario happen to me in the last couple hours, which could be somebody hacking Azure (but I think there is a more benign explanation)

The new version of TeamMentor (currently in 3.4.1 RC0) has a really cool real-time log/activity log viewer which uses Firebase to push data and pull data (from a 'configured TM server' into 'multiple browser-based viewers').

For a while all was good (both locally and in Azure), but in the last couple hours, I noticed that the 'data push' stopped working (i.e. my test version of TM running on Azure was not pushing Activities, DebugMsg and RequestUrls into the assigned Firebase account).

Here is what the viewer looks like (with new messages not being received):

On the unrealistic expectations on OWASP board members, and the 'myth of the OWASP Board member'

Following Michael's original OWASP.next post to the leaders list (regarding his OWASP.next post on the OWASP blog), Dennis replied with a number of examples of rotten leadership which I don't really agree with, and I posted the text below as my reply

For a while I have been saying that putting such 'expectations and requirements' on board members was going to cause a lot of friction and this is just another example of it

I don't actually agree with Dennis's analysis. But the reason I don't agree is not due to the fact that he is correct (or not) in his analysis. My view is that it is completely unrealistic to put such a high level of expectation on OWASP board members, especially in terms of their: behaviour, morals, actions and words. My biggest problem with current/past board members is on lack of action, decisions and delegation of duties :)

Thursday, 10 April 2014

RIP 'Belly Cruz', 12 year old Labrador

Today was a sad day :(

We had to put our 12-year-old 'belly' to 'sleep'

She got hit by a brain tumour a couple weeks ago, which left her without being able to walk and without any quality of life.

But what we have to remember is that she had a great life, full of joy and happiness (although she never managed to catch the squirrel, even after hundreds of attempts).

She was able to keep a mental map of every single plate/pot/pan that had not been licked (yet), and was always super excited to find our house (after going out for a walk).

She will be missed ... our silly dog....

Tuesday, 8 April 2014

OpenSSL Heartbleed Bug (read server side memory anonymously)

Wow, this is a pretty nasty vulnerability:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). 

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
(from http://heartbleed.com/)

See if your website is vulnerable using: http://filippo.io/Heartbleed/ 

PoCs:
References



Monday, 7 April 2014

Published Beta version of "Practical O2 Platform Tools" eBook

After releasing the "Practical AngularJS",  Practical Git and GitHub,  Practical Jni4Net and Practical Eclipse books, here is an equivalent book containing the O2 Platform Tools related blog posts.

This new eBook has 113 pages and is made of 23 blog posts published in the last couple years.

The posts are grouped by topic and represent a number of mini-tools created by the O2 Platform

This eBook is available at https://leanpub.com/Practical_O2Platform

Sunday, 6 April 2014

Monday, 31 March 2014

Published Beta version of "Thoughts on OWASP" eBook

After releasing the "Practical AngularJS",  Practical Git and GitHub,  Practical Jni4Net and Practical Eclipse books, here is an equivalent book containing my OWASP related blog posts.

This new eBook has 165 pages and is made of 67 blog posts published in the last couple years.

The posts are grouped by topic and represent a lot of my thinking about OWASP, the current AppSec industry and other philosophical ideas.

This eBook is available at https://leanpub.com/Thoughts_OWASP

Sunday, 30 March 2014

Programmatically configuring a WCF service without using .config files (using FluentSharp REPL)

This post will show how to consume a WCF service directly, firstly using VisualStudio and secondly using the O2 Platform C# REPL environment.

The VisualStudio example will use the FluentSharp – C# REPL NuGet package (which will also show how to dynamically program the WCF service in a REPL environment)

Part 1) The WCF test service

In VisualStudio start by creating a new WCF Service Library project called WcfServiceLibrary1
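The remaining steps of the post are not on this page, so here is an added example (not the post's code) of the end result the title describes: a WCF service hosted and consumed entirely in code, with no app.config or web.config. The contract, service name, address and port are invented for the example; it assumes the .NET Framework with a reference to System.ServiceModel.dll. This is also the shape that works well in a REPL, since every part of the endpoint is a plain object you can inspect and change.

```csharp
using System;
using System.ServiceModel;

// Added example, not the post's code. Contract and implementation are invented.
[ServiceContract]
public interface IGreetingService
{
    [OperationContract]
    string Greet(string name);
}

public class GreetingService : IGreetingService
{
    public string Greet(string name)
    {
        return "Hello " + name + " from " + Environment.MachineName;
    }
}

public static class WcfNoConfigExample
{
    public static void Main()
    {
        // Hypothetical local address; pick a port that is free on your machine.
        var address = new Uri("http://localhost:8731/GreetingService");

        // Everything that would normally live under <system.serviceModel> in a
        // .config file is created here as objects. BasicHttpBinding with no security
        // is only acceptable for a local test; for anything reachable over a network
        // set binding.Security.Mode (e.g. Transport over https) before opening the host.
        var binding = new BasicHttpBinding();

        // Host side: ServiceHost + one endpoint, no configuration file involved.
        using (var host = new ServiceHost(typeof(GreetingService), address))
        {
            host.AddServiceEndpoint(typeof(IGreetingService), binding, "");
            host.Open();
            Console.WriteLine("Service listening at " + address);

            // Client side: ChannelFactory<T> builds a proxy straight from the contract
            // interface, so no generated 'Service Reference' or client config is needed.
            var factory = new ChannelFactory<IGreetingService>(binding, new EndpointAddress(address));
            IGreetingService proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Greet("O2"));   // Hello O2 from <machine name>

            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

On Windows, http.sys requires a URL reservation before a non-administrator process can listen on an http address, so either run this elevated or reserve the URL first with netsh http add urlacl; that is the usual reason a code-configured ServiceHost.Open() fails with an AddressAccessDeniedException.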

Monday, 24 March 2014

E2E testing AngularJS links and routes using NCrunch, VisualStudio and FluentSharp.WatiN

In order to have real TDD while developing AngularJS inside VisualStudio, I needed a way to write C# Unit Tests that could be executed in the background by NCrunch (i.e. in real-time during coding).

Since I wanted to do E2E (End-to-End) testing of the AngularJS app, I needed either a good mocking environment (like the one provided by KarmaJS/AngularJS Mocks) or the real thing (i.e. actually running the app on a local IIS/Cassini server).

If I have the choice, I always prefer to run my tests without mocking (or with as few Mocks as possible), since that allows for a much more realistic test environment, and promotes much better engineering and coding practices.

This post shows how I created such an environment and provides a couple of examples of C# tests written to check if links created by AngularJS directives and routes are being correctly set.

Sunday, 23 March 2014

Problem with AngularJS ng-view, it doesn’t work when inside a directive

I hit an interesting problem yesterday with AngularJS views. They (the views) were working when clicking on a link, but not working when accessed directly, or when the back button was used (which broke the idea of AngularJS routing, since it is supposed to handle those two key scenarios).

After quite a bit of debugging, I was able to track the problem to the fact that if I placed the ng-view directive inside another directive, the refresh and back button would break (although it would work ok for links and direct browser url manipulation).

What is really nice, is that I was able to use the .NET C# based Unit Test infrastructure to confirm this problem and test for it :)

Thursday, 20 March 2014

Somebody doesn't like me at /r/netsec sub-reddit (updated with moderator's feedback)

UPDATE: this is most likely a misunderstanding on my part, and lack of coffee in the morning (see reddit moderator image at the end of the post):



Again I had a link (this one) removed from http://www.reddit.com/r/netsec which is very weird.

In most (sub)reddits what happens is that the links I (and others) post are given a couple hours to get up-votes and comments. If they don't they get relegated to the archives (i.e. not on the first couple pages) and forever forgotten (which is how it should be).

But /r/netsec is the only one that I actually see the posts 'disappear' from both Hot and New pages, which means that there is somebody out there that probably doesn't like me and is actively blocking those posts.

This is a shame since it should be the community that decides what is interesting and valuable, and in this case the XStream/XmlDecoder/REST issues deserve to be known and fixed.

Updated presentation of 'RESTing On Your Laurels will Get You Pwned' (RSA version)

At the last RSA conference, Abe and Alvaro presented an updated version of the RESTing On Your Laurels will Get You Pwned presentation (originally delivered by me and Abe at DefCon 2013).

Here is the description:
Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
By Abraham Kang, Alvaro Muñoz and Dinis Cruz
In addition to the original demos we did, Alvaro added a nice Metasploit PoC which really should drive home the problem with XStream and XMLDecoder.

Monday, 17 March 2014

Published Beta version of "Practical Eclipse Plugin Development" eBook

After releasing the "Practical AngularJS", Practical Git and GitHub and Practical Jni4Net books, here is an equivalent book containing my Eclipse related blog posts.

This new book has 363 pages and is made of 33 blog posts published in the last 9 months.

As with the first release of the other books, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown; LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Sunday, 16 March 2014

Published Beta version of "Practical Jni4Net" eBook

After releasing "Practical AngularJS" and Practical Git and GitHub, here is an equivalent book containing my Jni4Net related posts.

This new book has 74 pages and is made of 13 blog posts published in the last 16 months.

As with the first release of the other books, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown; LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Saturday, 15 March 2014

Google Location tracking is a step too far for me (but its good they expose it)

Today I was looking at my Google Dashboard 'Account Activity' when I noticed the 'Location Tracking' section, which, once I realised what it really meant, was quite freaky (and Big Brotherish).

The good news is that at least Google exposes this information and provides a way to say 'no please' (which, as you can see below, is exactly what I did).

What would be really good/important is if everybody that currently holds/collects this type of data (from other businesses/startups, telecom companies, GCHQ/NSA/Other-3-letter-gov-agency, XSS infected websites, owners of compromised browsers, etc...) would at least expose the fact that they are collecting and storing it (ideally there would also be a way to opt out).

Another worrying thing that is missing from the Google Dashboard is the mapping of 'who currently has access to this information' and 'who had access to it in the past (both humans and bots)'. This is relevant not just for Location Tracking data, but also for the other types of data/information/knowledge Google stores about me (and you, and your kids).

Of course, the fact that I asked Google not to track this information (and that they don't show it to me anymore) doesn't mean that they are not still capturing it.

Ironically, given the current 'everybody is potentially guilty' mentality of the security agencies today, I bet that asking for the location data NOT to be stored is seen as a 'red flag' and most likely will mean that others WILL indeed start tracking my location (if they are not already).

Friday, 14 March 2014

Interesting validation problem on new user's email, caused by a TLD in caps (and using NCrunch to test it)

While working on this issue and improving the Unit Test coverage of TeamMentor's user creation code, I noticed that:
    a) these emails worked:
    abc@def.ghi , ABC@def.ghi , abc@EDF.ghi
    b) but these ones didn't:
    abc@def.Ghi , abc@def.gHi , abc@def.GHI

Wednesday, 12 March 2014

Managing LeanPub book's Markdown content using Git and GitHub (synced back to LeanPub via DropBox)

The original releases of my Practical AngularJS and Practical Git books were made using LeanPub's DropBox model, which was OK but lacked two massive features: version control and an interface for community interactions.

Inspired by Dennis Groves' idea and workflow described in OWASP Press and using LeanPub with GitHub and DropBox, I was able to use Git and GitHub to track changes to these books.

This means that from now on, not only can I use the GitHub repositories to track/document the changes I make, but you can also submit your ideas/problems directly as GitHub issues and fixes as Pull Requests :)

Here is the GitHub repo for the AngularJS book: https://github.com/DinisCruz/Book_Practical_AngularJS

Here is the GitHub repo for the Git/Hub book: https://github.com/DinisCruz/Book_Practical_Git

For an example of how to use GitHub to submit and fix a content problem, see this issue https://github.com/DinisCruz/Book_Practical_Git/issues/1 which was fixed by this commit https://github.com/DinisCruz/Book_Practical_Git/commit/7c53c396f4209bb2521dccadbfcfbe8c90318ba7

Published Beta version of "Practical Git and GitHub" eBook

After releasing "Practical AngularJS", here is an equivalent book containing my Git and GitHub related posts.

The book has 411 pages and is made of 60 blog posts published in the last 18 months.

As with the first release of the AngularJS book, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown; LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Tuesday, 11 March 2014

Thank you message sent to all readers of the "Practical AngularJS" book

After publishing the Beta version of "Practical AngularJS" Book (in both digital and print format) I was very pleasantly surprised by:
    a) the number of readers who got the book for free
    b) the number of buyers
    c) the general positive kudos of the reddit threads that I started about the book

Using the Leanpub system available at https://leanpub.com/Practical_AngularJS there were 567 downloads/registrations and 24 purchases (which is really great if we take into account that the book is still in an early beta format, and that they 'chose to buy', since the option to get it for free was available).

Sunday, 9 March 2014

Published Beta version of "Practical AngularJS" Book (in both digital and print format)

I just released a book based on the 23 AngularJS posts currently published in this blog (as a public beta).

The articles' HTML was converted by LeanPub into Markdown; LeanPub also created the eBook versions linked below (pdf, mobi, epub and online). The printed version was created at lulu.

At the moment the book can be downloaded for free and the printed version has a small markup (you can also choose to pay for the digital version).

Please take a look and let me know what you think of the structure, font, layout, order, content, voice, idea, etc...

Here are the links to the multiple places you can get the book:
  • eBook (PDF, EPub or MOBI) at Leanpub (I've set the minimum price to zero so you can download it for free)
  • Printed book (Paperback, 163 pages) at Lulu.com
  • Online: LeanPub also publishes the entire book in one long HTML page (note that there are LOTS of images to load on this page)

Sunday, 2 March 2014

Why doesn't Eclipse community stand-up more to IntelliJ?

When I posted a link to my recent Eclipse Groovy script to remove the 'busy' image from the WebBrowser Editor post on reddit, what I hoped would happen was a thread around the idea of 'fixing in real time minor (but very annoying) issues that exist in the IDEs that we use every day'.

After all, there are very few IDE environments that allow that kind of real-time programmatic access to the currently running IDE (which allows the creation of new 'plugin-like functionality' without needing to run an 'IDE dev instance' in the background).

For reference, the reason I took the time to develop the Eclipse Groovy REPL Scripting Environment was because I had done the same with this VisualStudio C# REPL extension, and knew how powerful (and useful) it was to have the ability to 'script the IDE'.

Saturday, 1 March 2014

Programmatically changing an AngularJS scope variable and adding Firebug Lite to an AngularJS app

In this post I'm going to show two really nice tricks that help when developing AngularJS applications:
  • adding Firebug Lite to the current browser
  • changing the scope value outside a normal AngularJS controller, service or module

Let's say that we are inside Eclipse and have this simple AngularJS app (gist here):

Eclipse Groovy script to remove the 'busy' image from the WebBrowser Editor

Now that I'm doing AngularJS and Firebase development inside Eclipse, there was a little 'thing' that was starting to drive me crazy: The animation icon on the top right of the Eclipse WebBrowser!

Apart from the mosaic 2000s look (which is kinda ok), there is a big problem with pages that keep running for a while: the animation doesn't stop!

This means that if you are developing inside Eclipse, there is this 'thing' (i.e. the top-right icon) that keeps moving and demands my brain's attention:

C# example of using Firebase REST API

Once I got my head around how Firebase worked (see here multiple Firebase related posts), my next step was to figure out a way to send data to it from C#, namely from TeamMentor.

To try it out, I used the Web C# REPL that is part of TeamMentor's admin section (which gives me a great interactive environment to quickly test new APIs).

Friday, 28 February 2014

Using AngularJS in Eclipse, Part 4) Create Components

This is the last of four posts on how to run (inside Eclipse) the examples provided in AngularJS's home page:
The example covered in this post is Create Components:

Using AngularJS in Eclipse, Part 3) Wire up a Backend

This is the third of four posts on how to run (inside Eclipse) the examples provided in AngularJS's home page:
The example covered in this post is Wire up a Backend:

Using AngularJS in Eclipse, Part 2) Add Some Control

This is the second of four posts on how to run (inside Eclipse) the examples provided in AngularJS's home page:
The example covered in this post is Add Some Control:

Using AngularJS in Eclipse, Part 1) The Basics

This is the first of four posts on how to run (inside Eclipse) the examples provided in AngularJS's home page:
The example covered in this post is The Basics.

I'm doing this on an OSX laptop and the first step was to download and unzip eclipse-standard-kepler-SR1-macosx-cocoa.tar.gz (the 32-bit version of Eclipse Kepler) into the ~/_Dev/_AngularJS folder.

I fired up Eclipse, chose ~/_Dev/_AngularJS/workspace as the workspace root and installed the Eclipse Groovy REPL Scripting Environment 1.6.0 (update site) and Angular-JS Eclipse Tooling (update site) plugins.

A really SIMPLE and clean AngularJS+Firebase example

As seen in the First PoC of sending TeamMentor's server-side request URLs to Firebase (and seeing it in realtime in an AngularJS page), I created a Simple AngularJS website which I'm very happy with (and I mean Simple with a capital S).

The main reason I really like the solution shown below is because it represents a number of really nice, clean and Simple solutions for common (complex) problems that exist when developing in JavaScript.

The created application is an:
  • AngularJS real-time viewer for HTTP requests,
  • ... made to an ASP.NET web application (TeamMentor),
  • ... captured by a custom C# HttpHandler filter,
  • ... submitted to Firebase using its REST API and
  • ... pushed back to the AngularJS app using open HTML 5 WebSockets.

Eclipse Groovy REPL script to sync a Browser with file changes (with recursive folder search via Java's WatchService)

Since I am using Eclipse to develop using AngularJS (see Creating an Eclipse UI to run AngularJS e2e tests using Karma), I needed a way to refresh the browser window every time I made changes to any AngularJS related file (note that due to the nature of AngularJS projects, I need the refresh to trigger on any change made inside the root folder and all its subfolders).

Since there didn't seem to be an easy way to do this ('auto browser refresh on file changes') in Eclipse, I used the Eclipse Groovy REPL Scripting Environment to develop a script/macro that:
  • Based on the title of an opened Eclipse editor file:
  • ... finds the full path of that file, and:
  • ... creates a Java WatchService that monitors the file's folder and subfolders, and:
  • ... when a StandardWatchEventKinds.ENTRY_MODIFY is received:
    • Creates/Opens a new Eclipse view with a browser (called Synced Browser), and:
    • ... refreshes the index page

Thursday, 27 February 2014

First PoC of sending TeamMentor's server-side request URLs to Firebase (and seeing it in realtime in an AngularJS page)

After getting my head around how Firebase works (see Using Firebase to sync data with a webpage (via Javascript, REST and Firebase Admin panel) and Trying out Firebase (Beta) hosting solution and good example of Firebase Security rules), I really wanted to see how it could work on a key feature that I've been wanting to add to TeamMentor for ages: Realtime viewing of traffic and logs.

And it worked :)

This is really exciting!!! (can you tell :) ), especially since I can see so many great uses of this type of technique and technology in TeamMentor (for example it will allow for a much better understanding of how the content is used, and for better collaboration between its readers (and authors)).

Trying out Firebase (Beta) hosting solution and good example of Firebase Security rules

Since Firebase now offers a Beta hosting service (and I was looking for a quick way to publish one of the Firebase PoCs I'm working on at the moment), I decided to take it for a spin.

I have to say that I'm really impressed with the end result, and as you will see below, the entire process (from install to published website) was really smooth.

Note 1: in the example below I had already created a Firebase app to hold the data (see Using Firebase to sync data with a webpage (via Javascript, REST and Firebase Admin panel) for details on how to create one)

Note 2: at the time I wrote this post, the website created is/was (depending on when you are reading this) hosted at https://tm-admin-test.firebaseapp.com/

Starting with the instructions from Firebase hosting page:

Tuesday, 25 February 2014

XSS considerations when developing with Firebase

Following my previous post on Using Firebase to sync data with a webpage (via Javascript, REST and Firebase Admin panel), here are a couple of security notes and 'areas of concern' that should be taken into account when developing real-time apps with Firebase:
  • Firebase will reflect any payloads sent to it
  • We are talking about DOM based XSS
  • The current browsers' XSS protection does not protect against DOM based XSS
  • It is very easy to create a vulnerability (as you will see below, all it takes is a simple change from .text() to .html())
    • If powerful DOM based API-manipulation frameworks are used (like jQuery), there are many more injection points (sinks)
  • By nature of Firebase applications, the XSS exploit will have wormable capabilities (i.e. it will be able to distribute and self-propagate itself VERY quickly)
  • Current static-analysis tools will struggle to pick up this type of vulns
Note: I think (and I will want to double check this) that it is safe (i.e. OK) to put received Firebase data/payloads in an AngularJS auto-bound location/variable (for example {{name}} : {{message}})

Let's use the chat application provided by Firebase to see this in action (note that, as you will see below, the chat application as provided by Firebase is secure and not exploitable).

Using Firebase to sync data with a webpage (via Javascript, REST and Firebase Admin panel)

If you haven't seen Anant Narayanan's presentation at the AngularJS conference called Building realtime apps with Firebase and AngularJS, you are missing something good.

Firebase really seems to fix one of the pain points that I currently have in client-server development, which is how to send/synchronise data across multiple clients (including the server).

I first heard about Firebase from the Wire up a Backend example that can be found at http://angularjs.org, and today I was able to give it a test drive (since I want to use it on the AngularJS front-ends that I'm currently developing for TeamMentor).

Monday, 24 February 2014

Creating an Eclipse UI to run AngularJS e2e tests using Karma

This post shows how I created a nice set of views in Eclipse to quickly see the execution result of AngularJS e2e (end-to-end) tests, without leaving the Eclipse UI.

The image below shows this UI in action, where:
  • The source code of the test is shown in the Eclipse Java editor
  • Just below is the console output of the Karma runner (which is detecting file changes)
  • On the top-right is the hooked browser (i.e. the one that will run the tests)
  • On the middle-right is the simple AngularJS Hello World page
  • On the bottom-right is the debug view of the hooked browser (which is what you get if you click on the Debug Button included on the top-right page)

Thursday, 20 February 2014

Example of DOM XSS in WebSocket.org echo demo page (that bypasses Chrome's XSS detection)

I was looking at WebSockets today (because of their use in Firebase, which is used in one of the AngularJS samples), and noticed a DOM XSS example on the WebSocket echo page, which is used as an example of how to use WebSockets (I found that page from this article: Inspecting WebSocket Traffic with Chrome Developer Tools).

For the historical record (and to reuse them in a JavaScript SAST) I've copied the current (vulnerable) version of the HTML and JS provided to this gist.

Code samples (like these) should not be provided with these types of security vulnerabilities, since they should represent best practices.

Especially when we know that the normal developer workflow is to start with copy-n-pastes from these types of examples (note how that page, as of Feb 2014, has no references to security).

Let's see the vulnerability in action.

Monday, 10 February 2014

Removing broken links from TeamMentor Articles using C# REPL and HtmlAgilityPack

After creating and using the TeamMentor TBot page to delete articles based on list of Guids, the next action is to clean up and fix the links to the articles we removed.

Note that this is not a simple task, since there are multiple cases where the links are inside <li> tags (with or without text) which will also need to be removed (there was also a problem caused by the fact that the <li> tags were not correctly normalised, as you will see below).

I used the TM Link Status tool since it provides a nice analysis of what needs to be fixed, including REPL environments to script the objects created during the 'link analysis' phase.

Here is the workflow I followed, including some of the problems I had to solve along the way:

Reverting changes made to TeamMentor articles

The problem was simple: there were a number of commits made to a TeamMentor GitHub repo that I wanted to completely reverse (without re-writing history).

For reference, this happened when I was doing some 'Link fixing' tests on a server that was configured to auto-commit to GitHub (which meant that the option to do a pure git reset --hard was not available, since it would break the TM server).

In this case, the last good commit was e794cc839689dfc7915099d39972abde643a969d and the last bad commit was c53002083e85673f9a4dd7e6dbd2a37bc7ff9e2f (currently HEAD of master)

My first idea was to just do a git revert to the e794cc839689dfc7915099d39972abde643a969d which worked ok locally.

But I struggled to merge it with the master HEAD, because git was being too clever: since it realised that these two commits were compatible, it just fast-forwarded to the most recent one (vs doing a 'reverse merge').

Monday, 3 February 2014

Just added Flattr to this blog (I wonder how much Flattrs I will get?)

After Just Signed up for Flattr, what do you think of it? I decided to give it a try on this blog, since after all I'm also a content creator (and have recently reached my 1000th blog post).

What is interesting is that adding Flattr to this blog feels better than when I tried using Google AdSense (see Just disabled AdSense for this blog).

I guess the difference is that by adding AdSense to my blog I was exploiting my readers and benefiting from the 'getting out of control' ad industry (whose business model is to monitor and spy on everybody).

While by using Flattr I am basically asking my readers to support me (if they like a particular blog post or content).

I also feel that it is a better relationship with the readers, since AdSense kinda pushes for the 'blockbuster post' with as much traffic as possible, whereas Flattr will (I hope) reward good and solid content that added value to the reader, and that the reader liked enough to want to support (let's see what happens :) ).

For reference here is how I added Flattr to this blog:

Just Signed up for Flattr, what do you think of it?

While reading the Eclipse Memory Analyzer (MAT) - Tutorial I noticed a link to https://flattr.com which is a micro-payment solution for consumers of content to support the content creators.

Here is more info about Flattr:
Here are the steps I took to register:

Friday, 31 January 2014

TeamMentor TBot page to delete articles based on list of Guids

Continuing on the thread where I'm helping Serge to prune the TeamMentor's ASP.NET 3.5 library (see here, here and here for how I set-up the current test environment), one of his requirements was to be able to batch delete TeamMentor articles based on a list of GUIDs.

Without touching the 3.4 codebase I was able to add a new TBot Admin page with this feature (which is quite a cool 3.4 TeamMentor capability that I will blog about in a different post).

As with the previous examples, the TBot Script, called Delete_Articles_By_Guid.cshtml was developed on a GitHub hosted, TeamMentor UserData Repo:

Eclipse Plugin that allows the execution of REPL Groovy Scripts (in the current Eclipse Instance) and Fluent API for Eclipse+SWT

For the past 6 months I have been working on an Eclipse plugin that implements a Groovy REPL that makes it very easy to learn Eclipse and SWT.

I also started the creation of a fluent API for Eclipse and SWT, in order to reduce the amount of code that needs to be written when creating Eclipse plugins.

The plan is to release the next version of this plugin as a kind of Eclipse Plugin Builder, but it is already quite usable in its current state.

Setting up a Minecraft server in Azure (for use at weekly CodeClub session)

For almost one year, I've been doing a weekly CodeClub session at one of my kids schools, and sometimes at a local restaurant (see here)

Since there is quite a lot of passion in the kids for Minecraft, I decided that for this term we would try to use a Minecraft server in class, and see if we (me and the kids) can figure out how to use Minecraft without a mouse (i.e. with only programming).

Since my first experiments with a Minecraft server were quite positive (see Setting up a CraftBukkit based Minecraft server on OSX (Nov 2013)), I decided that it was time to take it up a notch and try to create a Minecraft server in Azure (so that the kids can access it from home).

Here are the steps I took:

Adding files to TeamMentor's web root via a UserData folder (synced with GitHub)

This post shows how to add custom files to the TeamMentor's webroot using a special feature of the TeamMentor's UserData folder.

In this demo I'm going to use the UserData setup from this post (currently synchronised with a GitHub repo).

Basically we are going to edit a file in GitHub, which will end up in the root of the associated TeamMentor website (which is quite a powerful PoC and bug fixing feature).

First step is to go to the synced GitHub repo (created here) and click the Create a new file here button in GitHub's UI:

Wednesday, 29 January 2014

Using TeamMentor 3.4 TBot admin pages to load and sync UserData with a GitHub hosted repo

Continuing from where Using TeamMentor 3.4 TBot admin pages to load and sync a Library hosted on GitHub left, this post shows how to use the same technique to sync TeamMentor's UserData with a GitHub repo.

For more details on how the UserData repo/folder fits within TeamMentor's architecture, see these posts:

Using TeamMentor 3.4 TBot admin pages to load and sync a Library hosted on GitHub

Serge asked me to help make some changes to TeamMentor's ASP.NET 3.5 library, and since we need a test server to look at what might be changed (and run some scripts), this is a good time to show how to use TeamMentor's 3.4 TBot pages to load a Library hosted on GitHub.

I will also show how, once the TM server is configured with a library using a Git URL, changes can be auto committed/pushed to that Git server every time there is a content edit using TM's web editors.

Step 1: Preparing the target TM server

Let's start with an Azure hosted TeamMentor server, for example this one:

Viewing Eclipse and SWT objects (Workbench, Display and Shell) using Groovy's ObjectBrowser and using TeamMentor's Plugin ObjectBrowser

Using the Groovy REPL included in TeamMentor's Eclipse Plugin (see update site and more info here, here, and here) it is possible to view in real time a number of Eclipse/SWT objects (for example the Workbench, Display or Shell )

Using Groovy's ObjectBrowser:

Let's start with Groovy's ObjectBrowser, which I used to use just about every day, since it gave me access to a live view of a particular Object's Fields, Properties (from getters) and Methods.

Tuesday, 28 January 2014

Eclipse Groovy REPL - Open TeamMentor Article in multiple formats

Part of the new TeamMentor Fortify Eclipse plugin v1.6.0 (update site here, installation instructions here) is a really powerful TeamMentor and Eclipse API which can be easily accessed via the included Groovy REPL.

In this first post (of several on this topic) I will show how to use the APIs to open a TeamMentor Article in multiple formats.

The first step is to open the Util - Write Script (TeamMentor DSL) view (which is the name of the provided Groovy REPL) using the TeamMentor menu (note that the Advanced mode features config property needs to be checked, or the Advanced and Debug Features sub-menu will not be visible):

Monday, 27 January 2014

Fixing Code Signing issue where Eclipse Plugin didn't install in Indigo

As mentioned in the Saga to sign an eclipse plugin with a code cert the problems didn't finish after the plugin was signed OK.

During the final QA stage Roman reported that he was Unable to install plugin on Indigo.

I was able to replicate that issue on a clean install of Indigo, where I got the following error when trying to install the TeamMentor Plugin:

Saga to sign an eclipse plugin with a code cert

Signing an Eclipse Plugin with a code cert should be simple right?

Well, this is probably one of those cases that may be obvious to others with more knowledge of how Java code signing works, but I've spent the good part of two days trying to sign an Eclipse plugin, and finally I was able to get it to work.

I will start with the solution (as executed in OSX), and then talk about the problem:

Sunday, 26 January 2014

Book: Sum: Tales from the Afterlives

I just finished reading Sum: Tales from the Afterlives by David Eagleman, which is a small and easy to read book with lots of great ideas and concepts.

The book is basically 40 mini sci-fi stories about possible scenarios that could happen after we die.

Ironically, and predictably, the side effect of reading these possible scenarios is to appreciate even more the life we currently live :)

David is also the author of Incognito: The Secret Lives of The Brain, which is a book that I started reading on a Kindle, loved, but never finished. This is another good example of why Kindle/eBooks don't have the same connection with the reader as a physical book (see Physical Books are the best technology for reading for a better analysis of why I think that happens).

I have now bought a physical copy of The Secret Lives of The Brain and am looking forward to reading it properly :)

Saturday, 25 January 2014

Lockhart's Mathematician's Lament, Maths should be treated as Art and the 'dangerous idea' that Zero is

I have a problem with how maths is being taught to our kids.

The best description of the problem I've read is Lockhart's Mathematician's Lament, since it really touches on the fundamental problem that we (as a society) have created:

Maths should be taught as Art, just like Music or Painting, instead of the current 'force-fed abstract non-real-world complex set of instructions and concepts'.

If you have not read his amazing paper (and you can just start with the first 10 or so pages), do it NOW since it might change how you think about Maths and how it is taught in school.

Updating GitHub Forks with latest commits from GitHub's 'parent' repo

One of the areas that tends to cause some problems with GitHub's 'Forking model' workflow is the need to have the Forks updated with the commits that have been added to the Parent repo (i.e. the repo that the Fork was created from).

To see real-world examples (and pains) of this issue, take a look at these posts:
For the example shown below, I'm going to update the DinisCruz-Dev/TeamMentor_Eclipse_Plugin repo which is a Fork of TeamMentor/TeamMentor_Eclipse_Plugin (here also referenced as the Parent repo).

Updating the GitHub repos for the 1.6.0 release of the Eclipse Fortify Plugin

As you can see by the recent eclipse related posts, I have been working on a Plugin for Eclipse that shows TeamMentor guidance to users that have access to the Fortify Eclipse plugin (and *.fpr files). We are now in the final stages of releasing the first public version (1.6.0) which is actually made of two parts: An Eclipse Plugin builder (which is Open Source) and a small 'Fortify Specific' code-mapping script. Very soon these will be in separate projects, but for now they are all hosted at the TeamMentor/TeamMentor_Eclipse_Plugin.

This post is just to document the current GitHub development model and where to find the main parts of this release.

Wednesday, 15 January 2014

On Java code formatting

As a variation of what I wrote in Formatting code for readability here is another example.

Which 'Java source equivalent files' shown below are easier to read?

This one (from FAQ How do I open an editor on something that is not a file?):

Tuesday, 7 January 2014

How to update a forked GitHub repo (in this case tm-sme/Lib_Vulnerabilities)

Today I helped to update the tm-sme/Lib_Vulnerabilities repo, which is a fork of TMContent/Lib_Vulnerabilities and is being auto-updated in real time when changes are made on the https://sme.teammentor.net/ server (i.e. every time there is a content change in https://sme.teammentor.net there is a server-side git commit, followed by a git pull to tm-sme/Lib_Vulnerabilities, which is a pretty sweet workflow).

The issue we had was how to push the changes from tm-sme/Lib_Vulnerabilities into the TMContent/Lib_Vulnerabilities repo, so that they can be synced back to https://vulnerabilities.teammentor.net

Note: this workflow would have been easier if the two repos were in sync, but it happened that there was one commit made to TMContent/Lib_Vulnerabilities (which is the master repo) on the 13th of Dec (d26f385) in between a bunch of updates to the tm-sme/Lib_Vulnerabilities repo (done automatically by TeamMentor). Bottom line: at this stage the repos are not compatible, which is why the GitHub Pull Requests don't work.

Thursday, 2 January 2014

The O2 Platform is like a Microscope

Dennis Groves gave a really nice answer today on how he views the O2 Platform: "...O2 is in my humble opinion a tool not dissimilar from a microscope, it allows you to see what can not be seen. So yes, it does allow you to identify security vulnerabilities via static analysis and other methods. However, that is not really using the tool to its full potential..."

Here is the question asked on the O2 Platform mailing list: