Saturday 29 June 2013

Insanely Simple book: Great view into Steve Job's quest for simple solutions

I just read Insanely Simple: The Obsession That Drives Apple's Success and was really inspired by it's peek into Steve Job's mind.

What is really great about the book (and author) is how it shows the decision making process behind Steve/Apple's success.

The key message is how Simple and well designed products/solutions, are a result of a relentless and uncompromising focus on Simplicity.

Writing REPL scripts on side-by-side Chrome and IE

Following the Chrome-Hijacking posts, I’m starting to convert the WatiN Extension methods into ChromeDriver, and to do so needed to execute requests side-by-side (to test the APIs and to be able to write UnitTests for them).

To do that (side-by-side Chrome and IE execution) I wrote this script:

Tuesday 25 June 2013

CodingLab Library at Union Jacks in Chiswick

After talking about the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Pyhton, CodeClub books and materials on the Chiswick High Road with Ed (Chiswick's Union Jack manager), I'm happy to say that he embraced the idea and gave us some nice (prime-location shelf) location downstairs to hold the first batch of Library books :)

This means that if you want to learn about:
  • Scratch
  • RaspberryPI
  • Arduino
  • BeagleBone
  • Phyton
  • Linux
  • and others (OWASP, Android, Robotics)
... just pop in into Union Jack, grab a drink and take a look one of the available books:

Review of first CodeClub meetup in Chiswick (24th Jun 2013), with Scratch and RaspberryPI 'coding stations'

Following the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Pyhton, CodeClub books and materials on the Chiswick High Road idea and the creation of CodingLab , I organised a Code Club meetup at Chiswick's Union Jack which had a nice crowd and vibe.

Here are some pictures of this event and set-up

Saturday 22 June 2013

PoC of Auto-Screenshot of Hijacked Notepad main Window

On the topic of Window-Hijacking, here is a PoC that:
  • creates a GUI with two Panels (left and right)
  • starts a new notepad process
  • hijacks its main window into the left panel
  • takes a screenshot of a captured Nodepad window every 100ms
  • checks if the screenshot is different from the last one, and if it is:
    • shows the screenshot of the hijacked notepad window into the right panel (inside a PictureBox)
Here is the code:

Using WebStorm with Chrome and ChromeDriver (to view KarmaJS execution results)

Following from the example described inWhen the best way to automate Chrome is to use ... Chrome ,  here is a more practical scenario where I’m creating a GUI that has both WebStorm and Chrome running side-by-side

Here is what it looks like:

When the best way to automate Chrome is to use ... Chrome (with examples on Google search, direct AngularJS scope manipulation and ChromeDriver javascript access)

On the topic of Web Automation, I always wanted to have a REPL environment for Chrome like I have for IE (using Watin).

In the past I have explored multiple solutions, for example the use of CefSharp (see here and here). But that was never the real thing, and there was always a couple issues (caused by the fact that the ‘real’ chrome wasn't being used).

For a while, in the back on my mind the solution was simple and obvious: Use the real Chrome process in a way that it can be programmatically accessed from an O2’s C# repl environment!

Well, the good news is that is exactly what I have done :)

I just created the Gui you can see below, which uses the Window-Hikacking technique to inject an (Selenium's ChromeDriver started) Chrome process' window in a Panel, and pass its reference (as a variable) to an O2 REPL environment.

Thursday 20 June 2013

Adding KarmaJS support to WebStorm to automagically run tests on file changes (and test UI with SublimeText, Chrome and Cmd.exe)

On the AngularJs and KarmaJS theme (see A small AngularJS Jasmine test executed by KarmaJS and the related posts linked at the bottom), here is my first attempt at using Karma to test AngularJS code inside TeamMentor.

I’m using WebStorm instead of VisualStudio, since for Javascript coding WebStorm is MUCH better/faster/cleverer, specially since it has good support for AngularJs and Jasmine (with KarmaJS support easily added, as we are about to see).

Also shown below is a cool tool I created that hijacks windows from SublimeText, Chrome and Cmd.exe windows into the same UI (an O2 Platform .NET Script)

Here is the directory structure:

A small AngularJS Jasmine test executed by KarmaJS

When I try to understand how a particular technology works I always like to create a simple test case with a small number of moving parts.

This post shows such example for an AngularJS page, a Jasmine test, a NodeJS web server and a KarmaJS execution cycle.

The files used/customised were based on the KarmaJS test/e2e/angular-scenario example:

KarmaJS AngularJS Scenario Test Runner execution variations in IE 7,8,9 and 10 when using AngularJS

While trying to get Karma JS to work, I found a number of different behaviours for its AngularJS Scenario Test Runner in IE’s multiple 'compatibility modes'.

TLDR: some of the Jasmine and AngularJS test apis don't work (although Angular does seem to work ok)

Here is the default web page I was using:

If AngularJS doesn’t work on your O2 Platform IE scripts (the fix is to change browser compatibility mode)

If when trying to open an AngularJS page inside an O2 Platform script, you see:

image

... this means that the IE browser embedded in that .NET process is set to run under IE 7

Wednesday 19 June 2013

Debugging a weird case of missing module in AngularJS and KarmaJS

When I was trying the  Running KarmaJS’s AngularJS example test/e2e/angular-scenario (on Chrome) I hit on the the following weird behaviour.

TLDR; the solution was to run npm install –g karma@canary

Running KarmaJS’s AngularJS example test/e2e/angular-scenario (on Chrome)

To learn and get an idea of how Karma (the 'Spectacular Test Runner for JavaScript') works, and how it can be used to create browser automations tests, here are the steps I took to get the test/e2e/angular-scenario example to work.

It all started with a clone of: git@github.com:karma-runner/karma.git

Sunday 16 June 2013

Trying to running HuBot (and being stuck on ‘ERROR XMPP authentication failure’)

Sitting on a Starbucks in a Saturday morning (after dropping the kids on PSSA) it felt like a good time to try HuBot (repo is here).

Since I already had NodeJS installed on my test VM, I stated with the Deploying Hubot onto Windows instructions:

Using Jabber-net to talk to OpenFire

After Installing Ignite’s OpenFire and Spark (IM server and client),  using Jabber-Net, I wrote a O2 Platform C# script to access OpenFire, which will:
  • Connect to a local OpenFire server
  • Login as a user
  • Find the HuBot room
  • Join that room
  • Post public messages to it
(see end of post for the source code)

NDepend Query to visualize call flows

After installing NDepend and writing a first simple CQL query, it was time to try something more interesting, namely a query that could help me write rules to find security vulnerabilities like SQL Injection.

So I decided to write a rule to find out the call flows into/from a particular method, ie ‘Who calls this method and who it calls?’

With NDepend enabled on the source code of TeamMentor/Master , I opened a class and chose this option:

Customizing my first NDepend CQL rule (Potentially dead Methods)

After Installing NDepend, I was looking at the rules execution result of TeamMentor/Master and saw that there were a result of 21 Potential dead methods:

Installing NDepend

After a nice correspondence with NDepend’s Patrick Smacchia who offered me a license of in exchange for some blog posts on how I used it, here is my first one covering the installation and first run

If don't know about NDepend, here are some references :

Trying DevExpress (install and uninstall)

Since I'm still not 100% happy with Resharper performance and system Impact, I just tried CodeRush from DevExpress

The rest of this post shows how I installed, used it and uninstalled CodeRush

Friday 14 June 2013

AngularJS code editor using UI-Bootstrap and CodeMirror (done without using jQuery)

I’m adding a number of AngularJS views to TeamMentor, and here is a simple HTML based source code editor inspired on the How to Integrate Codemirror With Angular UI post and ui-codemirror repository.

In the end, these are the APIs I used:
And this is what it looks like:

Gource Visualisation of "TeamMentor Git Development - 18 Months in 180 Seconds"

Here is a pretty cool video of 18 months of Git commits using the Gource tool which is a software version control visualization tool.

Try to see it in full screen and at 1024p HD quality:

Wednesday 12 June 2013

More TeamMentor UI Javascript trace and debug views

On the topic of TeamMentor UI debug helpers (see Opening up TeamMentor’s Javascript Trace Viewer which hooks TM method calls) here are a couple other useful options:

Opening up TeamMentor’s Javascript Trace Viewer which hooks TM method calls

If you are trying to debug (or understand) the TeamMentor’s Javascript layer, there are a number of debugging tools and options (in the /Javascript/TM/Settings.js file) that might help you:

Tuesday 11 June 2013

Trying out NCrunch

Intrigued by Kofi’s NCrunch and TeamMentor post, and since today I had to write a number of Unit Tests, I decided to give NCrunch a test drive.

I downloaded the MSI, the install was smooth and next time I opened up VisualStudio there was a new NCrunch menu available:

Changing the way User Sessions are handled by TeamMentor (will be 3.3 Release HotFix 3)

One feature we introduced in TeamMentor 3.3 was the limitation of only allowing one user session to be active at any given time.

This had the nice side effect of 'preventing user account reuse'.

In practice, this meant that TM users had to stop using shared accounts (like the admin account), which was a good thing.

But, it created nasty side effects where the user can only be logged in once across all its devices. And an even worse side-effect happened when we implemented a SSO solution for a client, and we realized that for the cases where there was one SSO token shared across multiple users, we would have to create an TM account per user session!

So we went back to the Concurrent Logins Have Broken  issue, reopened it and changed it priority to P0 (which means that this will be another 3.3 HotFix)

The rest of this post shows the workflow that I took when making the code 3.3 HotFix #3 changes, testing them and pushing the new version to GitHub.

Fixing a couple bugs and pushing new TeamMentor 3.4 Dev Version (from 4 to 5)

This post shows one way to use GitHub to update the main development branch of TeamMentor.

At the moment TeamMentor/Dev repo  is at version 3.3 – Dev 4

The day CodingLab.org was born

After brainstorming about the idea of 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Pyhton, CodeClub books and materials on the Chiswick High Road with Sarah (my wife), she come up with the name of Coding Lab, as a better way to present the concept to local venues (with the added idea of doing regular/monthly lab sessions in there).

So I:
and voila, here is the very first version of: http://CodingLab.org

Creating TeamMentor release 3.3.2 (3.2 version with HotFix 2)

Now that the two P0 issues are marked as fixed (after a round of QA):

Monday 10 June 2013

'Open Library' for my RaspberryPi, Arduino, BeagleBone, Pyhton, CodeClub books and materials on the Chiswick High Road

Yesterday I 'dropped' 10 Python books to a friend's kid house with a 'take a look at these books and pick one that make sense to you' workflow (they are trying to use a RaspeberryPI and learn how to code in Python)

Later that day one of the kids asked me '... can we keep two?..' , which is always a good sign :)

This got me thinking that that some of my books (I have lot of them) deserve to be shared with more kids :)

Maybe I could have them 'somewhere' on the local Chiswick High Road (West London) as a kind of 'Public Geek Library' for kids (and adults).

This could also be a great location to put information about CodeClub and examples of what I'm creating with the kids that I am teaching every Wednesday.

Sunday 9 June 2013

Installing Ignite’s OpenFire and Spark (IM server and client)

When testing HuBot, I needed an IM server and client

Since the HuBot install article that I was following recommended OpenFire and Spark, I decided to give it a test drive.

Here is how I installed and set it up on a local VM.

The first step was to get OpenFire from the Ignite's website:

A constant source of confusion: Simplicity

From this reddit I found the really interesting and thought provoking (long) post on A constant source of confusion: Simplicity

Simplicity is a topic that really matters to me, and is something that always try to do when writing code or creating APIs (like the ones in the O2 Platform, FluentSharp or TeamMentor).

That post has some great references, which are well worth a read:

Saturday 8 June 2013

What is Privacy all about? ... its about 'not being surprised'

Privacy is one of those subjective topics that is hard to talk about, because everybody seems to have a different definition of it (which depends on culture, personal experience, current/past jobs and state-of-mind.

Recently I found a Seth Godin post (while reading Whatcha Gonna Do with That Duck? in the toilet) which really provided a great explanation of privacy.

The post happens to also be online (People don't truly care about privacy) and here is the key part:

Friday 7 June 2013

Why the need to enable the use of OWASP chapter funds

I just send the text below to the OWASP Leaders list, which was part of this thread

My answer was to  Tim's comment and I started a new thread with it

-------------

Tim's solution (see below) is great and we should apply it now (using data from the last year). The only thing I would change is to remove the C (soft cap) and  P (hard cap). This would have a net positive result for all chapters (and not move the money to the 'OWASP mothership' which is a very sensitive topic).

For the ones really interested in this thread/topic, you should read the amazing Seth Godin's post Non-profits have a charter to be innovators which really explains why OWASP (as an organisation) as the DUTY and moral responsibility to spend its available funds, to experiment, to get things done, etc....)

OWASP is Hiring a FT Event Manager (35k USD)

Sarah Baso just posted the email below to the OWASP-leaders list which is a great move for OWASP.
    OWASP Leaders -
    We are looking for a motivated professional to take on management of OWASP Events.  

    Applications are being accepted until June 21, 2013 with interviews immediately following with a final decision made by July 5, 2013.
    How to apply: Email a cover letter and resume with your name and the position you are applying for in the subject line to owasp.foundation@owasp.org.
    Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

Help out with WebGoat .NET development

If you are looking for a great project to learn about ASP.NET, C# and Web Application Security, WebGoat .NET is a great place to start.

Please grab the code (here or here), read the current issues and join the mailing list

See my WebGoat.NET in Action (and how I set-it up) post if you need help setting it up.

And please fell free to invite others to join the party :)

13 Great Quotes from Steve Jobs

I like the fact that I can relate to most and am actively involved in executing them.

For example ... the idea that when we start working on something it tend to be very complex, and it is only by working on it 'over and over again' that it becomes simple, easy to use and useful (for a wide audience)   ... is exactly how I approach the development of the O2 Platform and TeamMentor

Controlling Selenium and Chrome WebDriver from a C# REPL GUI (while fixing UnitTest)

When I was Running TeamMentor WebAutomation UnitTests locally (using Selenium and ChromeDriver), there were a number of TeamMentor's UnitTests that failed, and could not be fixed with simple changes or re-execution

This post shows how I used the O2 Platform's FluentSharp REPL script_Me capabilities to debug the problem and find a solution.

Running TeamMentor WebAutomation UnitTests locally (using Selenium and ChromeDriver)

If you want to run the TeamMentor's WebAutomation UnitTests (for example to see how we use Selenium and the multiple WebDrivers, like ChromeDriver), there are couple gotchas that you will need to take into account.

This post shows how I went from a git clone to a full execution of all unit tests.

Wednesday 5 June 2013

Adding Markdown support to TeamMentor's Article 'view and edit workflow'

After Adding MarkdownDeep Web Editor and Editing/Viewing an TeamMentor Article, the next step was to add Markdown support to the main TeamMentor's Article rendering and editing workflow.

Since all the heavy lifting was already done, adding these capabilities was relatively easy to do with the code that can be see on the 2ead06cf1098872849f8e1d68fb3215e2668f502 commit:

Adding MarkdownDeep browser-based Markdown 'Edit and Preview' capabilities to TeamMentor (and editing an TM Article)

After Adding MarkDown support to TeamMentor using MarkDownDeep, where I got MarkdownDeep to work on the backend (ie server-side markdown transformation), the next step was to add client-side viewing and editing (i.e browser-side markdown transformation).

Although there is a MarkdownDeep NuGet package with the client-side coed, I wanted to put the files in a specific location, so I manually added the html, JS and CSs files into the TM’s Javascript folder:

Adding MarkDown support to TeamMentor using MarkDownDeep

After adding ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout) I was ready to add Markdown support to TeamMentor.

I chose MarkdownDeep after reviewing the multiple Markdown C# and JavaScript APIs currently available (for more details see the references section at the end of this post)

My first step was to go NuGet and choose the MarkDownDeep - .NET Only Edition package:

Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)

On TeamMentor's 3.3. release we added support for C# RazorEngine and System.Web.Razor.

For 3.4 release, there is requirement to add Markdown support (see next post). Since the API that I want to use (MarkdownDeep) works really well with ASP.NET MVC 4.0, here is how I added ASP.NET MVC 4.0 support to TeamMentor.

The process was quite smooth, and I was able to quickly get it up and running.

It all started with NuGet where I added this package

Tuesday 4 June 2013

WebGoat.NET in Action (and how I set-it up)

For the OWASP EU Tour London event I showed the WebGoat.NET vulnerable web app (which is a .NET variation of the highly successful Java-based OWASP WebGoat project).

Here are (draft) notes on my efforts to get WebGoat.Net up and running (which might help help others since there is very little documentation about this great new OWASP Project)

After cloning from https://github.com/jerryhoff/WebGoat.NET and using the code from the https://github.com/jerryhoff/WebGoat.NET/tree/new-lessons branch (note that there is now the https://github.com/OWASP/WebGoat.NET repo, which is a better home for this code), I was able to get WebGoat.Net running (see below the probs I had to solve), and here is what the first page looks like:

View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page

In the Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using Jni4Net) I posted the screenshots below, which are such a big step forward that I'm creating this separate blog post to expand the idea a little bit :)

One of the things that I always wanted to do with ESAPI , was to have programmatic access to the multiple ESAPI encodings methods, since I believe they are a great example of the type of encodings capabilities that are needed in order to safely consume data provided by (potentially malicious) users.

ESAPI provides a number of sepecific methods to encode a string (each focused on a particular use case)
  1. encodeForHTML
  2. encodeForHTMLAttribute
  3. encodeForCSS
  4. encodeForJavascript
  5. encodeForVBScript
  6. encodeForLDAP
  7. encodeForDN
  8. encodeForXPath
  9. encodeForXML
  10. encodeForXmlAttribute
  11. encodeForURL
And given a particular string, what does each of of these look like?

Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using Jni4Net)

Yesterday at the OWASP EU Tour London Chapter event meeting I presented the next step of my research on using ESAPI and AppSensor inside a .NET application like TeamMentor (using Jni4Net to allow the JVM to work side by side with the CLR).

The source code of the demo I presented is posted to the github.com:DinisCruz/TeamMentor_3_3_AppSensor repo, and this post shows a number of screenshots of what is in there.

I used TeamMentor’s TBot C# and AngularJS pages to create the prototypes (since it is very easy and fast to code in that enviroment)