I was reading the Wired Magazine that Bill edited and although Bill has done amazing things with his philanthropic activities, part of me things what would had been achieved if he had bought from Microsoft the Windows XP Operating System and Open Sourced it?
Here is an alternative reality that might had been much better for him and the world:
Wednesday, 25 December 2013
Tuesday, 24 December 2013
How to create (using Eclipse) JavaDocs that looks good? (My current approach is not working)
I want to create nice JavaDocs for the API I'm developing for TeamMentor's Eclipse Plugin Builder Kit (see here , here and here) , but at the moment I'm not having the results I want (see at the end of this post screenshots of the type of JavaDoc I want to create).
Here is the workflow I'm using to create the JavaDocs in Eclipse (Kepler):
Here is the workflow I'm using to create the JavaDocs in Eclipse (Kepler):
Just donated £50 to Wikipedia
Similar to what I did last year (see Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships and Lovely 'post help' email from Wikipedia) I just helped keeping Wikipedia open and independent.
I really like their 'please help us' text:
I really like their 'please help us' text:
Monday, 23 December 2013
The power of not being in power (and being ignored)
I think helps a lot to give clarity and focus to ideas when the 'idea maker' doesn't have enough power to 'force' their execution (or adoption)
I've talked about this before in You will not have your best ideas when you are in a position of Power and it is something that more and more fell that is needed.
As somebody who has a lot of opinions and ideas (see I wish that OWASP in 2014 ....) I think it is very healthy that once I Stepped down as Board Member I was able to (eventually) write freely about An Idea of a new model for OWASP
I've talked about this before in You will not have your best ideas when you are in a position of Power and it is something that more and more fell that is needed.
As somebody who has a lot of opinions and ideas (see I wish that OWASP in 2014 ....) I think it is very healthy that once I Stepped down as Board Member I was able to (eventually) write freely about An Idea of a new model for OWASP
Sunday, 22 December 2013
3 Patterns for deserialising Xml into Objects (1 good and 2 very dangerous (XStream and XMLDecoder)) and a bunch of questions on how to handle them
When me and Abe where at DefCon working on the final version of the slides for the RESTing On Your Laurels will Get YOu Pwned presentation, we come up with a nice way to talk about the different approaches that can be taken when converting XML into Objects (the examples here are in Java, but this also applies to other languages/APIs).
Trying to add an 'EVIL bit' to java.lang.String (aka Java Taint Flag) and 'the first one has been set'
Following from the idea documented at the Java Tainted Strings post, Steven van der Baan is continuing his research, and at the last AppSec USA he had a break-though: we set the first 'Java EVIL bit' :)
This is a major development and if you are interested in this type of research, please join in the efforts (Steven is the one that has done most of the research so far, since I've haven't had the time to join in).
This is a major development and if you are interested in this type of research, please join in the efforts (Steven is the one that has done most of the research so far, since I've haven't had the time to join in).
XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article
At the DefCon 2013 I co-presented (with Abraham and Alvaro) the "RESTing On Your Laurels will Get YOu Pwned", which showed a number of PoCs on how REST interfaces and APIs can create a number a security vulnerabilities:
Since that time, I have blogged about a couple of the demos created:
Since that time, I have blogged about a couple of the demos created:
- XmlDecoder JDK class: Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
- Groovy on Admin Interfaces: Neo4J CSRF payload to start processes (calc and nc) on the server
We also showed a PoC using the XStream API (which had been reported to the XStream developers) which so far has not made it into a blog post (the PoCs presented at DecCon are here and here).
Since a quick search for 'XStream Vulnerabilities' only shows a couple examples (Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used, JAVA RESTful Services | Fuzzing Down the Rabbit Hole: Part One and this git commit), I think it is fair to say that this is issue is still quite unknown.
Since a quick search for 'XStream Vulnerabilities' only shows a couple examples (Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used, JAVA RESTful Services | Fuzzing Down the Rabbit Hole: Part One and this git commit), I think it is fair to say that this is issue is still quite unknown.
Wednesday, 18 December 2013
Executing Eclipse Plugin JUnit tests in real-time without needing to restart Eclipse (with no mocking)
One of the key capabilities that I wanted to have after Programming Eclipse in Real-Time (using an 'Groovy based' Eclipse Plug-in), was to be able to run JUnit tests (including tests using STWBot) in the live (under debug) Eclipse instance (called test Eclipse below).
This would allow me to code in a very quick/efficient TDD workflow, since I wouldn't have to wait 15s to 30s to see execution results for new JUnit tests or major/minor changes to existing JUnit tests.
The good news is that by using the GroovyExecution API that I wrote for the TeamMentor Eclipse Plugin, I was able to dynamically load and run the class files of the JUnit tests to execute, which was already a massive milestone, since that gave me 80% of what I needed. But it was only after Adding and using new API methods, that are consumed by an Eclipse Plugin under development (without Eclipse restart) and having JRebel enabled, that I had the full dynamic environment (where changes to the main plugin code and changes to JUnit test code did NOT require an Eclipse restart).
Here is a walkthrough of how it works (still a bit rough around the edges , but already a really powerful workflow).
This would allow me to code in a very quick/efficient TDD workflow, since I wouldn't have to wait 15s to 30s to see execution results for new JUnit tests or major/minor changes to existing JUnit tests.
The good news is that by using the GroovyExecution API that I wrote for the TeamMentor Eclipse Plugin, I was able to dynamically load and run the class files of the JUnit tests to execute, which was already a massive milestone, since that gave me 80% of what I needed. But it was only after Adding and using new API methods, that are consumed by an Eclipse Plugin under development (without Eclipse restart) and having JRebel enabled, that I had the full dynamic environment (where changes to the main plugin code and changes to JUnit test code did NOT require an Eclipse restart).
Here is a walkthrough of how it works (still a bit rough around the edges , but already a really powerful workflow).
Tuesday, 17 December 2013
Groovy Script to create a view that shows the images available in the ISharedImages class
Today I needed to add a couple icons to the Eclipse Plugin I'm working on, and after a quick Googling a bit, I found that Eclipse already includes a number of images with its release, namely via its ISharedImages class.
As with the question at Overview of ISharedImages? I wanted to see a full list of images available, and although that answer points to a couple blog posts that have it (see here and here) that didn't answer all my needs, since (for example) I also wanted to know if the images were available in the Eclipse versions we currently support (Indigo, Juno and Kepler).
As with the question at Overview of ISharedImages? I wanted to see a full list of images available, and although that answer points to a couple blog posts that have it (see here and here) that didn't answer all my needs, since (for example) I also wanted to know if the images were available in the Eclipse versions we currently support (Indigo, Juno and Kepler).
Football group photo from last Saturday's game in Chiswick
As often I am able to make it, I join a great group of guys in Chiswick's Rocks Lane on Saturday for a 1:45m non-stop game of Football (soccer for the US readers)
This is a great way to keep in shape, and I hope I'm able to play for many more years (I also play in Rocks Lane on Tuesday and Wednesday league games)
Here is a photo of the group that played last Saturday (some of these players are REALLY good, and it is a great honour to play with them) :
This is a great way to keep in shape, and I hope I'm able to play for many more years (I also play in Rocks Lane on Tuesday and Wednesday league games)
Here is a photo of the group that played last Saturday (some of these players are REALLY good, and it is a great honour to play with them) :
Monday, 16 December 2013
Adding and using new API methods, that are consumed by an Eclipse Plugin under development (without Eclipse restart)
This is a variation of the example shown in Using JRebel to HotSwap new Static String fields in an Eclipse Plugin (without Eclipse restart) and its such a cool/powerful workflow that it deserves a dedicated blog post.
Part of the Eclipse Plug-in development toolkit I'm working on, are couple APIs that are inspired/based on my previous work at the OWASP O2 Platform's FluentSharp APIs (available from NuGet).
The core idea of these Fluent APIs is to simplify to the maximum the code required to perform a particular action.
Part of the Eclipse Plug-in development toolkit I'm working on, are couple APIs that are inspired/based on my previous work at the OWASP O2 Platform's FluentSharp APIs (available from NuGet).
The core idea of these Fluent APIs is to simplify to the maximum the code required to perform a particular action.
Using JRebel to HotSwap new Static String fields in an Eclipse Plugin (without Eclipse restart)
After Installing, compiling and failing to use DCE VM for Eclipse Plugin development it was time to give JRebel a go (which is a commercial plugin that costs about ~300 USD per year).
TLDR: It worked and I was able to run an Eclipse Plugin, make big changes in a class already loaded (like adding a new field/method), and have access to those changes without needing to restart Eclipse.
TLDR: It worked and I was able to run an Eclipse Plugin, make big changes in a class already loaded (like adding a new field/method), and have access to those changes without needing to restart Eclipse.
Installing, compiling and failing to use DCE VM for Eclipse Plugin development
Last night I tried to use the amazing DCE VM tool (DCE = Dynamic Code Evolution) to apply hot fixes to the APIs I was creating for the open source Eclipse API Tool Kit I'm working on (as part of the TeamMentor Eclipse Fortify Plugin).
I was trying to address the limitations of the JVM's HotSwap technology which only works on certain inline code changes, and doesn't support at all the addition and changing of new methods.
TLDR: this post doesn't have the solution for this problem (see next post which shows JRebel in action).
In this post I'm going to show the workflow/steps that I followed to:
I was trying to address the limitations of the JVM's HotSwap technology which only works on certain inline code changes, and doesn't support at all the addition and changing of new methods.
TLDR: this post doesn't have the solution for this problem (see next post which shows JRebel in action).
In this post I'm going to show the workflow/steps that I followed to:
- create a version of DCE VM that worked on OSX Mavericks (after failing to use the provided binaries, and needing to compile the DCE VM code),
- run eclipse under the modified/patched JDK
- get a 'hang' in Eclipse when one of the dynamic code changes was applied.
Installing Gradle on OSX
Gradle is a build automation solution which can be downloaded from http://www.gradle.org/downloads and is an really powerful 'Groovy based' way to automate builds.
The download is made available (in Dec 2013) as a zip file, but for OSX there are is not 'installer script', so here is how I just set it up on my dev OSX laptop:
The download is made available (in Dec 2013) as a zip file, but for OSX there are is not 'installer script', so here is how I just set it up on my dev OSX laptop:
Sunday, 15 December 2013
What if minecraft was open source? (it would be an amazing learning tool)
Last week I did my 2nd CodeClub session where we tried to use a Minecraft server in the class (see Setting up a CraftBukkit based Minecraft server on OSX (Nov 2013) )
And it was a painful experience.
There where a ton of technical probs and most (if not all of them) were caused by the fact that MineCraft is not open source and needs to have a 'call home' function to make sure the clients have a valid license (i.e. there is an authentication step when connecting to a Minecraft server which forces the clients to be online, and introduces a number of issues).
This got me thinking about the hidden costs of the 'Minecraft closed' world, and how much more of an impact it would have if it was open source (and freely available to more kids).
And it was a painful experience.
There where a ton of technical probs and most (if not all of them) were caused by the fact that MineCraft is not open source and needs to have a 'call home' function to make sure the clients have a valid license (i.e. there is an authentication step when connecting to a Minecraft server which forces the clients to be online, and introduces a number of issues).
This got me thinking about the hidden costs of the 'Minecraft closed' world, and how much more of an impact it would have if it was open source (and freely available to more kids).
The hidden costs of closed words (in reference to Disney/Pixar animations)
I just watched the Disney movie Frozen (with the kids), which is basically a re-cast of the characters and technology used on the Tangled movie.
What I really found interesting was how the kids (8 of them) really had no idea what I was talking about when I mentioned "...well ... they grabbed the same Software and Character's Programming used in Tangled, added a change of clothes and programmed a new story..."
Basically the concept that there is a HUGE amount of programming and technology behind these movies (Pixar, Dreamworks Animation, Walt Disney Animation, etc...) is completely alien to them.
What I really found interesting was how the kids (8 of them) really had no idea what I was talking about when I mentioned "...well ... they grabbed the same Software and Character's Programming used in Tangled, added a change of clothes and programmed a new story..."
Basically the concept that there is a HUGE amount of programming and technology behind these movies (Pixar, Dreamworks Animation, Walt Disney Animation, etc...) is completely alien to them.
Blogger search is still broken and workaround to create a simpler (but working) blog search
I was trying to ignore this and see if Google Blogger team would fix it, but after a couple weeks (or more) it is still broken, and is starting to affect me (because I blog so that Future Self is able to find those ideas (like my Today Self, which is not able to find for what It think it is there).
Thursday, 12 December 2013
How to word-wrap a word without breaking it (when using bootstrap)
I just had one of those bugs that should had taken 5m, but ended up taking a lot more because the behaviour of HTML and bootstrap was not as easy as I was expected.
Basically the problem was that we needed to handle (in the TeamMentor Eclipse Fortify Plugin) the cases when we don't have a TeamMentor mapping for the issue currently being shown in the Fortify views.
The solution was to show the current Fortify recommendation, which is available from their plugin (I need to explain how I got that data in another post), and after integrating that data in our plugin, it looked like this:
Basically the problem was that we needed to handle (in the TeamMentor Eclipse Fortify Plugin) the cases when we don't have a TeamMentor mapping for the issue currently being shown in the Fortify views.
The solution was to show the current Fortify recommendation, which is available from their plugin (I need to explain how I got that data in another post), and after integrating that data in our plugin, it looked like this:
Wednesday, 11 December 2013
Juno probe captures movie of Earth-Moon 'dance' (and how small we all are)
Very cool movie showing how small we all are:
Tuesday, 10 December 2013
Webcast on TeamMentor integration with Checkmarx
If you want to see how TeamMentor integrates with Checkmarx (namely the special asmx proxy we created), me and Maty (from Checkmarx) are doing a webcast later today (1pm EST) which you can register at http://web.securityinnovation.com/webinar-december/
The title is Faster & Better Remediation with Security Innovation’s TeamMentor and Checkmarx’s CxSuite and here is the session description:
The title is Faster & Better Remediation with Security Innovation’s TeamMentor and Checkmarx’s CxSuite and here is the session description:
What really hurts ... is not being defended by your peers/friends
As somebody who has a strong opinions and likes to do stuff, I found myself sometimes in situations where I step a little out of line and do offend/hurt others (see also Why do others think that I'm "hard to deal with" and that "I don't listen").
This means that I tend to be on the receiving end of some criticism, which I've learned to accept (and not argue back, even though I could). Sometimes it is better to just accept the mistakes and let the other side have their say, specially if they are right and some of their feelings where hurt.
Occasionally when that I happens, I get the question "Doesn't it hurt to be on the receiving end of that criticism?" (which is a variation of "doesn't it hurt to be so misunderstood on what you are trying to do?" )
This means that I tend to be on the receiving end of some criticism, which I've learned to accept (and not argue back, even though I could). Sometimes it is better to just accept the mistakes and let the other side have their say, specially if they are right and some of their feelings where hurt.
Occasionally when that I happens, I get the question "Doesn't it hurt to be on the receiving end of that criticism?" (which is a variation of "doesn't it hurt to be so misunderstood on what you are trying to do?" )
Sunday, 8 December 2013
Blogging is like speaking to my 'Future Self'
Speaking to our 'Future Self' is a concept that I have been thinking and rationalising lately.
Looking back I can see that I have been doing it for a while, but I think the first time I wrote it down was on this tweet:
Looking back I can see that I have been doing it for a while, but I think the first time I wrote it down was on this tweet:
Got 3 Raspberry PIs on the post from @CodeClub
Last week I received 3 Raspberry Pis on the post, to be used on the weekly CodeClub sessions I'm doing at my kids school.
This is part of the 15,000 kits sponsored in the UK by Google, with 3000 of them delivered to CodeClub (see Google to give schools Raspberry Pi and We’re happy as Raspberry Pi )
This is part of the 15,000 kits sponsored in the UK by Google, with 3000 of them delivered to CodeClub (see Google to give schools Raspberry Pi and We’re happy as Raspberry Pi )
Wednesday, 4 December 2013
High-Res images of TeamMentor's Fortify integration in Eclipe
As you can read about here and here we are in the final process of officially releasing (and selling) the TeamMentor Eclipse Plugin with Fortify support.
Alli (from SI Marketing) asked me for some High-Res screenshots of how it works, which I just created on a clean install of Eclipse Kepler 64bit on OSX with both Fortify and TeamMentor plugins installed.
You can see the images below, or download the 1.2Mb images from these links:
Alli (from SI Marketing) asked me for some High-Res screenshots of how it works, which I just created on a clean install of Eclipse Kepler 64bit on OSX with both Fortify and TeamMentor plugins installed.
You can see the images below, or download the 1.2Mb images from these links:
- TeamMentor_Inside_Eclipse.png
- TM_Fortify_Command_Injection.png
- TM_Fortify_First_View.png
- TM_Fortify_SQL_Injection_Bottom_Part.png
- TM_Fortify_SQL_Injection_TopPart.png
Thse where taken on a MacBook Air with Retina display, using the OSX screenshot tool, which creates images with a 3108 × 2028 resolution (which I hope is OK for print).
Setting up a CraftBukkit based Minecraft server on OSX (Nov 2013)
Since I have my regular Codeclub Wednesday session later today, I finally got around to figure out how to run a Minecraft server (I have a number of kids that are starting to get bored with Scratch and REALLY like the idea of programming Minecraft)
There are a couple Minecraft servers out there (including an official one), but the CraftBukkit seems really powerful and very plugin-friendly (see http://plugins.bukkit.org/)
Here are the steps required to get an Minecraft CraftBukkit server up and running:
There are a couple Minecraft servers out there (including an official one), but the CraftBukkit seems really powerful and very plugin-friendly (see http://plugins.bukkit.org/)
Here are the steps required to get an Minecraft CraftBukkit server up and running:
- download the CraftBukkit 1.7.2 development version from http://dl.bukkit.org/downloads/craftbukkit/
- follow the instructions from http://wiki.bukkit.org/Setting_up_a_server
- move the downloaded craftbukkit-1.7.2-R0.1-20131204.020906-17.jar into the BukkitServer folder and rename it craftbukkit.jar (you can delete the one originally downloaded)
- execute ./start.command from a terminal window in the BukkitServer folder
- open your Minecraft client (downloaded from https://minecraft.net/download) and connect to localhost (you will need a valid/paid account in https://minecraft.net)
Monday, 2 December 2013
Installing Eclipse Plugin Builder, accessing Eclipse objects and adding a new Menu Item that opens Owasp.org website
This post shows how to use the Eclipse Plugin Update site described in TeamMentor Plugin and Builder v1.5.6 (Source Code and Eclipse Update site) to install and use the Eclipse Builder Kit that we open sourced last week.
The objective is to do these actions, without needing to start Eclipse to see them:
The objective is to do these actions, without needing to start Eclipse to see them:
- Dynamically access eclipse objects like: Shell, Workbench, Worksapce, ActiveWorkbenchPage, Display, etc...
- Open the http://www.owasp.org website in a browser (and put it inside an Action object)
- Add new Menu called ‘OWASP’
- Add a menu Item to the ‘OWASP’ menu called ‘Open OWASP website’ that calls the Action object that opens wht OWASP website.
Subscribe to:
Posts (Atom)