Dec 26

Every now and then, a developer makes a post on their blog that, to the unsuspecting novice, seems like common sense.
Beware, though. If the post is less than comprehensive or accurate, it had better not be about security matters, or that newly acquired peace of mind may be quickly shattered.

Exhibit A: This post on the topic of PHP and SQL injections. It’s not like there is a lack of information already freely available on the web.
The author even references this excellent material at the end of his post. It is too bad that his own article actually contains less relevant information than the original post.

For instance, he recommends the use of mysql_real_escape_string().

  • Observation #1: this implies that you are using MySQL as your database of choice. Granted, you may use this method before sending a SQL query to PostgreSQL, but then there is no guarantee that the mysql functions were compiled into the current PHP library.
  • Observation #2: mysql_real_escape_string() does nothing more than escape quotes. From the original article: “Be aware that “sanitizing the input” doesn’t mean merely “remove the quotes”, because even “regular” characters can be troublesome.”

He recommends validating for the proper input, which is good practice. So, brownie points for that. But it wouldn’t hurt to have, for instance, mentioned the use of intval() to enforce that integer values are nothing but that. Integer values. I would say that it’s advice just as important as escaping input strings.

Now, the part that I found horrifying, but it’s just me, I’m a stickler: the author encourages you to code your HTML forms so that they will not accept too many characters. I see some confusion here: this is good usability advice, granted, but as far as security goes, it is misguided. A length limit in the form lives in the browser, and the browser is under the user’s control.

The golden rule is simple: Always perform input validation server-side, where the user cannot ‘fake’ the values they are sending to your application.
Never, ever accept data “as-is” if it came through a path that allowed it to be tampered with.

Two other equally important points I wish he had mentioned are:

  • Configure error reporting so that your server does not display these “helpful” error messages that he mentions and that attackers are delighted to find.
  • A good SQL query is one cautiously put together, but a great SQL query relies on prepared statements. There are cases when you are after raw speed and direct queries feel more ‘natural’ -I know, I use them a lot- but whenever possible, use prepared statements, since the user is then not given a chance to “write” your query string himself.
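As an added example (not code from the original post, nor from the article it criticises), here is the escape-only query beside the version that validates server-side and uses a prepared statement. It assumes mysqli and a `users(id INT, name VARCHAR)` table; the connection credentials are placeholders.

```php
<?php
// Added example, not from the post under discussion. Assumes a mysqli
// connection and a table users(id INT, name VARCHAR); the connection
// credentials below are placeholders.

// (a) Escaping only. real_escape_string() neutralises quotes, backslashes and
// a few control characters, nothing else. Against an unquoted integer column
// an input such as "1 OR 1=1" contains none of those and reaches the server
// unchanged, whatever maxlength the HTML form declared.
function lookup_escaped_only(mysqli $db, string $rawId): string
{
    $safe = $db->real_escape_string($rawId);
    return "SELECT name FROM users WHERE id = $safe";
}

// (b) Validate server-side. An id is a string of digits or the request is
// refused; only then is it coerced with intval(). Calling intval() alone
// would quietly turn "1 OR 1=1" into 1 instead of rejecting it.
function parse_user_id(string $rawId): int
{
    if ($rawId === '' || !ctype_digit($rawId)) {
        http_response_code(400);
        exit('invalid id');
    }
    return intval($rawId);
}

// (c) Prepared statement: the query text is sent first and the value is bound
// separately, so the user never gets to write part of the SQL.
function lookup_prepared(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// (d) Driver errors go to the log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'placeholder', 'appdb');
$id = parse_user_id($_GET['id'] ?? '');
echo htmlspecialchars(lookup_prepared($db, $id) ?? 'no such user');
```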

Dec 22

Oh, great.
Merry X-Mas and all that. Unless you’re ThinkSecret. Or Fake Steve Jobs. See here.
And here.

Of course, there is still the possibility that it’s another hoax created by our favourite Steve Jobs.

Here are two groups of people who are not about to get any more of my money if this is all true:

Apple:
Sorry, guys, but coolness is part of your products’ appeal. If you behave like a-holes, I will simply dedicate more of my time writing drivers for Linux.
I know, this isn’t the first time Apple enters ************ mode. But, obviously, after their ThinkSecret victory, there is enough blood in the water to keep the frenzy alive for a while.

The EFF:
Oh, come on, guys. Again, I have no idea whether FSJ’s posts are a pure hoax or the real thing. But when in doubt, I always get on my soap box. So, here goes: it is not the first time that I see a report of the EFF getting a less-than-positive result. And claiming victory over a site’s shuttering? I’m sure that FSJ is devastated, now that you made clear to him that freedom of speech is your thing, but only on your terms.

Merry Christmas, Happy Hanukah and Kwanzaa, or whatever else helps you live with yourselves.
Chris out.


Dec 14

I try to make this blog mostly about open-source and management. And I do not necessarily mean “open-source and management” in the same breath.
These just happen to be two topics that I live and breathe daily and, as they say: “Write about what you know”.

Anyway, today, both worlds collided and you can see the result at http://blog.mootools.net/2007/12/13/an-open-apology-to-the-authors-of-jquery-prototype-and-others
I am not going to comment on the original issue, this isn’t my goal. I simply think that it’s very instructive to read all the comments to that post. They raise some very interesting questions about management.
Was the author’s reaction “leadership?” What constitutes leadership, then? Is it knowing when to apologize? Is it sticking by your own troops?

I leave it to you to form your own opinion.


Dec 04

Kodachi v0.5.1 is out! It’s good news for developers who want to write plug-ins or if you wish to change the look and feel of the application:

  1. A demo plug-in is now included. All it does is add a new direct word to Kodachi’s vocabulary: ‘Demo’. Type it, select some action, and it will display a Growl-like notification confirming your action. A very easy starting place for budding plug-in developers.
  2. Kodachi’s user interface is now skinnable. Actually this goes a bit beyond a simple skin, as you can change its behaviour altogether. Note that when launching Kodachi, you will now see the new demo skin, called ‘Bezel’, that I created. If you are familiar with QuickSilver, this is certainly an interface you are already used to. If you wish to work with the old interface, simply disable the ‘BezelInterface’ plug-in.
  3. The installer now checks which version of .Net is installed on your PC, if any, and offers to install the correct version if necessary.

Download Kodachi 0.5.1


Dec 02

Ever used GenPass? SuperGenPass?
What do you mean, you do not know what I am talking about? Oh, you need to read on.
Of course, I am referring to SuperGenPass, developed by Chris Zarate. This wonderful bookmarklet automatically generates strong passwords for you, based on the url of the web sites you are visiting. You only need to memorize your master password and that is all.
This is a great tool on so many levels. It works for broken brains -like mine: you take all your passwords with you wherever you go since all you have to do is use the bookmarklet in any foreign browser. It is secure: no password is in fact stored anywhere.

What are the advantages of Air GenPass?

  • Well, first of all, it allows you to run the tool with web browsers that do not provide correct support for bookmarklets. Safari for Windows, I am looking at you.
  • If you are a tad paranoid, like me, but have to use browsers that are unable to store such a big bookmarklet, for instance Internet Explorer or Opera, you may not wish to use Chris Zarate’s server to run it every time you need to regenerate a password.
  • If you are at a friend’s house and they do not wish to let you install a bookmarklet in their browser, no problem: GenPass is portable and you can carry it around with you on a USB stick. Of course, one may argue that they still have to agree to install Air ;)

Explaining how this application works is a breeze, mostly because there isn’t much to explain. When you open it, you see three text fields. Enter your master password in the bottom one and click on the tiny icon to close it. The top text field will contain the password generated by the tool, and you will be able to copy it to the clipboard using its own icon. The middle field is the one where you will enter or paste the link of the site you are currently visiting. Since Air is a desktop application, you can alternatively grab the link’s icon in your browser’s address bar and drop it on the application.

You can stop reading here and download the application directly if you are not interested in the technology behind this simple guy.

This is my first Air application. So, how hard was it?

I used the latest release of Aptana, which is very nice for creating Air applications. That is, as long as your Air applications do not rely on Flex.

application.xml contains all the information pertaining to your application. Note that this information is not used by the Air installer. It seems that the installer only looks at the certificate used to sign your application. Since the only certificates currently available can be bought from Thawte for several hundred dollars, I believe that the fact that the installer does not claim that “Chris was here!” is a reasonable trade-off.

You can edit this file manually to provide information such as application license and icons.

AIRAliases.js is the library that links the objects used by Air’s bridge.

If you are a total Air newbie, just like I was before I wrote this tiny application, you have no idea what this bridge that I am talking about is.

The first iterations of Air -formerly known as Apollo- did not come with a security model and it was potentially possible to do all sorts of nasty things with Javascript code that could simultaneously talk to the Internet and clobber your local filesystem if it felt like it.
Adobe quickly introduced their own security model, which happens to be kind of kludgey but certainly makes sure that any connection between the World and your local resources is voluntary.

unsafe.html is an HTML page that is included in a frame. This simple fact means that it has access to all your web browser resources and no access to your computer’s resources. This is the Web sandbox, and it is usually used as the presentation layer.
In my case, of course, because I am a little piggy, all the presentation is done in the top frame, which happens to have access to your computer’s resources but cannot run queries to the World or execute arbitrary code through the use of eval() or setTimeout().
Joking aside, it is perfectly legit to use the top frame as the presentation layer; it just makes your life harder if you use some libraries that make extensive use of eval().

GenPass.html is our top frame, just described in the previous paragraph. It contains a lot of Javascript and the definition of the iframe container that links to unsafe.html. I have no right to be proud of this Javascript because I did not write most of it. It’s actually Chris Zarate’s supergenpass bookmarklet code, only modified just to the point where it can be included in an Air application. The rest of the code is the UI, which relies on jQuery. Because, good news, jQuery works on Air!

<iframe id="unsafe"
        src="unsafe.html"
        sandboxRoot="http://voilaweb.com/"
        documentRoot="app-resource:/"
        width="0%"
        height="0%"
        style="border: 0px; margin: 0px; padding: 0px; width: 0%; height: 0%; visibility:hidden;">
</iframe>

What’s really important here -save for the fact that I am setting all sizes to '0' because I do not want to display the frame- is the src attribute. The page that will run in the web sandbox is unsafe.html.

// Callback that lives in the top (application) frame: hides the spinner.
function notworking()
{
    $('#working').css('visibility', 'hidden');
}

// Bridge: the only things the child frame is allowed to reach.
var Exposed = {};
Exposed.notworking = notworking;

$(document).ready(function() {
    // Hand the child document a reference to the bridge object.
    document.getElementById('unsafe').contentWindow.parentSandboxBridge = Exposed;
});

Do not blink: this is where it’s happening!
If it were not for this bit of code, we would not need our iframe. But since we wish to be able to invoke notworking() using setTimeout(), now we have to jump through hoops. Fortunately, these are simple hoops once you understand them.
First, we create an object called Exposed. We store a reference to our callback method in this object.
Then, when the DOM is ready according to jQuery, we take advantage of the fact that top frames are allowed to access the content of iframes: we store a reference to Exposed in the child document (remember that when we created our iframe, we gave it an id of ‘unsafe’? This is how we are accessing it now).

When the user clicks on the ‘Copy to Clipboard’ icon, we display an animated gif: a couple of spinning arrows. We wish to display these guys for a second, then get rid of them. Of course, that’s the rub: since we are in the local sandbox, we cannot invoke setTimeout(). No problem! Let’s ask our child document, who lives in the Web sandbox, to do this for us. We are keeping, in our top document, a reference to the only method contained in the child document: localpause(). It is now time to invoke it. Let’s have a look at its content:

// Runs in the child (web sandbox) frame, where setTimeout() is permitted;
// parentSandboxBridge is the Exposed object the top frame handed over.
function localpause()
{
    setTimeout('parentSandboxBridge.notworking()', 1000);
}

It is pretty straightforward: after a second, it will invoke the parent’s notworking() method, which will hide the animated gif (see above).

And that’s all there is to it, really.

Feel free to leave a comment if you have more questions.

I want to download it!

Oh, yes. Sure. Clicky.


Dec 02

You can now anonymously sync to the bleeding edge version of Kodachi’s source code at svn://nextbbs.com/kodachi

If you do not feel like installing svn/compiling Kodachi but are still curious about its source code, you can browse it at http://www.nextbbs.com/trac/kodachi/

Note: if you sync to the first check-in, you will get the version of Kodachi that is currently downloadable. If you sync to the next one, you will get a new version with a temporary default interface. Yes, I am working on adding customizable interfaces.


Nov 04

Oh, man. Jack of all trades, master of…not many?

This week, my frustration over not finding a QuickSilver-like tool for Windows was at an all-time high.

Do not get me wrong: Colibri and Launchy are fine tools. They just do not have this QuickSilver-like feel that I miss so much at work.
Fortunately, I came upon Kodachi completely by chance and I really like the tool.

Unfortunately, there was no executable available, only source code. Obviously, no installer either… And the project had been abandoned by its original author. I contacted the interim maintainer and created a nice installer. I also did some clean-up.
I may or may not offer to take over the project, depending on the feedback I get.

Here is a video of Kodachi in action:

And of course you can download it: thank you SourceForge.

Note: this is an alpha release. There is no guarantee that it will even work on your machine. All I can tell you is that it will not break your PC.


Oct 25

The FFII, a not-for-profit organization promoting a free market in information technology, published this press release.
The title is a bit over the top, but what’s the point of writing a press release if it isn’t compelling?

Basically, it’s about a great victory for Microsoft, in Europe: if you write a piece of software that interoperates with a Microsoft product, you have to pay royalties for each copy distributed.

This means that commercial entities such as IBM have to give Microsoft money when they write a competing product -who wants a word processor that cannot read Word documents?- It also means that many open-source projects are going to have to sit down and decide whether to shutter the whole project or stop distributing it in Europe.

One might argue that if royalties are a percentage, free projects shouldn’t have to worry about the whole deal. This would be true if Microsoft’s wording didn’t specify a percentage of their revenue. This is dangerous territory, now. What’s a non-profit to do?

Anyway, as if all of this wasn’t reason to worry enough, this quote from Commissioner Kroes takes the cake:

That percentage royalty has become a nominal, one-off payment of Euro 10,000. This is all that has to be paid by companies that dispute the validity or relevance of Microsoft’s patents.

Yes, you read right: Euro 10,000 (US$14,000). What open-source project is going to fork that kind of money?
And, wait, “this is all that has to be paid”…if you dispute Microsoft’s patents relevance?
Ouch! How much are you supposed to pay if you don’t dispute it?


Oct 18

Well, this was much more work than I had anticipated.
And now, of course, I find that my voice sounds weird, the rhythm seems off, etc. The way I’m supposed to feel about it, I guess.
Here is the quite undecipherable version. For a better, bigger, readable one: http://www.nextbbs.com/do_topic_id_1166

I will soon post on my newly acquired experience. If it saves you time *just once* -the first time you try creating your own screencast-, I will feel entitled to the warm feeling that comes from having helped somebody.


Sep 28

The text below is what I originally typed in the comments form at http://lifeonrails.org/2007/8/30/netbeans-the-best-ruby-on-rails-ide -a very informative Rails blog!- but as I was about to click on ‘Add that puppy’ (-G-) I decided against it, not wanting to become a comment troll myself.
So, it’s now here instead:

Joe,
As a JBuilder veteran, let me tell you that it saddens me to see you spend time writing a plug on this blog rather than working on your products. I was very disappointed with JBuilder 2006. The way I see it, after releasing an abysmally buggy JBuilder 2005, you apparently decided to throw the baby out with the bath water. I do not know if you guys got overwhelmed by the complexity of your own product, but it seems that you thought that, rather than fixing it, selling us a few Eclipse plugins rebranded as ‘JBuilder’ was going to do the trick.
After more than 7 years of sticking with you guys, I have moved my whole team to Netbeans and have nothing but praise for it. IMO, it is the product that JBuilder was destined to be. Except it also handles Ruby seamlessly, which feels like a natural evolution for us Java developers.

Now, feel free to tell me if I got it all wrong. It is not my intent to start a flame war with the Borland people and I would be very happy to be proven wrong since I was a JBuilder fan for so many years.

-C.
