Monday, 31 October 2011

5 minute wonders: From zero to hero with AppHarbor

In case you’ve been living under a rock this year, AppHarbor is one of the hottest things to hit .NET since, well, just about ever. It packages up the entire app lifecycle of source control, build, deployment and hosting and makes it dead simple; in fact it couldn’t be easier. It then adds a comprehensive collection of add-ons to do everything from persisting data (MS SQL, MySQL, MongoDB) to caching services (Memcacher) to load testing (blitz).

And the best bit? It’s free. Zero dollars. Nada. Zilch. If you want to get a bit demanding then you start to pay money but it’s in the order of figures like $10 a month for a 10GB SQL DB. This is truly the cloud promise of low cost, high agility, commoditised services done right and it’s what's helped me make ASafaWeb a reality.

Let me show you just how easy this is; in the last 5 minute wonder about the ASP.NET membership provider, I built an app from scratch which included a web front end and a SQL back end with registration and log in functionality. This included the secure storage of passwords protected with a cryptographically random salt and hashed with SHA256. Let’s take another 5 minutes and put this in the cloud under source control with continuous build and release courtesy of the very awesome people at AppHarbor:

Wednesday, 19 October 2011

Secret iOS business; what you don’t know about your apps

In the beginning, there was the web and you accessed it through the browser and all was good. Stuff didn’t download until you clicked on something; you expected cookies to be tracking you and you always knew if HTTPS was being used. In general, the casual observer had a pretty good idea of what was going on between the client and the server.

Not so in the mobile app world of today. These days, there’s this great big fat abstraction layer on top of everything that keeps you pretty well disconnected from what’s actually going on. Thing is, it’s a trivial task to see what’s going on underneath, you just fire up an HTTP proxy like Fiddler, sit back and watch the show.

Let me introduce you to the seedy underbelly of the iPhone, a world where not all is as it seems and certainly not all is as it should be.

Monday, 17 October 2011

Open letter to First State Super re responsible security disclosure

This is an online reproduction of the letter sent to First State Super today.

I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets.

As you’d be aware by now, this incident has gained worldwide attention and, as you’d also be aware, the public response hasn’t exactly been in First State’s favour (refer to Security Researcher Threatened With Vulnerability Repair Bill on Slashdot). What Patrick did – and what many of us do – is make a conscious effort to partake in what’s referred to as “responsible disclosure”. The intent is to alert the organisation to potential risks in their software in an ethical fashion so that they may be remediated before they are maliciously exploited. As appears to be the case here, these risks are frequently simply observed by security-conscious customers during the course of their legitimate use of the software.

Thursday, 13 October 2011

Anatomy of a virus call centre scam

I just had a call from a very nice woman who appeared to be from the subcontinent and wanted to help me remove viruses from my computer. Normally I’d dispense with such callers in a pretty quick, ruthless fashion but given the nature of this one I thought it was worth recording and sharing. It all unravels and the gig is finally up at the 23 minute mark. Enjoy!

TL;DR: Here are the steps they wanted followed:

  1. Open the event viewer then establish there are errors and warnings (these are viruses).
  2. Open the Windows prefetch folder and establish there are files in there (these are infected with the aforementioned viruses).
  3. Claim my Windows licence needed to be renewed and that it would cost $315 Aussie.
  4. Open www.support.me and run their remote desktop software with the code 226841.

Clearly this is where I stopped. LogMeIn (the provider of the remote desktop service) is a perfectly legitimate organisation and I’ve contacted them to report the incident and the code used.

This is obviously a pretty organised scam. They put me through to three different people and you can hear a lot of call centre activity in the background. Given the generally well-organised nature of the scam, I’m surprised I kept them going for nearly half an hour (there were a few minutes before I started recording), but I guess it’s all part of establishing the FUD. Nasty stuff.

Update: A lot of people were wondering what the scammers would have done had they gained access to the machine, so I called them back. Watch the whole thing in my post about Scamming the scammers – catching the virus call centre scammers red-handed.

Wednesday, 5 October 2011

Birth of a UX – ASafaWeb gets an identity part 2

Back in part 1 of Birth of a UX I talked about identifying styles that I liked, the head start the default MVC 3 template gives you, the eternal battle of Photoshop first versus CSS first, CSS resets and then actually making a start on styling one central element of ASafaWeb and making it all play nice across browsers. And that was it – phew!

This time around it’s about debugging the markup, building the nav and then completely changing my mind about CSS resets. Well, perhaps not completely, but rather understanding a little bit more about what “reset” really means and instead coming at it from a different angle by using a “normalisation” approach. It might sound a bit semantic, but there’s an important philosophical difference.

Speaking of semantics, we’ll also have a good look at what semantics mean in HTML markup. It’s a pretty important concept which is often misunderstood, so I’ll give it a recap here.

Tuesday, 4 October 2011

5 minute wonders: The ASP.NET membership provider

Oftentimes I’ll have a discussion with a software vendor or developer about implementing a particular piece of functionality or performing a certain task which I perceive as easy, but they’ll come back with some sort of outlandish estimate.

“Securely implement an authentication mechanism? 3 weeks please!”

“Identify network performance issues in a web app? Hmmm, maybe 2 or 3 days.”

And so on and so forth. Part of my day job is to try and get the most bang for buck from my employer’s hard-earned dollars, so I’ll usually revert with something like “Hang on – I’m not asking you to fly to the moon, this should be a 5 minute job.” Perhaps it’s just the ingratiating nature of some people, but I’ll often hear something along the lines of “Ah, but you’re very smart!” Uh, no, that’s not the reason.

I simply know some shortcuts, that’s all. They’re not necessarily high tech and often they’re reasonably well known, but they’re the sort of thing where, if you don’t know about them, you end up blowing days or weeks or simply putting the task in the “too hard” basket and missing out on some of the goodness which is out there at your disposal.

The idea of “5 minute wonders” is to show how simple development life can be using some of these tricks (hat tip to Jim Hare for inspiring the title with his Little Wonders series). They’ll all be videos, they’ll never run for more than 5 minutes and they’ll always be practical. They’ll be old hat to many people, but for others it will be a new world they didn’t know already existed right in front of them.
