Web Browser Security: Cracked in minutes

There was a hacking contest at the [CanSecWest 2009 security conference](http://cansecwest.com/) this past week, and it proved that web browsers still aren’t secure. Here’s [the report](http://www.heise.de/english/newsticker/news/134843):

> Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X in a matter of seconds.

> Following Miller, a 25 year old computer science student at the University of Oldenburg in Germany, who went by the name of ‘Nils’, used an exploit on Microsoft’s Internet Explorer 8 circumventing the latest Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR)… he then demonstrated an exploit for Safari and Mozilla’s Firefox.

What does this mean for me and you? That if a well organized group or well funded organization wants to, they can and will hack your machine.

I think there’s an extremely high likelihood that these hackers exploited a hole in JavaScript or Flash, not in the web browser’s rendering of HTML itself. Running untrusted code from random sites never has been, and never will be, without security risk. That’s why I use the [NoScript](http://noscript.net/getit) Firefox extension. Unfortunately, it makes many sites confusing by reducing the “richness” of the web browsing experience, and can even break online shopping.

Is there a moral of the story here? Life is risky. Surfing the web is risky. By avoiding all risk, there is no opportunity, no life.

Interesting Article: Nuclear power? Yes please!

Ars Technica has an interesting article “[Nuclear power? Yes please!](http://arstechnica.com/science/news/2009/03/nuclear-power-yes-please.ars)” that reports, “Nuclear power will have to form part of a comprehensive post-carbon energy infrastructure, and its downsides are greatly overstated, according to a group of experts.”

Safer Way to Produce Stem Cell Alternative

> Scientists have developed what appears to be a safer way to create a promising alternative to embryonic stem cells, boosting hopes that such cells could sidestep the moral and political quagmire that has hindered the development of a new generation of cures.

[Read more…](http://www.washingtonpost.com/wp-dyn/content/article/2009/03/01/AR2009030101741.html)

mwrc: Saturday evening Lightning Talks

Binary Lottery code — how he wrote the app.

Mhong – EventMachine. `require 'eventmachine'`. `EM.run { block }` takes
over your Ruby process: nothing after that call runs until the reactor stops.

There's `EM::PeriodicTimer` and single-fire timers: `EM.add_timer(2) { block }`.
To use EM in your web app, `require 'thin'` or spin up a new thread and call
`EM.run`. `EM::HttpRequest.new … EM.system() … { if status.exitstatus == 0
… end }`. Message queues, etc. Looks cool.

Dana Gray – regular expressions. "It's been two days since my last regular
expression." She went over the basics of regular expression string matching: how
to match word characters, positional anchors, capturing and non-capturing
parentheses, grouping, character classes. Don't fear regex, embrace regex.
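The building blocks she listed, put together in one place. This is an added example, not code from the talk; the sshd log lines it parses are constructed for the example, and `parse_auth_line`, `failed_logins` and `valid_username?` are names chosen here. The second half shows the anchor trap that bites input validation in Ruby: `^` and `$` match at every line boundary, so a value containing a newline passes a `^…$` check, while `\A` and `\z` pin the whole string.

```ruby
# Added example: named captures, anchors, character classes, capturing and
# non-capturing groups, applied to a constructed sshd log line. The /x flag
# lets each piece be labelled.
AUTH_LINE = /\A
  (?<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})   # word chars and digits: "Mar 14 02:13:07"
  \s(?<host>[\w.-]+)                           # character class for a hostname
  \ssshd\[(?<pid>\d+)\]:                       # literal brackets must be escaped
  \s(?<result>Accepted|Failed)                 # capturing alternation
  \s(?:password|publickey)                     # non-capturing: the method is not kept
  \sfor\s(?:invalid\suser\s)?(?<user>\S+)      # optional non-capturing group
  \sfrom\s(?<ip>(?:\d{1,3}\.){3}\d{1,3})       # grouping with a repeat count
  \sport\s(?<port>\d+)\sssh2
\z/x

def parse_auth_line(line)
  m = AUTH_LINE.match(line.chomp)
  return nil unless m
  {
    ts: m[:ts], host: m[:host], pid: m[:pid].to_i, result: m[:result],
    user: m[:user], ip: m[:ip], port: m[:port].to_i
  }
end

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_LINES = [
  'Mar 14 02:13:07 host1 sshd[2151]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2',
  'Mar 14 02:14:00 host1 sshd[2160]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2',
  'Mar 14 02:14:09 host1 sshd[2160]: pam_unix(sshd:session): session opened for user alice'
]

# Lines the pattern does not match (the pam_unix line) are dropped, not guessed at.
def failed_logins(lines)
  lines.map { |l| parse_auth_line(l) }.compact.select { |r| r[:result] == 'Failed' }
end

# Positional anchors: in Ruby ^ and $ are line anchors, so a newline smuggles
# extra content past them. \A and \z anchor to the whole string.
LINE_ANCHORED   = /^[a-z_][a-z0-9_-]*$/
STRING_ANCHORED = /\A[a-z_][a-z0-9_-]*\z/

def valid_username?(name, re = STRING_ANCHORED)
  re.match?(name)
end

if __FILE__ == $0
  failed_logins(SAMPLE_LINES).each { |r| puts "#{r[:user]} from #{r[:ip]}:#{r[:port]}" }
  p valid_username?("bob\nrm -rf /")                  # false
  p valid_username?("bob\nrm -rf /", LINE_ANCHORED)   # true: the trap
end
```

Whenever a regex is the gatekeeper for a value that reaches a shell, a query or a filename, use `\A` and `\z`; `^` and `$` are fine for scanning a log, where per-line matching is what you want.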

Jake Cahoon from the Utah Valley Ruby Users Group. He used a slightly
monkey-patched 'feedzirra' module to pull tweets using Ruby code. He finished
writing the code at 2 A.M. this morning. Now it pulls tweets and puts them into
IRC. His code is on http://pastie.org

MerbCamp videos from last year are online. How to do Rack testing with
`require 'rackbox/spec'`: he wrote three apps that echo text in three different
frameworks (Sinatra, Merb, Rails), and showed the tests running against each.
All in five minutes.

Sockets and Ruby. (The client's host argument was garbled in my notes; 127.0.0.1 matches the server line.)
`require 'socket'; client = TCPSocket.new('127.0.0.1', 6789); client.write("Hello!")`

`server = TCPServer.new('127.0.0.1', 6789); client = server.accept; client.recv(500)`
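The two one-liners above, as one script you can run offline. This is an added example rather than the presenter's code; the `echo_roundtrip` name and the use of an ephemeral port are choices made here. Two things a practitioner would want that the one-liners leave out: the listener is bound to the loopback address (not `0.0.0.0`), and the client waits for the reply with a timeout instead of blocking forever on a peer that never answers.

```ruby
require 'socket'

# Added example: a loopback TCP echo exchange. Port 0 asks the kernel for a
# free ephemeral port, so the script does not collide with anything on 6789.
def echo_roundtrip(message, timeout: 2)
  server = TCPServer.new('127.0.0.1', 0)   # loopback only: not reachable from the network
  port = server.addr[1]

  # Server side: accept one client, read at most 500 bytes, echo them back.
  # recv(500) is an upper bound on what one call returns, not a framing rule;
  # a real protocol needs a length prefix or delimiter.
  server_thread = Thread.new do
    conn = server.accept
    data = conn.recv(500)
    conn.write(data)
    conn.close
  end

  client = TCPSocket.new('127.0.0.1', port)
  client.write(message)
  # Bounded wait for the reply; a silent peer yields nil instead of a hang.
  ready = IO.select([client], nil, nil, timeout)
  reply = ready ? client.recv(500) : nil
  client.close
  server_thread.join
  server.close
  reply
end

if __FILE__ == $0
  p echo_roundtrip('Hello!')   # "Hello!"
end
```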

MongoDB – a document-oriented data store. Supports native Ruby objects. Has
full index support. Uses memory-mapped files for speed. Has a file storage API.
Will support sharding soon. Best use cases: most web apps, caching (memcachedb
+ indexes), when you need high scalability. Worst use cases:
transactional systems, data warehouses. Why should you use it? Fast! No
migrations, ever. Replaces memcached & Tokyo. Has great Ruby support, and it's
not MySQL. http://mongodb.org

It's easy to contribute RSpecs to Rubinius. One presenter showed how.

Brian Marick: How to learn from the screw-ups of the past. He's been involved
in three movements in computer programming in the past 20 years. First, it was
Lisp, which was going to take over the world, but died when it failed in the
commercial world. Second was ???, and third is Ruby. He thinks "agile" is in
trouble like Lisp was in trouble. Agile was founded by people who like to
program. The key thing that was missing from agile is solidarity of action. He
ran out of time to complete his thoughts.

Coby R. announced the LA Ruby Conf – April 4th, 2009

Justin Graham showed a working example of Adhearsion (the Ruby telephony
framework for Asterisk).

Pat Eyler – Ruby Brigades. You should participate in your local Ruby Brigade so that you can strengthen the community. It’s a chance to grow and learn. The best way to learn is to teach others. Simply show up. It’s discouraging when someone organizes a group and no one shows up. Get on the mailing list. Don’t just subscribe. Ask questions. Answer questions. Be involved. Give a lightning talk at the meeting.

There are two types of meetings: Ones that are a launchpad, and ones that are a destination. Don’t let your meetings become a destination. Make the world a better place.

mwrc: Jim Weirich: The Building Blocks of Modularity

Jim Weirich: The Building Blocks of Modularity

Interview questions:

– What tech books have you read lately? To gauge their interest in continued
learning.
– How do you recognize a good design?

Someone said they’d come and listen to him talk about oatmeal. So guess what?
He’s going to talk about oatmeal.

At one time, the thought was that matter was like a bowl of oatmeal, that it
was fairly consistent all the way through with maybe a few lumps. Then Rutherford's
group fired alpha particles at a thin gold foil and found out that that wasn't
true. Matter is like a bowl of oatmeal with raisins and apples in it. That's
when scientists started developing their atomic theory. Several forces in the
universe: gravity, electromagnetism, strong nuclear, weak nuclear. Why should
there be so many different forces? They tried to come up with a Grand Unified
Theory, and they're still working on it.

In computers, we have some principles we use to write software:

– SOLID
– Law of Demeter
– DRY
– Small Methods
– Design by Contract
– etc.

Is there a grand unified theory of software development? That’s what he wants
to think about and discuss today.

Everyone should have a mentor when they get started in their careers. He did.

Coupling & cohesion. The connection between modules, and how well a module
itself fits together. Less coupling is good. Too much coupling is bad. Seven
different types of coupling, according to Myers:

– None
– Data
– Stamp
– Control – when you have to describe the function with the word "or" or "otherwise"
– External
– Common
– Content

Which boil down to local data and global data, and whether it’s simple or
structured data.

A simpler way to think about coupling: connascence – things that are born together and change together. Two pieces of software are connascent if changing one requires changing the other. Rule: as the distance between two pieces of software increases, the connascence between them should be weaker.

Connascence of Position (with parameters to methods) versus Connascence of Name
(using a hash to pass parameters). The latter is better when there’s a large
number of parameters.

Connascence of meaning. I.E. Don’t use magic numbers in your code.

Contranascence – when it doesn't matter what magic number you assign to two
different constants, as long as they aren't the same.

Connascence of algorithm. If you change a checksum-checking function, you
also have to change the corresponding function that generates the checksum.

Connascence of timing, of value, etc. This entire talk is on github: git://github.com/jimweirich/presentation_connascence.git
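Three of the connascence types above (position vs. name, meaning, algorithm) in one small piece of Ruby. This is an added example, not from Jim's slides. It uses a keyed MAC in place of the plain checksum he mentioned, since an unkeyed checksum only catches corruption, not tampering; the connascence lesson is identical. The names `tag_for`, `sign`, `verify` and `constant_time_equal?` are chosen here.

```ruby
require 'openssl'

# Connascence of meaning: the digest name and tag length are named once,
# instead of appearing as magic values on both the signing and checking side.
DIGEST    = 'sha256'
TAG_BYTES = 16

# Connascence of algorithm: generation and verification share ONE method.
# If the algorithm changes, it changes here and both sides follow; two
# separate copies would have to be edited in lockstep.
def tag_for(key, payload)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new(DIGEST), key, payload)[0, TAG_BYTES]
end

# Connascence of name, not position: callers pass key and payload by keyword.
# With positional String parameters, sign(payload, key) would still run and
# return a token that looks valid and verifies against nothing.
def sign(key:, payload:)
  payload + '.' + [tag_for(key, payload)].pack('m0')   # m0: base64 without newlines
end

# Compare every byte regardless of where the first mismatch is, so the time
# taken does not leak how much of a forged tag was correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify(key:, token:)
  payload, sep, tag_b64 = token.rpartition('.')   # base64 never contains '.'
  return false if sep.empty?
  given = tag_b64.unpack('m0').first
  constant_time_equal?(given, tag_for(key, payload))
rescue ArgumentError   # strict base64 decoding rejects malformed tags
  false
end

if __FILE__ == $0
  token = sign(key: 'k', payload: 'user=42')
  puts token
  p verify(key: 'k', token: token)                        # true
  p verify(key: 'k', token: token.sub('42', '43'))        # false: payload changed
end
```

Read the two `verify` failures as the rule about distance: the signer and verifier may live in different services, so the only thing they are allowed to share is the name of one algorithm, not two hand-maintained copies of it.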

mwrc: Alan Whitaker on programming passion and Ruby

Alan Whitaker (Lead Media Partners): La Dolce Vita Rubyista

Discovery – something that kids do. Something that many ruby programmers are
doing as they leave old jobs for new jobs where they can use Ruby.

“The real voyage of discovery consists not in seeking new lands, but in seeing
with new eyes.” — Marcel Proust.

Resistance – anything worth doing is likely to meet resistance. Resistance
stands between the life we live and the life we would like to live.

Cultivate passion while maintaining balance in life.

Flow. The book, by Mihaly Csikszentmihalyi.

Enjoyment factors: Clear goals, no distractions, challenge, rapid feedback,
deep involvement, sense of control, loss of self-concern, timelessness.

The book “The Power of Full Engagement” says, “Energy, not time, is our most precious resource”.

mwrc: James Britt: Wii Ruby

James Britt: Wii Ruby

Wii Hardware: CPU, IR Sensor bar, Wiimote, nunchuck, balance board.

The nice thing about the hardware is that you can replace the Wii CPU with a
laptop and still use the rest. Nice third-party sensor bar: PSE112 from Psyclone — runs on batteries.

Why do we like Java? Because of JRuby and because of the really good libraries.

Java libraries:

– WiiRemoteJ: Closed source, jar only.
– WiiUseJ: Open source (GPL v3) on Java 1.6. Sits on a C library.

Ruby wrappers to these libs:

– WiiRemoteJRuby
– WiiUseJRuby

Your laptop needs bluetooth. The Wiimote has an IR camera that reads the IR
lights in the “sensor bar”. He used Linux to do his work. In theory, it should
work on other platforms as well.

Monkeybars.org – wraps Swing in a form of MVC for Ruby

– Controller handles events
– View maps UI to model
– Model holds data

He showed some basic apps he had written. One of them would make music
depending on how you waved the Wiimote.

What’s good?

– Mapping events is easy
– GUI is easy
– MIDI is okay

What’s bad?

– Precise control is HARD
– Project creation is tedious
– Many little annoyances persist

johnnylee.net/projects/wii – great wii hacks

Q: Did you look into the C libraries at all? He went straight to Java.

mwrc: Paul Sadauskas: Writing Adapters for DataMapper

Paul Sadauskas: Writing Adapters for DataMapper

What is DataMapper?

– A lightweight, modular Ruby ORM with
– lazy loading
– strategic eager loading
– plugins (types, migrations, validations, timestamps, sweatshop, is-list, is-searchable, is-versioned, etc.)
– adapters (heap, YAML files, RESTful web services, CouchDB, Sphinx, Netflix, etc.)
– and it's better than ActiveRecord

The goal of the adapter API is to make it as easy as possible to write one. He
then showed how to do it. How do I know my adapter works? Run the tests that
are provided.

Q: What about supporting "join"? That's a good question. Currently, not all
adapters support it.

mwrc: Learn from programming masters by Philippe Hanrigou

Philippe Hanrigou: What The Ruby Craftsman Can Learn From The Smalltalk Master

He talked about Picasso and how he studied the grand masters of classical art
for his entire life. He didn’t imitate them, but he used them for inspiration,
and he was considered a genius.

We, as programmers, can learn from the masters of previous generations. [I dislike Picasso’s art, but agree with the analogy].

– Naming is crucial.
– Use a role-suggesting name

Cognitive Scalability

As our software grows and becomes more complex, how do we maintain the ability
to change the software? It’s so easy for software to get “out of control”.

Look at Ruby's String class and how many methods it has. It's a mess.
Everything depends on String. Every time we add a method to the String class
that converts a string to some other type, we add a reverse dependency from
String on that other class. Instead of `"3/14/2009".to_date`, do
`Date.from_string("3/14/2009")`.

Reduce code to the Essence. Let’s learn from Haiku, which values conciseness.

Symmetry. The Taj Mahal isn’t geometrically symmetrical, but is designed to look that way from one perspective. Symmetry will allow your code to be easier to read and understood. Kent Beck calls this “Reversing Method”.

We should spend more time studying the software grand masters from the Lisp
and Smalltalk communities. And read Kent Beck's books "Smalltalk Best
Practice Patterns" and/or "Implementation Patterns".

Give him feedback on his ideas at [http://ph7spot.com](http://ph7spot.com)

mwrc: Ben Mabey: BDD with Cucumber

Ben Mabey: BDD with Cucumber

He highly recommends “The RSpec Book”. When someone gives you a feature request, the most important question to ask is “Why?”. He demo’d the use of Cucumber. Every test you add also adds maintenance cost.