Archive for the ‘Open Source’ Category

Adobe’s Flex move

April 17th, 2012

Ever since Adobe decided to move Flex into the open source world late last year, many people have been discussing the company’s move. The decision has made some people think that Flex is dying.

When I mention open source to almost anyone other than a computer expert, the response is likely to be: “What’s Open Source?”

To put it simply, open source software is free and generally available on the internet. It is also normally distributed with its underlying code, or source code, which a knowledgeable programmer can read and modify to meet specific business needs, unlike commercial software, which is sold only as a compiled executable.

Nowadays many people are giving HTML5 a shot instead of Flex because they think it is the technology that is going to stick, but it may still be too early to switch. Most of them pay little attention to the fact that, at the time of writing, fewer than 5 percent of browsers support HTML5. A simple search on the internet will give you several reasons to reconsider, or at least think twice, before going ahead with HTML5 as an alternative to Flex. This will most definitely change in the next couple of years, but even then we are likely to go through a few HTML5 iterations before it is widely supported.

I believe a war between the technologies should never occur. Anyone who rules out one of them is not necessarily doing you a disservice, but, as for any project, the pros and cons should always be weighed. There will always be arguments for Flex, such as cleaner code and far better object-oriented and design-pattern support.




Using “Mocking” to make your code testing easier

February 27th, 2012

In today’s information technology projects, all project managers know the importance of good test coverage of their team’s code. This investment is costly in development time, but the return on investment is well established: the main cost of an application is its maintenance, not its development.

On their end, developers have also understood that testing their code allows them to detect errors in their programming much more quickly and to assure themselves that their work is of good quality. The tests also allow developers to guarantee that the behaviour of their code will remain consistent even if another member of the team has to correct or modify it.

Testing also forces the engineer to simplify his or her code in order to make it easier to test, keeping true to the leitmotif “Keep it simple.” Methods are short, have limited responsibilities, and are less complex. By keeping things simple, it is also easier for the developer to mock the behaviours that the code under test is not responsible for.

This article will, therefore, talk about “Mocking” but from an unusual perspective.




Jurackerfest – 2 Hours of Hacking Thrills and Caffeine Highs

August 31st, 2011

The competition

Jurackerfest.ch, which took place on August 27th, was part of the first edition of Jura Security Days. This event was organized by BIMO (www.bimo.ch), whose aim is to promote quality software development, and featured conferences running throughout Friday and Saturday. The white-hat hacking competition was organized by SCRT (www.scrt.ch) who are the organizers of the renowned Insomni’Hack.

In the morning we practiced on specially crafted websites designed with specific errors to give participants an idea of what they would be facing during the contest. After a brief lunch break, we were given two hours to solve a set of 10 varied problems, ranging from a (fairly simple) protocol hack, to an exercise in steganography which no team managed to solve in the timeframe given.

 

The atmosphere

Jurackerfest hacking competition

Arriving early, I found the competition room fairly empty and quiet, but as the starting time neared, it quickly became crowded and lively. Participants came from an array of different backgrounds: there was a technical school teacher with about fifteen of his pupils, quite a few qualified and experienced developers, a few security experts and ordinary citizens interested in picking up a few things along the way…

The buzzing of laptop fans and the smell of energy drinks was overpowering!

The funniest part of it all was that in order to prove that one had indeed found a solution, one had to explain how it was found. And as the solutions themselves usually consisted of random characters, people were constantly running to the referee table with their laptops in their hands, to show both the solution and how they had found it!

 

The team

 

blue-infinity's Thomas Hofer at Jurackerfest

Competing with me was Nicolas Heiniger, currently working in IT security for the Hôpital du Jura. We studied at the EPFL together and spent many exercise sessions tuning our brains to work together (along with three more classmates, who unfortunately could not make it). Knowing each other’s strengths allowed us to split the challenges efficiently.

Nicolas was running BackTrack (a Linux distribution dedicated to penetration testing), while I was running Ubuntu Natty almost out of the box (with zsh and vim added to it).

 

A sample challenge

Out of the ten challenges:

  • One was a cipher to decode (a variation on a Caesar cipher)
  • Two were oriented towards reverse engineering
  • Two were so-called “trivia” challenges (steganography concepts, actually)
  • And the last five were web oriented (e.g. bypassing a JavaScript authentication check, getting around an .htaccess authentication, an SQL injection against a database-backed login…)

One of the reverse engineering challenges consisted of finding the password verified by a Python function.

The source file, which we were given, was not too complex (remember we only had two hours to solve ten challenges):

  • When run, it checked that the number of arguments was correct and, if so, started verifying the user input; if not, it printed usage instructions.
  • The verification consisted of a series of tests, based (amongst others) on comparisons between the value of an internal variable and the position of one character of the input string in the ASCII table (i.e. the value of the corresponding byte).

One of the tests (the last one) checked that the length of the input was exactly seven. Working backwards from there (and with the help of an ASCII table), we were able to work out that the code was Jc4HAcK.
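The challenge file itself is not reproduced on this page. As an added example (not the contest’s code), here is a constructed checker of the shape described above, ordered comparisons on ASCII values with the length test last, whose answer is the same Jc4HAcK, together with a small solver that mechanises the “working backwards”: since each test only looks at the current position and earlier ones, the password can be recovered one character at a time by watching which test is the first to fail. The constants and test expressions are mine.

```python
# Constructed stand-in for the Jurackerfest challenge: a checker built from
# ordered comparisons on the ASCII values of the input, ending with a length
# test. The constants are chosen so that the answer is the one recovered in
# the contest ("Jc4HAcK"); the real challenge file is not reproduced here.

# Each test only looks at positions <= its own index, which is what makes the
# position-by-position solving below possible.
TESTS = [
    lambda b: b[0] == 0x4A,          # 'J'
    lambda b: b[1] - b[0] == 25,     # 'c' = 'J' + 25
    lambda b: b[2] + b[1] == 151,    # '4'
    lambda b: b[3] ^ 0x20 == 104,    # 'H': flipping the case bit gives 'h'
    lambda b: b[4] * 2 == 130,       # 'A'
    lambda b: b[5] == b[1],          # 'c' again
    lambda b: b[6] - b[3] == 3,      # 'K' = 'H' + 3
]
EXPECTED_LENGTH = 7                  # the last check in the original: len == 7


def check_password(pw: str) -> bool:
    """What the challenge script does: run the tests in order, then check the length."""
    b = [ord(c) for c in pw]
    for i, test in enumerate(TESTS):
        if len(b) <= i or not test(b):
            return False
    return len(b) == EXPECTED_LENGTH


def first_failing_test(pw: str) -> int:
    """Index of the first test that fails, or len(TESTS) if all pass.

    This is the oracle you get for free when you can read (or trace) the script:
    you see exactly how far a candidate got before being rejected."""
    b = [ord(c) for c in pw]
    for i, test in enumerate(TESTS):
        if len(b) <= i or not test(b):
            return i
    return len(TESTS)


PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]   # the printable ASCII table


def solve() -> str:
    """Recover the password one character at a time.

    Because test i depends only on positions 0..i, a candidate for position i
    is right exactly when it pushes the first failure past test i."""
    prefix = ""
    for i in range(len(TESTS)):
        for ch in PRINTABLE:
            if first_failing_test(prefix + ch) > i:
                prefix += ch
                break
        else:
            raise ValueError(f"no printable character satisfies test {i}")
    assert len(prefix) == EXPECTED_LENGTH and check_password(prefix)
    return prefix


if __name__ == "__main__":
    print(solve())  # Jc4HAcK
```

The same loop works against a real binary or script as long as you have some signal for how far the input got (an early-exit return code, a trace, a timing difference); a checker that computes a single hash over the whole input and compares it at the end gives no such signal, and that is the design that defeats this approach.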

 

My conclusion

All in all, a very fun day and a thrilling experience (more in my league than extreme sports, admittedly). And a surprisingly satisfying outcome, since Nicolas and I were first-timers in an ethical hacking contest. Next time though (and yes, there WILL be a next time), I’ll make sure I have all the necessary tools installed before going, rather than lamenting not having Internet access from there!

PS: How did we fare?

Well, we were proud 3rd place winners… and got our pictures in the local papers! View the article (in French).



Amazing TV program “10”

December 22nd, 2010

If you like TV series that are full of drama and suspense, you’ll love “10”, a Swiss TV series based on the poker world, currently running on Sunday evenings on TSR1 until the end of December and on the site itself.

We were mandated to create the website of the series and were able to use the latest technologies available: HTML5 + Flash (yes Steve, we can mix them) + Facebook APIs + streaming videos (one week before the TSR broadcast), on an open-source LAMP stack.

The website works on multiple devices and is optimized for iPhone, iPad and most of the new smartphones on the market.

It is based on social interactions, and if you like the site and the show, don’t hesitate to give a hand and promote the website on Facebook, Twitter, or send it to your friends, etc.

You can even win DVDs of the complete show if you take a picture of your best POKER FACE and upload it on Facebook.

http://www.10-la-serie.ch




Written by Guillaume Arluison

December 22nd, 2010 at 10:54 am

Newsletters & Mass Mailing Communication

August 3rd, 2010

When it comes to emails and corporate electronic communication, there is often a huge gap of understanding between Marketing and IT, regardless of the size of the organisation.

This is the beginning of a talk I presented a while ago about how hard it is to understand the challenges of email communication, and about one of the solutions we developed in-house.


Misunderstandings between Marketing & IT

Marketing:
  • does not refer to IT when communicating to the outside world
  • does not know technical details
  • does not need IT?

IT:
  • does not understand Marketing needs
  • does not communicate on technical constraints and requirements
  • does not communicate on technical features (tracking, personalization…)

Everybody knows how to use email, from first graders to grandparents (if not great-grandparents!). Therefore, sending out an HTML newsletter shouldn’t be that hard, should it? The answer is yes and no. Given the right tools and a well-thought-out strategy, mass mailings are indeed quite easy to manage. However, if the “add to CC” solution is chosen, many unpleasant surprises lurk around the corner, of which “badly formatted emails” might not be the worst.

From simple email to corporate Communication

Some questions you should ask yourself or your organisation:
  • What is the scope of your mailing? Are we talking about 10 or 10,000?
  • Do you want to target a specific segment of your customers / audience?
  • Do you need personalization for each email?
  • Do you want to keep track of what has been sent, addresses, errors, unsubscribes?
  • Would you like to measure click-through rates or conversion rates (in case of e-commerce)?

Mass mailing has technical impacts

There are also technical aspects to consider, which may affect your mailing strategy.

  • Bandwidth: how much bandwidth will you consume with 200K emails sent from your LAN? Can your network handle it?
  • Spam: are you sure you are doing what is needed? There are a lot of rules to follow to avoid being treated as spam and annoying your audience. In several countries, opt-in and opt-out rules are strictly regulated.
  • Website: how much traffic can your website handle? (Don’t send 200K emails in one go with a link to a promotion if your website cannot take high traffic!)

Not taking these purely technical limitations into consideration can seriously harm your company’s image.

About the template itself

  • Plain text / HTML: do you want to send a plain text email or an HTML one? In the latter case, don’t forget that you still have to provide a plain text version of it. Best practice is also to give, at the top, a link to a hosted version of the email in case your audience’s client software cannot read it properly.
  • Images: do you want them embedded (larger emails, but images displayed automatically) or hosted on a web server (the client generally has to accept remote images before seeing them, but emails are smaller)?
  • Would you like to know whether your emails have been opened and links clicked on?
  • Would you like personalized links in the email to track visitors on your website?
  • etc…

If you need further assistance with these questions, don’t hesitate to contact guillaume.arluison AT b-i.com and we can give you some help. blue-infinity has been managing email campaigns for some of our largest clients for years, and we have even developed our own software for it.
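The points above (a plain-text version alongside the HTML, a hosted-copy link at the top, personalized tracking links, unsubscribe handling) put together in Python, as an added example. This is not blue-infinity’s in-house tool; the hostnames, the signing key and the recipient data are placeholders. The signature on each link is my addition: a tracking or unsubscribe link built only from a recipient id is guessable, so anyone could unsubscribe the next recipient or pollute the click statistics; signing the link fields with an HMAC and checking the signature server-side before counting a click or unsubscribing anyone closes that.

```python
import hashlib
import hmac
import html
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example. A real campaign tool loads the key from
# a secret store and rotates it; the hostnames are placeholders.
SIGNING_KEY = b"example-only-key-do-not-reuse"
TRACKING_HOST = "https://news.example.com"
SENDER = "Newsletter <news@example.com>"


def sign(campaign: str, recipient: str, action: str, target: str) -> str:
    """HMAC-SHA256 over the link fields, so ids in a link cannot be forged or enumerated."""
    data = "\x1f".join((campaign, recipient, action, target)).encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()[:32]


def tracked_link(campaign: str, recipient: str, action: str, target: str = "") -> str:
    """Personalised link: the server records (campaign, recipient, action) and,
    for clicks, redirects to the signed target URL."""
    params = {"c": campaign, "r": recipient, "a": action}
    if target:
        params["u"] = target
    params["s"] = sign(campaign, recipient, action, target)
    return f"{TRACKING_HOST}/t?{urlencode(params)}"


def parse_link(url: str) -> dict:
    """Query string of a tracked link as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_link(query: dict) -> str:
    """Server side: verify the signature before recording anything or redirecting.
    Returns the action to perform, or 'reject'."""
    fields = tuple(query.get(k, "") for k in ("c", "r", "a", "u"))
    if not hmac.compare_digest(query.get("s", ""), sign(*fields)):
        return "reject"
    return fields[2]


def build_message(campaign: str, recipient: str, to_addr: str, first_name: str) -> EmailMessage:
    """multipart/alternative newsletter: plain text first, HTML second, hosted
    copy linked at the top, personalised tracking links, signed unsubscribe."""
    hosted = tracked_link(campaign, recipient, "view")
    promo = tracked_link(campaign, recipient, "click", "https://www.example.com/promo")
    unsub = tracked_link(campaign, recipient, "unsubscribe")

    # Personalisation data comes from a database: neutralise header injection
    # in the subject and HTML injection in the body.
    safe_subject_name = first_name.replace("\r", " ").replace("\n", " ")
    h = lambda s: html.escape(s, quote=True)

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = f"{safe_subject_name}, this week's offers"
    msg["List-Unsubscribe"] = f"<{unsub}>"
    # text/plain part: what clients that cannot render HTML will show
    msg.set_content(
        f"Hello {first_name},\n\n"
        f"Read this email online: {hosted}\n"
        f"This week's offer: {promo}\n\n"
        f"Unsubscribe: {unsub}\n"
    )
    # text/html alternative, hosted-version link at the top
    msg.add_alternative(
        "<html><body>\n"
        f'<p><a href="{h(hosted)}">View this email in your browser</a></p>\n'
        f"<p>Hello {h(first_name)},</p>\n"
        f'<p><a href="{h(promo)}">This week\'s offer</a></p>\n'
        f'<p><a href="{h(unsub)}">Unsubscribe</a></p>\n'
        "</body></html>\n",
        subtype="html",
    )
    return msg
```

Sending is left out (hand the message to smtplib or your relay, ideally in batches, per the bandwidth and website-load points above); on the tracking host, run handle_link on the parsed query of each incoming request and act only on what it returns.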



Written by Guillaume Arluison

August 3rd, 2010 at 9:30 am

Flash is dead. Long live Flash!

May 20th, 2010

Adobe Flash has been a common target of criticism for about 10 years now. When it was DHTML’s time, we heard “Flash is dead!”. Then came Ajax, again amid cries of “Flash is dead!”. Now we have HTML5 and guess what? “Flash is dead!”.

So why do some people have such pessimistic views on Flash when the technology is very much alive?

In my opinion, it’s always interesting to look at an argument from both sides. Critics argue that

“Flash is a commercial product, it’s not a standard”.

Ok. Right. So what? The “standard” idea is at best optimistic, at worst completely hypocritical. Since the creation of the www, every company does freestyle with W3C specifications. I have never, ever, ever seen a web project without compatibility problems between IE, Mozilla etc. If we all followed standards as they were written, we could forget about videos and motion design and say bye bye to YouTube, small online games and the most visually exciting websites of the last decade. I didn’t go into this business because I like data, I went into this business because I love to share and live nice moments.

“You need a plugin to see flash content”.

Right. You need a plugin for Java, you need a plugin for pdf, you need a plugin for SVG, you need a plugin for Quicktime and for everything but HTML and Javascript. Can you do the same things with HTML and Javascript? No. That’s why you need a plugin that takes all of 20 seconds to install, what a pain…

“Flash is not accessible”.

Since 2003, Adobe has put a lot of effort into improving accessibility and they’ve pretty much succeeded. My preferred answer to this argument is: “Ok, HTML development can provide accessibility but when is the last time you cared about that in your projects?” Most of the time: never. It’s not a technical problem, it’s a people problem. You wanna make your web projects accessible? So just do it! Whatever your technology is, it’s just not a major concern in 80% of cases, let’s face it. Flash can do the job as well as any other technology now, especially for video accessibility.

Aside from these three major arguments, it’d take hours for me to write down all the things I’ve heard or read on this subject over the years. If you want to hear more, check with your favorite search engine, you’ll have fun, it’s an endless story…

Before we go any further, have a quick look at what Steve thinks of Flash here : http://www.apple.com/hotnews/thoughts-on-flash/

So now, since the success of the iPhone and Steve Jobs’ very audible attacks on Flash, the critics are out yet again, hailing the end of Flash technology. I’ll admit that I’m not as smart as Steve, but I will try to answer his comments, point by point.




JMX – an answer to the application manageability issue

May 3rd, 2010

Manageability of a running application is a feature that is often forgotten about on a project, not only by the development team, but also by the customer when defining the requirements.

A good application is one that fits business requirements, is developed in compliance with quality criteria, is stable and scalable, etc.

A very good application also addresses operational needs. One of these is the ability to easily control and monitor the running application, in real time.

Lacking the capability to control and monitor usually results in reduced up-time. By monitoring real-time business and technical indicators, problems can be detected before they turn into outages. The application can then be controlled and its configuration changed without interrupting or stopping it.

HTTP servers, application servers and the Java Virtual Machine (JVM) provide management features out of the box (HTTP access logs, memory usage, database connections, etc.), but these are technical and low-level, and do not allow accurate monitoring of the application itself.

One great solution is to add Java Management Extensions (JMX) services to your applications. JMX is the standard way to expose management interfaces in Java: the JVM ships with a built-in JMX agent and the graphical JMX console (jconsole), and most monitoring applications provide JMX connectors out of the box.

JMX offers three valuable features:

  • MBean attributes: read access (and, through setters, write access) to the managed attributes of a Java class
  • MBean operations: invocation of the managed methods of a Java class
  • MBean notifications: a managed class can send notifications to JMX listeners

These features give you configuration changes without redeploying, and application- or business-specific metrics.
Personally I usually use JMX to provide metrics on the access and response time of high- and medium-level services (external services such as web services or EJBs, DAOs, interfaces with external systems…), and sometimes some useful statistics, usually defined in conjunction with the production operators. I also use JMX to control some service parameters, such as the logging level.

You may think “That sounds great, architects always have great ideas but they do not have to suffer the process of implementing them!”. But in this case there is an easy, straightforward and powerful solution: Spring.




Written by Jacques Desmazières

May 3rd, 2010 at 10:56 am

Posted in Java,Methodology,Open Source


Google Chrome OS: All Quiet on the Western Front

February 23rd, 2010

You can always count on Google to create a buzz on the internet with its innovative applications, such as Google Wave for example. In November, Google released the first preview of its new operating system: Google Chrome OS.

Google said that this new operating system targets netbooks that use on-line applications only, without local storage support. The entire system is stored on SSD, and nothing else is stored locally.

That said, I wanted to see for myself what this new Google concept looked like. So I downloaded the Chrome OS VMware image (also available for Sun’s VirtualBox) from the Engadget website and ran it on my PC.

Chrome OS screenshot

Chrome OS is actually built on a Linux kernel with an enhanced Chrome browser as the user interface. Only on-line applications, and some off-line ones (based on the HTML5 off-line access features), can be used. Chrome OS does not handle local storage such as hard drives or USB keys, so there is no way to use your netbook as a video or music player, except with on-line resources (YouTube, Deezer, …).

This new Google operating system left me skeptical. It is based on a Linux kernel but restricted by Google’s specifications. I do not think I would ever pay for a netbook that only works when I can access the internet, on which I cannot store my music and video library, with no way to store my files on a local device or handle external devices (at the time of writing, Google has not announced any solution for printers, for instance :( ). It reminds me of Sun’s network computer concept: a comeback of the old passive terminal, applied to the Cloud. Google seems to target iPad-like devices, but the restrictions are so drastic that I think Apple can sleep soundly ;)

But we will see, as Google always surprises us …


Written by Jacques Desmazières

February 23rd, 2010 at 12:50 pm

Book: Maven the complete reference

February 10th, 2010

You may have read interesting posts on Continuous Integration (CI), Test Driven Development (TDD) or source code and build management processes (maybe even on this blog ;) ). Most of them show solutions based on the Apache Maven tool.

I am not going into details about what Maven is or is not, and how to use it, as Sonatype has released a very good on-line book on the subject, “Maven the complete reference”, and on top of that, it’s free. I have read it and I think this book is THE reference to learn Maven or deepen your knowledge on the subject.

Also, take a look at the review by Nicolas Frankel, a consultant I am working with on a project. I definitely agree with his opinions.

Maven the complete reference's cover


Google Wave: the definitive collaboration tool?

February 4th, 2010

Until I looked at this Google Wave podcast, I have to confess that, in my mind, Google was no more than a cool publisher of web applications, adding innovation to existing concepts. But with regard to Google Wave technology, I definitely changed my mind and I now think Google is imagining the next generation of applications (and not only web applications).

The Google Wave concept is to federate, in a single application, features from several domains such as email, chat, syndication, blogs, collaboration and much more.

To describe Wave in a few words, I would say that Wave is a “real time” communication application where collaboration is the core concept. You can use Wave like email, as waves are persistent and do not need on-line participants, but you can also use it like a chat, concurrently editing a wave with other participants. But that is only the tip of the iceberg, as Google has tried to federate the best of breed of (Google) web applications.

But the reason why I think that Wave is the definitive revolution in communication and collaboration is that it is more than just an application. Wave is built on an open protocol, really similar in concept to the email protocols, allowing Wave servers to communicate with each other. Wave is open source, and you can have your own Wave server, opened onto the internet or not; I think this is a key feature for companies that want to host all of their IT resources themselves, or use Wave only on their intranet for security and confidentiality reasons.
And finally, like Google Maps, Google Wave provides a Wave API allowing you to embed Wave components in web applications, and to implement, customize and extend the Wave client and server. Wave has actually been built as an integration platform around a collaboration platform.

The only drawback I see  is that as a user, you need to change your way of communicating and collaborating. This may take some time, but not always, if the concept is really good and matches with the ways users actually think and act (just think of Apple with the iPhone …) .




How to validate an email address?

January 28th, 2010

Having worked on various web projects, I often encounter a very well known problem: finding an effective regular expression (regexp) to check the validity of user-submitted email addresses.

In his blog, Fighting for a lost cause, Ian Dunn has compiled various regular expressions which try to address this problem. The author’s idea is great: using a set of valid/invalid emails and a simple unit test, he provides a good comparison of some of the most used regexps.

His philosophy is simple: “It’s better to accept a few invalid addresses than reject any valid ones, so I’m looking for 0 false-positives and as few false-negatives as possible.”
But I have noticed two problems:

  1. His “best” regexp does not work in JavaScript (JS does not support advanced features like negative lookbehind…)
  2. The method used to validate IP addresses is not correct (it does not restrict each octet to the 0-255 range)

So I decided to improve another existing regex, created by Warren Gaebel and already enhanced by Guillaume Arluison, by adding another criterion: also checking that the IP address is “really” valid.

Here is my solution:
/^[-a-z0-9~!$%^&*_=+}{\'?]+(\.[-a-z0-9~!$%^&*_=+}{\'?]+)*@([a-z0-9]([-a-z0-9_]?[a-z0-9])*(\.[-a-z0-9_]+)*\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z]{2})|([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})(\.([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})){3})(:[0-9]{1,5})?$/i

This one works very well (it accepts 18/18 valid addresses, with the stricter IP address check, and rejects 19/20 invalid addresses; the one it misses is an over-long address, since the pattern does not check the overall length).

There is just one small problem: each time a new TLD longer than 2 characters is added, you need to append it to the list in the regex. If you want a more generic solution, you can use this variant (note that this version will not check whether the TLD really exists):

/^[-a-z0-9~!$%^&*_=+}{\'?]+(\.[-a-z0-9~!$%^&*_=+}{\'?]+)*@([a-z0-9]([-a-z0-9_]?[a-z0-9])*(\.[-a-z0-9_]+)*\.([a-z]{2,6})|([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})(\.([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})){3})(:[0-9]{1,5})?$/i

Both solutions should be usable in any language with Perl-compatible regular expression syntax, on the server and client side (JavaScript, PHP, Perl, Python, Ruby, etc.), since they use no lookaround or other advanced features.
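As an added example (not from the post), the second regex above loaded into Python and wrapped with the overall length checks that the pattern itself lacks. The limits are those of RFC 5321 (64 octets for the local part, 254 for the whole address); the sample addresses are constructed for this example. Bounding the length before running the pattern also caps the work a backtracking regex engine can be made to do on hostile input, which is the other reason to do it first.

```python
import re

# The post's generic-TLD variant, copied verbatim and only split across lines.
# re.ASCII makes \d mean [0-9] only: Python's \d otherwise matches any Unicode
# digit, which would let non-ASCII digits through the octet check.
EMAIL_RE = re.compile(
    r"^[-a-z0-9~!$%^&*_=+}{\'?]+(\.[-a-z0-9~!$%^&*_=+}{\'?]+)*"
    r"@([a-z0-9]([-a-z0-9_]?[a-z0-9])*(\.[-a-z0-9_]+)*\.([a-z]{2,6})"
    r"|([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})"
    r"(\.([1]?\d{1,2}|2[0-4]{1}\d{1}|25[0-5]{1})){3})"
    r"(:[0-9]{1,5})?$",
    re.IGNORECASE | re.ASCII,
)

# Limits from RFC 5321 (64 octets for the local part, 254 for the address),
# which the regex does not enforce.
MAX_LOCAL_PART = 64
MAX_ADDRESS = 254


def is_valid_email(addr: str) -> bool:
    """Cheap structural checks first, then the pattern."""
    if not addr or len(addr) > MAX_ADDRESS:
        return False
    local, sep, _domain = addr.rpartition("@")
    if not sep or not local or len(local) > MAX_LOCAL_PART:
        return False
    # fullmatch: unlike match/search, a trailing newline does not slip past the $
    return EMAIL_RE.fullmatch(addr) is not None


# Constructed sample set, in the spirit of the valid/invalid list the post refers to.
SAMPLES = {
    "john.doe@example.com": True,
    "user+tag@sub.example.co.uk": True,
    "o'reilly@example.org": True,
    "admin@192.168.0.1:8080": True,      # IP address with port
    "john..doe@example.com": False,      # consecutive dots
    "john@example": False,               # no TLD
    "john@256.1.1.1": False,             # octet out of range
    "john@example.com\n": False,         # trailing newline
    "a" * 65 + "@example.com": False,    # local part too long (the regex alone accepts it)
}


def run_samples() -> list:
    """Sample addresses the validator classifies differently from expected (empty = all good)."""
    return [addr for addr, want in SAMPLES.items() if is_valid_email(addr) != want]


if __name__ == "__main__":
    print("mismatches:", run_samples())  # mismatches: []
```

Whatever the regex, treat its verdict as a syntax check only: the one proof that an address is deliverable and belongs to the person who typed it is a confirmation email sent to it.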



Prelude SIM: Security Information Management system

January 18th, 2010

We live in an over-networked world where security becomes more and more important to protect us from information theft, server downtime and other attacks.

Various solutions exist. I recently gave an internal presentation on Prelude SIM (Security Information Management) System, a project I have contributed to. It is an open source solution which allows you to monitor your infrastructure in real time by correlating events from deployed sensors such as Snort (IDS), Samhain (file system integrity checker) or Prelude-LML (log analyzer), and helps you react quickly to a potential attack.

Here are my slides: Prelude SIM Talk



One of the best open source CMSs: Drupal

December 11th, 2009

Drupal is a free and open source Content Management System (CMS) written in PHP. It lets you easily publish, manage and organize a wide variety of content on a website.

Drupal is highly popular

Drupal is currently used by more than 500,000 users around the world. Dozens of well-known blue chip companies use it, as well as NGOs and not-for-profit organizations. One of the latest famous additions to the long list is the official “whitehouse.gov” website, adopted in October 2009 by the US administration.

Core modules

Drupal comes out of the box with default modules called core modules which can be easily enabled or disabled by the administrator. Here are some features provided by the Drupal core:

  • Access statistics and logging
  • Advanced search functionalities
  • Blogs, books, comments, forums, and polls
  • Caching and feature throttling for improved performance under load
  • Search Engine Friendly URLs (for example, “www.example.com/products” rather than “www.example.com/?q=node/432″)
  • Multi-level menu system
  • Multi-site support
  • Multi-user content creation and editing
  • OpenID support
  • RSS Feed and Feed Aggregator
  • Security/new release update notification
  • User profiles
  • Various access control restrictions (user roles, IP addresses, email)
  • Workflow tools (Triggers and Actions)


Things evolve fast, but take time to be adopted… and understood.

November 4th, 2009

How many bytes are in a Megabyte?

1024 x 1024 = 1,048,576 bytes?

1000 x 1000 = 1,000,000 bytes?

This question/confusion, which seems as old as technology itself, finally got a clear answer.

…in 1998.

What is interesting is that very, very few people know what a Mebibyte is. Do you?

And what is even more disturbing is that it is only with the latest version of Mac OS X, Snow Leopard (10.6, released at the end of August 2009), that at least one OS uses the correct computation (even if it does not use the new unit names)!

It means that a file of 1,000,000 bytes under Mac OS X < 10.6 and any other current operating system (Windows XP/Vista/7, Linux, etc.) is reported as 976 KB, but if you upgrade to Snow Leopard then it suddenly weighs “more”: 1.0 MB.

… but don’t be afraid, that means that your hard drive capacity has increased, too:

a 160 GB hard drive gives you 149.0 GB under Windows XP but “enlarges” to 160 GB on Snow Leopard.




Written by Guillaume Arluison

November 4th, 2009 at 10:15 am

When the best is the enemy of the good

September 22nd, 2009

(from “Le meilleur est l’ennemi du bien” – Voltaire)

If you use the internet as much as we do, you probably use Google and you probably find HTTPS security problems quite scary.

If by any chance, like me, you search for “edu” on Google:

http://www.google.ch/search?q=edu&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a

with Firefox 3.5 or greater, and when the first result is “mailedu.ge.ch” as below (this may change in the future, or depending on your Google search history), this is what happens:

google certificate error

And this comes as a bit of a shock. At least it did for me. What? A certificate problem with Google?

Every time you try, same problem.

Well, funnily enough, this problem should happen very, very rarely. The reason is that Google’s engineers have probably realized that most of the time, when a user searches for something with Google, he/she will click on the first result.

On the other hand, Firefox 3.5 implements a “prefetch” mechanism. This is derived from the old “internet accelerators”, when some developers thought it was a good idea to have a program “click” links for you, prefetching pages into the browser cache before the user had chosen which one to click on (supposedly useful when you had a low-bandwidth connection).

This time it is better organised: it is the webmaster of the site the user is visiting who decides whether to put special tags in the HTML to enable this feature, for example:

<link rel="prefetch" href="/images/big.jpeg">

will prefetch the big family poster while you are still looking at the article and the thumbnail.

So when you use Google with Firefox (latest version), the first link in the results list is automatically prefetched.

In the case shown above, the browser tried to prefetch the “mailedu” HTTPS link, which sadly had a problem with its certificate, and that made it look like Google had the problem.



Written by Guillaume Arluison

September 22nd, 2009 at 11:49 am