Programming

All things related to IT security, privacy and compliance.

Don’t forget to check out #InfoSecAndCompliance on Jaiku.

ActiveState Dishes Out Perl For Christmas

Not to be counted among the slackers, ActiveState busts out the Christmas presents early with a discount on their pro bundles and a 5.10 Perl release for all the major platforms.

Well done, and good news for those who need a supported version of the best scripting language out there (sorry Python, PHP & Lua, Perl still rocks).


Microsoft Security SDLC Guide Updated - Developer Highway Code

Microsoft updated their solid, free guide to developing secure software. They discuss generic topics that apply to all development:

  • Integrating security into the SDLC
  • Security engineering objectives
  • Web app security design guidelines
  • Threat modeling (though I’m not crazy about that term)
  • Security architecture & design reviews
  • Security code reviews
  • Security development reviews

and also provide some specific guidance, checklists and information on Microsoft technologies.

A must-read for all developers.


Perl - Now In Strawberry!

Saw this O’Reilly Perl 5.10 post via slashdot (see, they’re still relevant!) and made my way to Strawberry Perl, which ultimately got me to Vanilla Perl.

You can read more about both flavors here and here.

From the wiki:

The purpose of Vanilla Perl is to provide a series of releases that are as close as possible to the core Perl distribution, and containing *only* the minimum changes and additions required to get installation of XS modules from CPAN.

In addition to the modules in Vanilla Perl, Strawberry will also include the entire dependency tree for Bundle::CPAN, as well as a targeted set of upgraded versions of dual CPAN/core modules that have win32-specific fixes.

Thankfully OS X users already have the chocolate flavored version (mmmm…Cocoa).

Everyone join me in wishing Perl a happy 10th birthday! You can read more about the new features here.

I’m liking the given-when statement, function state variables and the fact that kill -9 works correctly in Windows.

(Maybe we’ll see Perl 6 in 2008)


Apple Updates Java, Still No Sign Of Java 6

Apple updated Java on OS X today (they updated Quicktime and GarageBand as well). Unfortunately, we’re not getting Java 6 yet, just performance and bug fixes.

From Software Update:

Java for Mac OS X 10.4, Release 6 delivers improved reliability and compatibility for Java 2 Platform Standard Edition 5.0 and Java 1.4 on Mac OS X 10.4.10 and later. This release updates J2SE 5.0 to version 1.5.0_13 and Java 1.4 to version 1.4.2_16.

For more details on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=307051

As of the time this was posted, the details link did not work, but the update installs without a hitch.

UPDATE: A different link http://docs.info.apple.com/article.html?artnum=307177 now provides information on the security content and it’s significant! Test & update as soon as possible (though Leopard is fairly patched already w/r/t these vulns)!

  • CVE-ID: CVE-2007-5862

    Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

    Impact: A malicious webpage can remove or insert items in the keychain

    Description: An access check may be bypassed for Keychain updates. A specially crafted Java applet may be able to add or remove items from a user’s Keychain, without prompting the user. This update addresses the issue through an improved access check. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Bruno Harbulot of the University of Manchester for reporting this issue.

  • CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005, CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232

    Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

    Impact: Multiple vulnerabilities exist in Java 1.4

    Description: Multiple vulnerabilities exist in Java 1.4, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating Java 1.4 to version 1.4.2_16. These issues are already addressed in systems running Mac OS X v10.5 and later.

  • CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232

    Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

    Impact: Multiple vulnerabilities exist in J2SE 5.0

    Description: Multiple vulnerabilities exist in J2SE 5.0, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating J2SE 5.0 to version 1.5.0_13. These issues are already addressed in systems running Mac OS X v10.5 and later.


Larry Wall For President

In just one article (his annual State of the Onion), Larry Wall gives the reader a full introduction to programming languages, compiler design and explains the current state of programming and scripting with elegance and style. It’s the data equivalent of at least two college courses.

I’m now, dare I say, almost excited about Perl 6, despite having been osmosing Python over the past couple of years and Lua more recently. If sufficient work is done to provide the hooks into Apple’s new Scripting Bridge feature of Leopard, it would make Perl the killer development tool for OS X as well.


Great Quicksilver/MetaMark Python Script!

Great little script here for using the MetaMark URL shortening service in conjunction with Quicksilver.

Some enhancements…

For Firefox users, replace the Safari-laden AppleScript lines with:


applescript = '''tell application "Firefox"
	set ff to properties of front window as list
	get item 3 of ff
end tell'''

For those who would also rather not have a system beep as the notification when shortening completes, here’s a Growl replacement for the beep at the end:

# Argument list, no shell: a quote or metacharacter in either URL reaches growlnotify literally
from subprocess import call
call(['growlnotify', '-n', 'surl', '-m', 'URL Shortened\n' + url + ' :: ' + shortURL])

(That requires installing growlnotify, which you probably did if you’re a Growl user, and having /usr/local/bin in your PATH; you can just prepend that directory onto the growlnotify command to be sure.)
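Why the argument-vector form matters, as an added example that is not part of the original script or of the Quicksilver/Growl tooling: a notification command built by string concatenation is re-parsed by the shell, so a quote or space in the page URL changes the words the shell sees, while an argv list hands the whole message to growlnotify as one argument. The GROWLNOTIFY path and the sample URLs are constructed for the example.

```python
import shlex
import shutil
import subprocess

# Constructed for this example: the directory the post says growlnotify lives in.
GROWLNOTIFY = "/usr/local/bin/growlnotify"


def unsafe_command(url, short_url):
    """The concatenation pattern: one shell string with both URLs spliced in.
    Returned for inspection only; this example never executes it."""
    return ('growlnotify -n "surl" -m "URL Shortened\n'
            + url + ' :: ' + short_url + '"')


def safe_argv(url, short_url):
    """Argument vector for subprocess with shell=False: the whole message,
    quotes and all, travels as a single argv element the shell never parses."""
    return [GROWLNOTIFY, "-n", "surl", "-m",
            "URL Shortened\n" + url + " :: " + short_url]


def shell_words(command):
    """The words a POSIX shell would split a command string into."""
    return shlex.split(command)


def notify(url, short_url):
    """Send the Growl notification if growlnotify is installed.
    Returns True when the command was run, False when the binary is absent."""
    argv = safe_argv(url, short_url)
    if shutil.which(argv[0]) is None:
        return False
    subprocess.run(argv, check=False)
    return True
```

Compare `shell_words(unsafe_command(url, short))` with `safe_argv(url, short)` for a URL such as `http://example.com/?q="a b"`: the shell form yields six words with the quotes eaten, the argv form keeps the message intact as its fifth element.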


PowerShell 2.0 CTP

PowerShell was a huge improvement over CMD.EXE and the features in 2.0 seem to provide even more functionality. Not enough hours in the day to look at all of these shiny new toys…

Windows PowerShell: The Community Technology Preview (CTP) of Windows PowerShell 2.0: “This CTP release helps developers to more easily layer their runtime or GUI on top of PowerShell, leveraging its cmdlets and remoting infrastructure. It includes APIs to create and use a pool of Runspaces (engines) to run cmdlets. This release also presents very early looks at Restricted Runspaces (the ability to declare a script, cmdlet or variable public or private) and the Graphical PowerShell (a script editor and a Unicode-enabled console). These are just a few of the new features I think are interesting in Windows PowerShell 2.0 CTP. Additionally this CTP includes some simple updates… like new parameters to select-string (Context, AllMatches, NotMatch and Encoding) and new operators like -split and -join!”


Rogue Amoeba - Under The Microscope

No doubt some moron will require license codes to have an ESRB rating now…

Rogue Amoeba - Under The Microscope: “One of the professional hazards of being a programmer is the cold sweat which comes when you suddenly realize that some code you’ve written has a terrible bug. It’s worse when you realize that the bug has already been there for months.

The cold-sweat moment came the other day as I was entering a license key into a copy of Fission. The way some of the letters lined up almost looked like a word, how funny. Hey, you could even get a whole license code made up of four-letter words. Four. letter. words”

(Via Daring Fireball.)


Garmin Opens Platform Access & APIs to Developers

Garmin announced the launch of their new developer web site which provides information on and access to “free and licensed Garmin resources and a library of Application Programming Interfaces (APIs), toolkits and web services broken into 4 main categories”:

Device Communications

Start connecting with Garmin devices today — whether you want to send and receive location data directly from your website using the Garmin Communicator Plugin or whether you want to create custom POIs that can be sent to Garmin navigation systems using our Content Toolkit.

Web Services

Access data and utilize core features provided by MotionBased — Garmin’s web-based activity portal. Enable your website to store, manipulate and display Garmin GPS data with little or no development.

Smartphone/PDA Services

Provide mobile applications running on Windows Mobile or Palm OS with access to GPS information, interactive maps and intelligent routing including SMS-based messaging that can be used to transmit position information to supported devices.

Location Based Services

Get Garmin to work for your business solution. Add location-based services to any Java-based mobile phone application and enable fleet tracking, messaging, dispatch and navigation directly on Garmin’s portable navigation devices.

When I get some time to poke around the site, I’ll report back on what you can and cannot do with this new offering from Garmin. On a surface scan, though, it looks very promising and is a welcome surprise from Garmin.


Nike+ & Perl Goodness

Alex Lomas has released a very cool Perl module that gives you programmatic web-service access to your Nike+ running data.

I haven’t had time to play with it yet, so you’ll have to live with the author’s description for the moment:

You can:

  • Authenticate to Nike+ and obtain the login token and cookie
  • Retrieve your last run
  • Retrieve your personal settings (name, preferred units, avatar etc.)
  • Retrieve data on all your runs, ever
  • Get specific pace information on a run (not yet implemented, sorry!)
  • List all your goals and whether you’ve completed them or not
  • List all your challenges
  • See who’s taking part in your challenges, and how they’re doing
  • Display direct URL links to home page/runs/goals/challenges that use the token to bypass login (CAUTION!)
