So far on my spike into Rust we have been on a roll. Next on the bucket list is an embedded disk backed B-tree database to act as the Paxos journal for TRex. This is where I have hit my first bump in the road. Read the rest of this entry »
Those of you who have been following along will know that Scala on Linux is my preferred ecosystem. This past few weeks in the office I have been tinkering with the opensource C# ASP.NET ecosystem. What I came across shocked me to the dotnet core. I have posted some evidence of my findings up on GitHub. Read the rest of this entry »
A good friend of mine is working on a project which hosts media libraries in his cloud service. At the end of 2015, I integrated Cassandra into a big financial services platform. Cassandra is a great fit for my friend’s service. In this post, I will outline an appropriate Cassandra data model and along the way outline some of the killer features of Cassandra. Read the rest of this entry »
Today’s Morning Paper post is a must read for software engineers: “Designing software for ease of extension and contraction Parnas, IEEE Transactions on Software Engineering, 1979″
Detour: Why use JPA in this demo?
For the purposes of this demo, JPA is an officially supported part of the Java ecosystem and is a mature and well documented Java-to-relational mapping tool. Yes, it has quite a few quirks. If you fight it you will probably lose (your mind). If you learn how to do the basics and don’t deviate from that it can be a used as a rapid application tool to support an agile TDD build on Java against a relational database. Read the rest of this entry »
This morning I was dismayed to get an email from LinkedIn to say that emails and passwords stolen in 2012 were available online. So they had reset the passwords of all emails accounts that haven’t changed their passwords since 2012. Okay sounds like a solid precaution against dictionary attacks on the stolen encrypted password details, right? Wrong.
They then want on to say:
LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.
Wow so in 2012 they were not properly salting the passwords and so those passwords, which users may have used across different sites, were not properly encrypted. That’s shockingly bad.
Further more salting passwords isn’t state of the art security. LinkedIn are still having the password set over the network to then salt it and save it in the database. So they are safe again the database getting stolen again but not against any other form of compromises on their network infrastructure. They should have upgrade to the Secure Remote Password protocol.
For a professional social network site it would seem that Facebook is lacking knowledgeable engineers and don’t have security as something built into their software development lifecycle.
interesting analysis of the world of spam
Click Trajectories: End-to-end analysis of the spam value chain – Levchenko et al. IEEE Symposium on Security and Privacy, 2011
This week we’re going to be looking at some of the less desirable corners of the internet: spam, malvertisements, click-jacking, typosquatting, and friends. To kick things off, today’s paper gives an insight into the end-to-end spam value chain. If we really want to stop spam it turns out, talk to the banks…
As an advertising medium, spam ultimately shares the underlying business model of all advertising. So long as the revenue driven by spam campaigns exceeds their cost, spam remains a profitable enterprise. This glib description belies the complexity of the modern spam business…
There’s much more to spam than just the email! There are three key stages – advertising, click support, and realization – supported by a whole value chain.
Advertising concerns how…
View original post 1,531 more words
Uncovering bugs in Distributed Storage Systems during Testing (not in production!) – Deligiannis et al. 2016
We interviewed technical leaders and senior managers in Microsoft Azure regarding the top problems in distributed system development. The consensus was that one of the most critical problems today is how to improve testing coverage so that bugs can be uncovered during testing and not in production. The need for better testing techniques is not specific to Microsoft; other companies such as Amazon and Google, have acknowledged that testing methodologies have to improve to be able to reason about the correctness of increasingly more complex distributed systems that are used in production.
The AWS team used formal methods with TLA+, which was highly effective but falls short of checking the actual executable code. The Microsoft IronFleet team used the Dafny language and program verifier to verify system correctness and compile it to…
View original post 1,019 more words
The recent Heartbleed debacle had me remember a project a decade ago where the version of weblogic was upgraded but the script failed to deploy the matching version of the apache plugin. Fortunately we contracted a pen test firm who threw a load of custom perl script attacks at the site before we let the public in. They found that the error responses being thrown back to the attack scripts were just like Heartbleed; raw chunks of memory containing whatever was passing through the web server after having been decrypted. Read the rest of this entry »
In my last post we took a look at Immutable Session State in Scala. That outlined an immutable SessionState data structure suitable to wrap in an Actor running in the mighty yet diminutive Socko Web Server. In this post we will pick up where we left off and use the SessionState data structure wrapped in an Actor to implement user registration with openid4java. Read the rest of this entry »