Saturday, April 24, 2010

2010-04-24 Saturday - Storing Passwords

2011-06-25 Update:
Today I came across this article by Coda Hale:
http://codahale.com/how-to-safely-store-a-password/

...which referenced this paper:

Proceedings of the FREENIX Track:
1999 USENIX Annual Technical Conference
Monterey, California, USA, June 6–11, 1999
http://www.usenix.org/events/usenix99/provos.html
http://www.usenix.org/events/usenix99/provos/provos.pdf

A fellow consulting colleague was chatting with me over a cup of coffee a few weeks ago, and the topic of application security came up.

Some of the obvious things to avoid:
- storing passwords in plain-text in databases
- storing passwords in plain-text in property/configuration file

Using a unique salt for each user's password (rather than no salt, or one salt shared by every user) is one of the better mechanisms.
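As an added illustration of the per-user salt point (example code written for this note, not taken from any of the articles linked here): it uses PBKDF2-HMAC from Python's standard library as a stand-in for the bcrypt scheme in the Provos paper, and contrasts a bare hash, where two users with the same password get the same digest, with a per-user salted hash, where they do not. The iteration count, the salt length and the in-memory `store` dict are assumptions for the example.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example; tune ITERATIONS so that one
# derivation costs tens of milliseconds on the hardware that will run it.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> bytes:
    """The 'wrong way': a bare hash. Users sharing a password share a digest,
    and one precomputed (rainbow) table applies to every user at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted derivation. PBKDF2-HMAC is used here because it is in the
    standard library; bcrypt or scrypt would be used the same way."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def create_user(store: dict, username: str, password: str) -> None:
    """Generate a fresh random salt per user and store it next to the hash.
    The salt is not secret; its job is to make each user's hash unique."""
    salt = os.urandom(SALT_BYTES)
    store[username] = {
        "salt": salt,
        "iterations": ITERATIONS,  # kept per record so the cost can be raised later
        "hash": derive(password, salt),
    }


def verify_password(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that response time
        # does not reveal which usernames exist.
        derive(password, b"\x00" * SALT_BYTES)
        return False
    candidate = derive(password, record["salt"], record["iterations"])
    # Constant-time comparison: no early exit at the first differing byte.
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Constructed users; both deliberately use the same password."""
    store = {}
    passwords = {"alice": "correct horse battery staple",
                 "bob": "correct horse battery staple"}
    for name, pw in passwords.items():
        create_user(store, name, pw)
    return {
        # Bare hashing: identical passwords give identical digests.
        "unsalted_collide": unsalted_hash(passwords["alice"]) == unsalted_hash(passwords["bob"]),
        # Per-user salt: identical passwords give different stored hashes.
        "salted_differ": store["alice"]["hash"] != store["bob"]["hash"],
        "salts_differ": store["alice"]["salt"] != store["bob"]["salt"],
        "alice_ok": verify_password(store, "alice", passwords["alice"]),
        "alice_wrong": verify_password(store, "alice", "Correct horse battery staple"),
        "unknown_user": verify_password(store, "carol", passwords["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Storing the iteration count with each record is what lets the cost be raised for existing users at their next successful login, without a mass reset.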

Here are some interesting postings that review various strategies:

http://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way

http://dustwell.com/how-to-handle-passwords.html 
http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
http://apiwiki.twitter.com/Security-Best-Practices

Some resources that might be of interest to developers:
http://oauth.net/
http://www.cert.org/cert/information/developers.html
http://www.cerias.purdue.edu/
http://isis.poly.edu/
http://www.dwheeler.com/secure-programs/
http://msdn.microsoft.com/en-us/security/default.aspx
http://stackoverflow.com/questions/420843/need-some-help-understanding-password-salt
http://stackoverflow.com/questions/536584/non-random-salt-for-password-hashes/536756#536756

You might think that, at this point in the evolution and maturation of Computer Science and Software Analysis and Design, no commercial software vendor would store passwords in plain-text. Apparently you would be wrong...

http://rondam.blogspot.com/2010/03/danger-will-robinson-rackspace-cloud.html
http://ronrothman.com/public/leftbraned/password-security-its-not-that-hard-but-you-still-cant-get-it-right/
http://web.archive.org/web/20070109023445/http%3A//reddit.com/blog/theft

Even those that don't store passwords in plain-text still have trouble getting security right...
http://blog.sucuri.net/2010/02/godaddy-store-your-passwords-in-clear.html
More great stories at http://blog.sucuri.net/

Credit Union National Association, Inc. has a nice write-up on Password Safety Tips:
http://www.nihfcu.org/filestore/section/227/Password_Safety_Tips.pdf

Microsoft Online Safety
Check Your Password - is it strong?
https://www.microsoft.com/protect/fraud/passwords/checker.aspx

2010-04-24 Saturday - Android Development

Tom Thompson recently published an article in Dr. Dobbs Digest, The iPhone Isn't Easy (April 2010) - which led me to one of his previous articles: The Android Mobile Phone Platform (September 2008).

Some further reading led me to:

http://developer.android.com/resources/tutorials/hello-world.html

http://developer.android.com/sdk/installing.html

http://developer.android.com/sdk/eclipse-adt.html


http://developer.android.com/sdk/android-2.0-highlights.html


http://code.google.com/android/
Android is a software stack for mobile devices that includes an operating system, middleware and key applications. The Android SDK provides the tools and APIs necessary to begin developing applications that run on Android-powered devices.


http://code.google.com/android/add-ons/google-apis/mapkey.html

Friday, April 16, 2010

2010-04-16 - Interview with ZeroTurnaround.com (JRebel 3.0 Release)

The JRebel team (http://www.zeroturnaround.com) is scheduled to release JRebel 3.0 on Friday, April 16th, 2010. I had a chance to meet David Booth, the CEO of ZeroTurnaround, in San Francisco last year during JavaOne – and he was kind enough to arrange for me to spend some time talking with him and Jevgeni Kabanov (Founder, and Chief Technical Officer) about their upcoming release.

Why should someone care about JRebel?

DB: JRebel is one of those tools that every Java EE developer should have in their toolbox. We've seen reports like these two that show that JRebel saves hours of development time right from the first day that it's set up. There are new reports of people reducing their dev time every day, just search Twitter for JRebel and you'll see. But I guess it's probably a good thing to say what JRebel actually is and does eh? Here's the short story: JRebel maps your project workspace directly to your running application. When you change any class, configuration, or resource in your IDE, you can immediately see it in your application, skipping the build and redeploy phases. Last year we surveyed 1100+ Java EE developers and found out that most people are spending 3 to 7 weeks on the redeploy phase alone... We consider that to be wasted time, which can be spent better. The flip side of using JRebel to eliminate redeploys is that development actually becomes more fun.. you get to see the results of your changes right away, instead of waiting for an average of 2.5 mins, just to find out that you've gotta fix some tiny detail. Change code - see changes - fix it - move on.


What are the major changes in JRebel 3.0?

JK: JRebel 3.0 has focused on three key areas: ease of use, more support of key Java EE technologies, and new features. To be more specific, we now support changes to EJB 1.x-3.x interfaces, JSF configuration, JPA entities, JSP scriptlets and even CDI annotations. All of those are picked up on-the-fly, without any visible delay. We also now support changes to Seam beans and configuration as well as to Hibernate entities. Another cool new feature is that now if you add a new static field or enum value, it will be properly initialized. And lots of work went into making the installation and configuration easier, starting with the new GUI editor for the only necessary JRebel configuration file -- rebel.xml.


Last year you changed the name of the product - what prompted that?

DB: Right, in August of 2009 we followed our community's advice, and changed the name JavaRebel to JRebel. I'm sure you've heard that some firms, groups, and even conferences got in trouble for using the trademarked word "Java" in their names.. we just wanted to pre-emptively avoid any issues. We received about 190ish comments and suggestions for names, some of which were quite creative.. like Diponegoro (a Javanese prince that led the rebels in the Java Wars of 1825-1830).. but the most often voted for name was JRebel - so that's what we went with.

Has the product name change been well received?

DB: You know, a year ago from today, we got 70%+ of our keyword-driven site traffic from words like JavaRebel and Java Rebel, and none from JRebel, since it didn't exist yet. Now, we get about 8% of our keyword traffic from those words. "JRebel" has been adopted quite naturally - probably due to the similarities with its old name, and the fact that this isn't a new naming convention - you see "J"something products all over the place.

JK: I think the biggest #fail was that the "jrebel" Twitter account was taken by someone, so we ended up using the "javarebel" Twitter account, which is a source of some confusion.


Any interesting case studies / success stories to share since we talked at JavaOne last year?

DB: It's been a busy year for us, and we've gained a lot of new customers, as well as seen major customers renew their licenses. I wish I could name names, but that's not something that the big US banks allow too often. I can say that one of the major East Coast financial institutions told us that they have developers who save 2-3 hours per day, just by using JRebel. European banks are more open, and we've got a multi-year licensing agreement with DnB NOR, Norway's largest financial services group. They're using Jetty for development and WebSphere for test and production, and even though Jetty is one of the fastest containers in terms of turnaround time, they've found success with JRebel. I've been told that what makes JRebel attractive for them is "more than just saving time spent on waiting. The problem is that when the developer is waiting for the container to start - he is doing a 'context switch' and starts to do something else. And when the container is restarted - he has to switch his attention back to the development. The benefit of JRebel is both saving time and the advantage of the developer staying in 'programming mode' all the time." - IT Department Manager, former Sr. Developer, DnB NOR Bank


What are your plans for the next release?

DB: We'd like to take what we're doing for development teams with JRebel, and apply similar principles to live production applications, with our LiveRebel product line (currently in Private Beta). We envision being able to make small changes to live running applications, while maintaining state, and not affecting user experience. JRebel development will continue as well, and we'll continue to focus on supporting key Java technologies & making JRebel easier to use.

JK: There's no such thing as the next release, cause that would imply that this one isn't perfect :) Truthfully we don't really have plans yet, though we have a feature request list contributed by our users and the team. At the moment all our focus is on kicking 3.0 out of the door.

What is your impression so far of how Oracle has handled the acquisition of Sun? Do you want to comment on Gosling's departure from Oracle?

JK: So far we haven't heard anything conclusive on the governance of Java and JCP, which is the most interesting part for the Java community. If the same confusion keeps going on, Java will continue to stagnate.

As for James' departure -- I have no idea what his responsibilities were at Sun, so I'm not sure if it will have a significant impact on Java. I do know that Java badly needs a BDFL, but I don't think James wanted to fill that role.


Will you have a booth at JavaOne this year?

DB: We will. We've been at JavaOne for the last few years, and always get a lot of people talking about either how awesome they think JRebel is, or saying that they can't believe something like this exists and they hadn't heard about it before. It will be interesting to see how the Oracle folks merge the JavaOne + Develop communities & events. They've got big shoes to fill! Among other places, there's a LinkedIn group for JavaOne for folks who are interested in discussing JavaOne.

Any suggestions you would like to share with Oracle on the direction of Java?

JK: Well, not so much suggestions as some hopes :) I really hope that Oracle will end the design-by-committee nature of Java and assign a single person to oversee its development. Another hope is that the JCP would be transformed into an Eclipse Foundation-like entity. The Eclipse Foundation managed to bring together a lot of partners who are innovating at a truly stupendous pace; I'd like to see the same happen to Java middleware. I don't think that the Apache meritocracy model works as well.


Will JRebel 3.0 work with other languages such as Scala?

JK: JRebel has been working with Scala since the first Scala liftoff in May 2008; in fact, we provide free licenses of JRebel for Scala use. JRebel supports a few other languages as well; with Groovy, we had to integrate with the inline caching to support all the changes that we wanted. Clojure was also recently tested with JRebel, but results were mixed. We might take a closer look in the near future and figure out what went wrong.


Are there any new major collaboration efforts with other vendors in the works?

DB: ahhh yes.. how can I answer this one? We've got something big that we're working on, a collaboration that has been in the works for about a year now, and it's all starting to come together. It's probably not a pairing that you'd expect, but it's with a well-recognized name, and the project is ambitious. It's going to shake up a few folks once released, and make a lot of end-users really happy, since we'll be tearing apart what we consider a customer-insulting business model (even though it makes certain firms quite wealthy). Unfortunately, that's all I can say for now, but stay tuned in early 2011 for an announcement on that.


Summary

I'll have more to report on JRebel 3.0 within a few weeks, as I work through an evaluation for a current large-scale client engagement.
The company offers a free 30-day evaluation of their product (http://www.zeroturnaround.com/jrebel/current/).


Wednesday, April 14, 2010

2010-04-14 Wednesday - JRebel 3.0

My friends over at zeroturnaround.com will release JRebel 3.0 on Friday, April 16th.


JRebel 3.x Changelog


5 JRebel features you couldn’t do in the JVM

2010-04-14 Wednesday - AWS SDK for Java

AWS SDK for Java
http://aws.amazon.com/sdkforjava/
The AWS SDK for Java provides a Java API for AWS infrastructure services, making it even easier for developers to build applications that tap into the cost-effective, scalable, and reliable AWS cloud. Using the SDK, developers can build solutions for Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon SimpleDB, and more. With the AWS SDK for Java, developers get started in minutes with a single, downloadable package that includes the AWS Java library, code samples, and documentation. Eclipse Java IDE users can get started with the SDK easily using the AWS Toolkit for Eclipse.

Copyright

© 2001-2021 International Technology Ventures, Inc., All Rights Reserved.