Month: March 2009

  • Texas School Board of Education ^W Dumbasses

    SHAME! SHAME! SHAME!

Texas’ Board of Education will be ridiculed by pretty much everyone (including me in this post). I would make more fun of them if the consequence of their gross incompetence didn’t lead directly to irreparable harm to the next ten years’ worth of students, who will be unemployable in any medical, biomedical, biology, DNA testing, stem cell research, drug research, geology, paleontology, farming, animal husbandry, crop research, or pretty much any field which requires them to understand the basics – or indeed, fine detail – of evolution.

    Modern medicine, to name but just one field, doesn’t make ANY sense except if evolution is true. It’s as simple as that. There’s about as much doubt regarding evolution as there is doubt the planet is round and is orbiting our sun.

In my view (and IANAL), these students have due cause to sue the asses off the Board of Education for future earnings loss. What does a specialist medical doctor make per year? Half a million? A million per year? Multiply by the number of students in each of these fields… whoa, that’s a lot of moolah.

    I call on all biology text book authors to refuse to allow “updated” editions to be issued with the forthcoming Texas changes. If the schools can’t buy any books, so be it. They can use the ones they have today that have the facts, instead of sowing doubt. Scientists everywhere should make it incredibly clear to their congress critters and senators, as well as their local Boards of Education, that this decision is about as dumb as they come.

I’m actually struggling to understand how “educated” folks, charged with the incredible responsibility of educating their state’s children, could be so abusive. They should be sacked immediately and this terrible position struck down for all time.

  • Baby Girl Makes 21,710,079

    Mackenzie is now an Australian citizen. Awesome.

  • The new dark ages are approaching

    When I left for America, I was surprised at how few places accepted electronic payment methods compared to our experience in Australia. By the time we left the USA barely two years later, that was not a problem – almost everywhere took cards.

    Except … now, we’re back in Australia, and things have gone backward. Few places have EFTPOS now. It’s actually hard to pay electronically. Where I live, it’s impossible to buy coffee using EFTPOS, debit or credit cards.

    I bet it is because the local Big 4 banks are cutting their noses off to spite themselves. It leads me to believe we are entering the downward spiral into luddite non-use of electronic payments. We may have seen “peak” EFTPOS rollouts, and it’s all downhill from here.

We’ll be a cash society soon, and this is incredibly bad. So many things that were once trivial to do will now require effort. It will cut economic output. Folks like me who refuse to pay the “disloyalty” fees at ATMs just will not buy at places without card machines when we run out of cash.

    This is bad news for the local economy, bad news for the banks, and bad news for employment. And bad news for me because I do not get a good cup of coffee and I’m pissed off.

  • ESAPI for PHP news

AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilities, etc.) are present and working:

    ESAPI for PHP tests passing

    This is very good news as although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port as PHP does not have the equivalent of J2EE Set, List, HashMap, and many other basic data structures. What PHP does have is native associative arrays (somewhat like HashMaps), ArrayObject, and ArrayIterator from the SPL. The problem is that PHP doesn’t like sparse arrays with very long indexes:

$foo["THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX."] = $value;

    So I had to make up a workable hash function and hope for zero collisions. I tried using spl_object_hash(), but that actually is too good. It uses the object’s value AND pointer position, such that:

    // spl_object_hash() only accepts objects, so the equal values are wrapped in objects here
    $foo = (object) ['v' => '123'];
    $bar = (object) ['v' => '123'];
    spl_object_hash($foo) != spl_object_hash($bar); // true: two distinct objects, same value

    I think I still need to add a few more test cases as my hash function WILL collide when there are two direct object references of the same value, and thus will not be safe for some uses.
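To make the trade-off above concrete, here is an added illustration (my own sketch, not the ESAPI for PHP project’s code) of a minimal random access reference map that keys direct references by a value hash of their serialized form. It shows the collision behaviour described above: two distinct objects with identical contents map to the same indirect reference, while an unknown indirect reference is refused rather than guessed.

```php
<?php
// Added illustration, not ESAPI for PHP code. Class and method names are
// hypothetical; they mirror the shape of ESAPI's RandomAccessReferenceMap.

class AccessControlException extends RuntimeException {}

class SimpleRandomAccessReferenceMap
{
    private array $itoD = []; // indirect reference => direct reference
    private array $dtoI = []; // hash(direct reference) => indirect reference

    // Deterministic value hash: stable across requests (unlike spl_object_hash),
    // but two references with equal serialized contents collide.
    private function keyOf($direct): string
    {
        return hash('sha256', serialize($direct));
    }

    public function addDirectReference($direct): string
    {
        $key = $this->keyOf($direct);
        if (isset($this->dtoI[$key])) {
            return $this->dtoI[$key]; // already mapped, or a colliding equal value
        }
        do {
            // 6 unguessable hex characters; the loop guards against a rare duplicate
            $indirect = bin2hex(random_bytes(3));
        } while (isset($this->itoD[$indirect]));
        $this->itoD[$indirect] = $direct;
        $this->dtoI[$key] = $indirect;
        return $indirect;
    }

    public function getDirectReference(string $indirect)
    {
        if (!isset($this->itoD[$indirect])) {
            // Unknown or tampered indirect reference: deny, never fall back to a guess
            throw new AccessControlException("Access denied for reference: $indirect");
        }
        return $this->itoD[$indirect];
    }
}

// Constructed sample data: a file path and two equal-valued records.
$map = new SimpleRandomAccessReferenceMap();
$a = $map->addDirectReference('/accounts/1001.txt');
$b = $map->addDirectReference((object) ['id' => 42]);
$c = $map->addDirectReference((object) ['id' => 42]); // collides with $b
var_dump($map->getDirectReference($a) === '/accounts/1001.txt', $b === $c);
try { $map->getDirectReference('000000'); } catch (AccessControlException $e) { echo $e->getMessage(), "\n"; }
```

Swapping `keyOf()` for `spl_object_hash()` would give identity semantics (no collision between `$b` and `$c`) but only for objects, and only within one request.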

  • ESAPI for PHP – first tests passed

    I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class.
    PHP ESAPI Exception Test Suite pass

    This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes, it’s one test, but it tests the exceptions thrown by every single one of the Exception classes.

This is key as ESAPI throws a lot of ESAPI exceptions when things go south. In addition to ESAPI exceptions, the PHP port will also throw SPL exceptions, such as InvalidArgumentException and so on, where it makes sense to do so.

To get this far, I’ve had to hand-hack the Authenticator, User, Logger, and Intrusion Detection classes – currently no errors are sent out by ESAPI for PHP, but give me a bit of time and it will happen. String Utilities is also partially there. Authenticator is interesting as it actually does generate strong passwords, and actually reads the user’s file from the resources directory and decodes it into an array. However, some of these behaviours are hard-wired to allow more of the Milestone 1 classes to pass tests, rather than being part of the Milestone 3 build.

    I’ve started work on the RandomAccessReferenceMap class. It’s almost there; but unfortunately, I’ve got to go to bed as it’s 2 AM. It’s so close I can smell it. Once done, that class is a close relative of the IntegerReferenceAccessMap, and so there are likely to be two valid and useful ESAPI for PHP classes done soon. I’ll see if I can finish it and check it in before I have to go to work on Monday.

  • Web training news

    No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism.

    In some exciting news:

    • I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project finds a home for it. I’ll come back and link to it when it’s ready. Very rarely does an entire 1+ day deck escape into the wild, so I hope the OWASP Education community runs with it, and constantly improves it.
    • My deck is forming the basis of Pure Hacking’s new two day developer training! Obviously, we’ll be extending the deck and giving it the Pure Hacking spin, but fundamentally it’ll be the same focus on building secure applications and not breaking crap applications. Our new deck will be ready at the end of the month for your training pleasure!

    In other news, Pure Hacking is holding a one day WebEx (i.e. remote) training session on Testing Web Applications with Ty Miller as your host. If you’re interested, please drop me a line.

  • ESAPI for PHP

    Last night, I spoke to the phpMELB folks for an hour on ESAPI for PHP.

    The talk went well, and they taped it. When the video appears, I will link to it.

    More importantly, I worked on ESAPI for a couple of hours after returning last night, and finally have something to show everyone! ESAPI for PHP almost passes some tests:

    ESAPI for PHP build 1

    This means that folks can start cutting code as the test framework and the main framework are fully stubbed out and ready to go.