Blog

  • Baby Girl Makes 21,710,079

    Mackenzie is now an Australian citizen. Awesome.

  • The new dark ages are approaching

    When I left for America, I was surprised at how few places accepted electronic payment methods compared to our experience in Australia. By the time we left the USA barely two years later, that was not a problem – almost everywhere took cards.

    Except … now, we’re back in Australia, and things have gone backward. Few places have EFTPOS now. It’s actually hard to pay electronically. Where I live, it’s impossible to buy coffee using EFTPOS, debit or credit cards.

    I bet it is because the local Big 4 banks are cutting their noses off to spite themselves. It leads me to believe we are entering the downward spiral into luddite non-use of electronic payments. We may have seen “peak” EFTPOS rollouts, and it’s all downhill from here.

    We’ll be a cash society soon, and this is incredibly bad. So many things that were once trivial to do require effort to do. It will cut economic output. Folks like me who refuse to pay the “disloyalty” fees at ATMs just will not buy at places without card machines when I run out of cash.

    This is bad news for the local economy, bad news for the banks, and bad news for employment. And bad news for me because I do not get a good cup of coffee and I’m pissed off.

  • ESAPI for PHP news

    AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilities, etc.) are present and working:

    (Screenshot: ESAPI for PHP tests passing)

    This is very good news as although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port as PHP does not have the equivalent of J2EE Set, List, HashMap, and many other basic data structures. What PHP does have is native associative arrays (somewhat like HashMaps), ArrayObject, and ArrayIterator from the SPL. The problem is that PHP doesn’t like sparse arrays with very long indexes:

    $foo["THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX."] = $value;

    So I had to make up a workable hash function and hope for zero collisions. I tried using spl_object_hash(), but that actually is too good. It uses the object’s value AND pointer position, such that:

    // spl_object_hash() accepts only objects, so the equal values are wrapped
    $foo = new ArrayObject(array("123"));

    $bar = new ArrayObject(array("123"));

    spl_object_hash($foo) != spl_object_hash($bar);   // true: two instances, same contents

    I think I still need to add a few more test cases as my hash function WILL collide when there are two direct object references of the same value, and thus will not be safe for some uses.
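    To make the indirect-reference idea behind these classes concrete, here is a small random access reference map written for this page as an added example; it is not ESAPI for PHP's own source and its class and method names are this example's, not the project's. Direct references (database ids, file paths) stay server-side; the client only ever sees a random token, and a token the map did not issue is rejected rather than passed through. Assumptions: PHP 7.4 or later, 48-bit tokens from random_bytes(), and direct references keyed by their type plus the SHA-256 of their serialised value, with objects keyed by instance through spl_object_hash().

```php
<?php
// Added example, not ESAPI for PHP code: a minimal random access reference map.
final class RandomAccessReferenceMap
{
    private array $directToIndirect = [];   // key: canonical form of the direct ref
    private array $indirectToDirect = [];   // key: random token handed to the client

    public function __construct(iterable $directReferences = [])
    {
        foreach ($directReferences as $direct) {
            $this->addDirectReference($direct);
        }
    }

    // Canonical key for a direct reference (assumption of this example).
    // Scalars are keyed by type and value, so int 1 and string "1" stay apart;
    // objects are keyed by identity, so two objects with equal contents get two
    // different keys, which is the spl_object_hash() behaviour discussed above.
    private static function keyFor($direct): string
    {
        if (is_object($direct)) {
            return 'obj:' . spl_object_hash($direct);
        }
        return gettype($direct) . ':' . hash('sha256', serialize($direct));
    }

    public function addDirectReference($direct): string
    {
        $key = self::keyFor($direct);
        if (isset($this->directToIndirect[$key])) {
            return $this->directToIndirect[$key];
        }
        do {
            $indirect = bin2hex(random_bytes(6));   // 12 hex chars from the CSPRNG
        } while (isset($this->indirectToDirect[$indirect]));
        $this->directToIndirect[$key] = $indirect;
        $this->indirectToDirect[$indirect] = $direct;
        return $indirect;
    }

    public function getIndirectReference($direct): ?string
    {
        return $this->directToIndirect[self::keyFor($direct)] ?? null;
    }

    // Unknown or tampered tokens throw an SPL exception; callers must never
    // fall back to treating the token itself as a direct reference.
    public function getDirectReference(string $indirect)
    {
        if (!array_key_exists($indirect, $this->indirectToDirect)) {
            throw new InvalidArgumentException('Access denied: unknown indirect reference');
        }
        return $this->indirectToDirect[$indirect];
    }
}

// Constructed sample data: the references this user is allowed to reach.
$map   = new RandomAccessReferenceMap(['/var/app/data/report-1042.pdf', 1042]);
$token = $map->getIndirectReference('/var/app/data/report-1042.pdf');
echo "link: /download?f=$token\n";
assert($map->getDirectReference($token) === '/var/app/data/report-1042.pdf');

try {
    $map->getDirectReference('0000000000ff');   // a guessed or edited token
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Note the two collision behaviours this choice of key gives: equal scalar values share one token (adding the same path twice returns the existing token), while distinct object instances with equal contents get distinct tokens. Whichever a port settles on, the test cases should pin it down explicitly.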

  • ESAPI for PHP – first tests passed

    I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class.
    (Screenshot: PHP ESAPI Exception Test Suite pass)

    This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes, it’s one test, but it tests the exceptions thrown by every single one of the Exception classes.

    This is key as ESAPI throws a lot of ESAPI exceptions when things go south. In addition to ESAPI exceptions, the PHP port will also throw SPL exceptions, such as InvalidArgumentException and so on, as it makes sense to do so.

    To get this far, I’ve had to hand-hack the Authenticator, User, Logger, and Intrusion Detection classes – currently no errors are sent out by ESAPI for PHP, but give me a bit of time and it will happen. String Utilities is also partially there. Authenticator is interesting as it actually does generate strong passwords, and actually reads from the resources directory for the user’s file and decodes it into an array. However, some of these behaviors are hard-wired to allow more of the Milestone 1 classes to pass tests, rather than be part of the Milestone 3 build.

    I’ve started work on the RandomAccessReferenceMap class. It’s almost there; but unfortunately, I’ve got to go to bed as it’s 2 AM. It’s so close I can smell it. Once done, that class is a close relative of the IntegerReferenceAccessMap, and so there are likely to be two valid and useful ESAPI for PHP classes done soon. I’ll see if I can finish it and check it in before I have to go to work on Monday.

  • Web training news

    No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism.

    In some exciting news:

    • I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project finds a home for it. I’ll come back and link to it when it’s ready. Very rarely does an entire 1+ day deck escape into the wild, so I hope the OWASP Education community runs with it, and constantly improves it.
    • My deck is forming the basis of Pure Hacking’s new two day developer training! Obviously, we’ll be extending the deck and giving it the Pure Hacking spin, but fundamentally it’ll be the same focus on building secure applications and not breaking crap applications. Our new deck will be ready at the end of the month for your training pleasure!

    In other news, Pure Hacking is holding a one day WebEx (i.e. remote) training session on Testing Web Applications with Ty Miller as your host. If you’re interested, please drop me a line.

  • ESAPI for PHP

    Last night, I spoke to the phpMELB folks for an hour on ESAPI for PHP.

    The talk went well, and they taped it. When the video appears, I will link to it.

    More importantly, I worked on ESAPI for a couple of hours after returning last night, and finally have something to show everyone! ESAPI for PHP almost passes some tests:

    (Screenshot: ESAPI for PHP build 1)

    This means that folks can start cutting code as the test framework and the main framework are fully stubbed out and ready to go.

  • Training coming along nicely

    For those of you sitting on the fence about coming to OWASP AU 2009, it’s time to book. 🙂

    The training materials I’ve developed using OWASP ASVS cover all the ground in the ASVS in one day, from a developer perspective:

    • About the Application Security Verification Standard
    • What you need to verify code
    • About Risk 
    • The ASVS Levels
    • Verifying Architecture
    • Verifying Authentication
    • Verifying Session Management
    • Verifying Access Control
    • Verifying Input validation
    • Verifying Output encoding / canonicalization
    • Verifying Cryptography
    • Verifying Error Handling / Logging
    • Verifying Data Protection
    • Verifying Communications Security
    • Verifying HTTP Security
    • Verifying Configuration
    • Verifying Malicious Code
    • Verifying Internal security controls
    • How to write a decent report and how to communicate (good and) bad news 

    It’s going to be a long day, so bring your game to the sunny Gold Coast, Australia. OWASP AU is a true bargain compared to commercial offerings.

    If you have some training budget, book a ticket and come see me and have a blast!

    Book my course now

    All about OWASP AU 2009

  • Back in Australia

    It’s a bit of a shock coming back. Some things are the same, many things are very different. 

    I had been homesick for some time, and I was glad to meet up with my family and my cat(s). Unfortunately, Greebo either did not remember me or worse, didn’t want to talk to me. Meebles was not to be found. I hope I can look after them again soon. Mackenzie is a universal hit here with everyone, which is awesome. She’s also taking well to so many new faces. 

    The weather changed from being icy and snowy -5 C (20 F) to a scorching 47.9 C (118.2 F), with the worst fires on record raging about 200 km from where we now live. We’re okay – even if so many are not. My thoughts are with those affected by the fires. 

    The sunsets are glorious – I’ve missed them. You can only work this out once you actually viscerally experience something old you fondly remember. The light is different here, and not just because the air is tinged with burnt ash and smoke. 

    The shopping hours shortened, and the online shopping options that were in Australia seem to have disappeared. I remember far longer hours in the past, and many more options … but they’re gone. Oh well.

    I managed to drive on the correct side of the road with no real issues – still haven’t turned into the wrong lane, although shopping center car parks are still interesting. 

    TV is still crap, and yet awesome. I had missed good news coverage, and weather forecasting that is within 1 degree C of the actual temperature a few days out, and now I have it back. I miss the ease of watching what I want on my TiVos, but then again, I now have a lot more time to do stuff with my family. I always found US TV a bit odd – almost everything was bleeped, but there was no diminution in the number of bleeps. Tonight, I watched a depression special with one of the world’s best comedians, Stephen Fry, and he dropped the c word, and various other words that would be bleeped in the US. I will not miss the bleeping.

    We’re well on our way to restarting our life here. Life is good.

  • Speaking at OWASP AU

    I will be speaking at OWASP AU 2009 this year!

    I am conducting a one day training session on how to BUILD secure applications using ESAPI and verifying the same using Application Security Verification Standard (OWASP ASVS). If you are a builder, you will want to attend that class, which is very reasonably priced at USD $650. Typical instructor led training is $2500 per day – at least. The main conference is only USD $425, which is a bargain compared to Black Hat or RSA. 

    During the two day main agenda, I will be speaking about why you should be protecting your VALUE, and not worrying so much about THREATS. It’s time we stopped worrying so much about XSS and so on, and move on to something that actually pays some returns. 

    Get your registration fingers happy here:

    See you there!

  • Andrew: Cultural Learnings of America Benefit Glorious Nation of Australia

    Well, it’s time to go home.

    We’re leaving the USA at the end of the month, and should be back in Australia February 2-4.

    It’s going to be a bit busy over the next few weeks whilst we pack, sell all our worldly goods, and organize our new life in Australia.

    I’ve had a blast whilst in the USA, and I’ve been to (at last count) 25 states. I will update my Google Map and find out for sure. I’ve seen lots of places I’d never come to by myself, like Pittsburgh, and loved every bit of it. I’ve been to places that I would have been, and loved it – like Miami, SF, NYC, and DC. Recently, we started exploring Baltimore, but unfortunately, that’s going to be cut short. I hope to make the Air and Space Museum before we go, but the amount of stuff we have to do, including sell the car, may simply preclude that.  

    I don’t have a job lined up yet, so if you are in a position to hire a remote worker or have a position in Melbourne or Geelong, Australia, I’d love to hear from you. You can find me on LinkedIn, and I’d be happy to give you my current resume.