This is the first of a series of posts with small tips and tricks of ExtJS that will also address its integration with Ruby on Rails.

In this release we are going to create a ComboBox that loads its items from a remote location (potentially a rails REST endpoint).

Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired and all the usual antics that happens when you gather around 7 thousand hackers in one place.

There’s a lot to do at DEFCON besides attending presentations, but this year I was there for business not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were less “wow” moments as far as the talks were concerned, but there were still some decent talks ands of course lots of opportunities to catch up with friends and acquaintances from around the world.

Here’s a list and some comments of the talks I attended:

An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed when an administrator scanned for APs.

it was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server and therefore an attacker. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the DHCP Options Hostname field could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed when an administrator visited the page.

• /security/: information security related content. Techniques, howtos, security advisories, etc.
• /ruby/: ruby and ruby on rails related articles.
• /nothing/: Any article that doesn’t fit in the previous categories goes here.

If the time comes were there is enough interest in a given area, a new branch can be created and the articles from this one moved to it.

On a recent project I was challenged with the task to create a Windows installer for Dradis, an application that I have been contributing to. After a bit of research it seemed like our answer was in using NSIS (Nullsoft Scriptable Install System) to assist us in this task.

NSIS in an open source platform for creating Windows installers. It has its own scripting language that you program all your installer logic in and then compiles to a Windows installer executable.

In this series of articles I will introduce you to:

• HM NIS IDE and it’s wizard (Part 1)
• Customising the wizard code (Part 2)
• Challenges with installing to user accounts without administrator rights (Part 3)

In the last article (middleware and me (part-1)) we looked at the concept of Middleware security and why it is often a neglected area. In this article we are moving on to look in detail at the security features that can be employed to protect this type of software. For the purposes of these discussions we are going to be focussing on the IBM Websphere MQ product, hopefully in the future I will be able to contrast these discussions against the security controls employed by a number of other messaging technologies.

The summary of the features of the v1.2 release:

• in the client:
  • export to XML module is now part of the standard module set.
  • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
  • fixed the window.rb:159 bug.
• in the server:
  • a slightly less annoying implementation of the web interface auto refresh functionality.
  • the services added through the web interface can have a name now
  • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.

miniconomics.com is an easy-to-use tool designed to manage your personal expenses that we have been developing over the last few months. The key benefits of the tool at this point in time:

• It is alive, changing every day, release early, release often. miniconomics.com is under a never ending churning process.
• It is simple, a no brainer, you have categories and you have expenses, you put expenses in your categories and miniconomics.com gives you all sorts of useful information, stats and nice shinny graphs.
• Is accessible, forget about maintaing a spreadsheet with your data in your home computer or laptop. Use an online service, use it no matter where you are, no matter when, just log in and add your expenses.
• It is as geek as a tool can be. We are still developing it and we are keen on trying all sorts of approaches. We have some cool toughts on plugins and addons that we will be developing in the future. Give us your feedback and let us know what you do you want out of the tool, chances are we will develop it!
• miniconomics.com is free, free to use, free to register, free to enjoy, free to everything

I hope you decide to give it a try (you don’t have to register for a test drive) and let us know what you think. And of course if you like it, just spread the word.

Things that will be covered include:

• remove the need of a login
• the use of an activation email, the application will require it’s users to activate their accounts upong sign up.
• howto get rid of the remember me functionality (just in case you don’t need it).
• howto strengthen a bit the default security of the framework.

After years of thinking about, writing about, and filtering messages, I’ve decided that the best strategy for me is to not filter spam, but instead to filter non-spam

The full article at Reverse Spam Filtering: “Winning Without Fighting” by Nancy McGough.

• A no non-sense authentication: just email and password. No bells, no wistles.
• The system should send an activation email after the user signs up.

Let’s explore the alternatives

One morning, exactly at sunrise, a Buddhist monk began to climb a tall mountain. A narrow path, no more than a foot or two wide, spiraled around the mountain to a glittering temple at the summit. The monk ascended at varying rates of speed, stopping many times along the way to rest and eat dried fruit he carried with him. He reached the temple shortly before sunset. After several days of fasting and meditation he began his journey back along the same path, starting at sunrise and again walking at variable speeds with many pauses along the way. His average speed descending was, of course, greater than his average climbing speed. Prove that there is a spot along the path that the monk will occupy on both trips at precisely the same time of day.

This post is the first in a series on the subject of enterprise messaging and in particular on IBM’s flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.

The National Rail Live Departure Board Sidebar gadget provides users with the ability to view real time train departure boards for all main railway stations in the UK. The gadget allows users to choose a “Start Station” and a “Destination Station” in order to provide them with the most up to date live departure information for their chosen trip. The gadget requests this information from a web server, which responds to the gadget with live departure board information for the user’s chosen rail journey.

An attacker capable of intercepting the web server response to the gadget request could modify that response such that a script was injected and then run on the user’s system. The injected script would run under the privileges of the currently logged in user, allowing the remote attacker to execute commands on the target system. An attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of the current logged in user.

Since this is not an easy choice we can mitigate the impact of making the decision upfront by doing some interface based design.

I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.

Briefings were held during the 27^th and 28^th of March, and the presentations are available for download. If you want to see what the chef recommends just keep reading…

As for the second question, the sort answer is that chances are that you really do not need one but for the shake of the experiment lets get our hands dirty!