
Tobi Waves



OSCON Tutorial: Introduction to Ruby

Monday, August 01, 2005 08:21 // Portland, USA


taught by Dave Thomas

Programmers are like artists: they can only be successful if they have fun doing it. The programmer sitting in front of an empty editor buffer is like an artist in front of a blank canvas.

A good programmer picks the language appropriate for the problem.

Ruby as a language was created in 1994 by Yukihiro Matsumoto (Matz). He combined concepts from various other languages into a new language. Despite what one might expect, the new language is actually beautiful and coherent.

Ruby is similar to Perl in the sense that it does not force a programming paradigm on the user. It is rather a multi-paradigm language allowing procedural, object oriented, functional as well as meta programming.

About the language

All Ruby objects and classes inherit from the default class Object. Object provides a class method new, which creates the object and then calls its initialize method; either method can be overridden.

class Song
  def initialize(a_title)
    @title = a_title
  end
  attr_reader :title
  attr_accessor :artist
end

a_song = Song.new("Hello")
a_song.title
a_song.artist = "Sam"

The attr_* functions are meta programming elements: they create an attribute reader and an accessor (reader plus writer) method respectively. Written out by hand, the generated methods look like this:

def title
  @title
end

def artist=(val)
  @artist = val
end

In Ruby you always have to use accessor methods to get at object variables from outside. The advantage is that calling code stays the same regardless of whether setting a variable triggers extra work or just stores the value. The = in the method definition is part of the method name, so even though it looks like an assignment it is actually a method call.

Strings can contain embedded ruby code

"string#{arbitrary ruby code}string"

Methods can be called with blocks of code

def example(arg1, arg2)
  yield arg1, arg2
end

example(1, 2) { |var1, var2| puts var1; puts var2 }

or

example(1, 2) do |var1, var2|
  puts var1
  puts var2
end

The yield statement executes the block passed to the example call. Inside the block, arg1 and arg2 are accessible as var1 and var2.

Ruby does exception handling

def my_file_open(name)
  f = File.open(name)
  yield f
ensure
  f.close if f
end

my_file_open("file") do |file|
  line = file.gets
  puts line
end

This makes sure f.close gets called even when the block runs into problems and throws an exception.
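The same block-plus-ensure pattern, as an added example that is not the tutorial's code: a stand-in resource (a StringIO subclass constructed here) records whether close was called, so the guarantee can be exercised on the normal path and when the block raises. TrackedIO, with_resource, read_first_line and raise_inside are names chosen for this example.

```ruby
require 'stringio'

# Stand-in for File: a StringIO that remembers whether close was called.
# (Constructed for this example so nothing touches the filesystem.)
class TrackedIO < StringIO
  attr_reader :closed_by_helper

  def initialize(content)
    super(content)
    @closed_by_helper = false
  end

  def close
    @closed_by_helper = true
    super
  end
end

# Same shape as my_file_open above, but the resource is passed in.
# ensure runs on a normal return, on raise, and on break/return from the block.
def with_resource(resource)
  yield resource
ensure
  resource.close unless resource.closed?
end

# Normal path: read one line; the resource is closed afterwards.
def read_first_line(io)
  with_resource(io) { |f| f.gets }
end

# Failing path: the block raises; ensure still closes, then the error
# propagates and is caught here so the caller can inspect it.
def raise_inside(io)
  with_resource(io) { |_f| raise ArgumentError, "boom" }
rescue ArgumentError => e
  e.message
end

if __FILE__ == $0
  io = TrackedIO.new("first\nsecond\n")
  puts read_first_line(io)     # first
  puts io.closed_by_helper     # true
  bad = TrackedIO.new("x")
  puts raise_inside(bad)       # boom
  puts bad.closed_by_helper    # true
end
```

The point to check in review is the second path: a resource helper that only closes on success leaks handles exactly when an error makes the leak hardest to notice.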

Blocks can be nested ...

DBI.connect("DBI:Pg:my_db") do |db|
  db.transaction do
    db.execute("SELECT ...") do |stmt|
      stmt.each do |row|
        # process row
      end
    end
  end
end

In Ruby, variables are untyped while objects are typed by what they can do (their method names). This means that if an object has the right methods, you can use it as a replacement for another object. In Ruby this is called Duck Typing (if it walks and talks like a duck, it might as well be a duck). This helps for things like unit testing. The type of an object is what it can do.

Meta programming

Ruby classes and objects are "open". This means you can add new methods or overwrite existing ones.

class String
  def encrypt
    tr "a-z","b-za"
  end
end

a = "cat"
puts a.encrypt

This adds a new encrypt method (a simple letter shift, not real encryption) to Ruby's standard String class.

Languages should allow you to do cool things even when that would allow stupid people to horribly break everything.

Classes and Modules get executed at 'definition time'.

class Logger
  if ENV['DEBUG']
    def log(msg)
      STDERR.puts "LOG: " + msg
    end
  else
    def log(msg)
    end
  end
end

A module is like a class that can not be instantiated; its methods behave like static methods. Class methods in normal classes have to be prefixed with the class name to separate them from object (instance) methods.

module Dictionary
  WORDS = {}
  File.read("/usr/share/dict/words").split.each do |word|
    WORDS[word] = true
  end

  def Dictionary.known_words?(word)
    WORDS[word]
  end
end

class Dave
  def Dave.hello
    puts "Hello"
  end
  Dave.hello
end

Method names can end in =, ! and ? in addition to the normal characters and numbers. By convention, = is for 'set' methods, ? is for test methods and ! is for dangerous methods.

Methods always get executed on an object (aka the receiver); if no object is mentioned, the default receiver 'self' is used. Inside a class definition the default receiver is the current class.

class Dave
  def Dave.hello
    puts "Hello"
  end
  hello
end

Dave.hello

Subclasses inherit class and instance methods of their parents.

module ActiveRecord
  class Base
    def Base.set_table_name(new_name)
      @table_name = new_name
    end
  end
end

class Book < ActiveRecord::Base
  set_table_name "volumes"
end

Note that @table_name is a variable of the class Base. This works because class Base is actually an object of the class Class.
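An added example (not the tutorial's code and not ActiveRecord's) that shows where such a class-level @table_name actually lives: each subclass gets its own copy, while a @@class variable would be shared by the whole hierarchy. MiniRecord, Book, Author, SharedBase and the helper functions are names chosen for this example.

```ruby
module MiniRecord
  class Base
    # Class method: the receiver is the class object, so @table_name is an
    # instance variable of that class object (Base, Book, ...), not of any
    # instance and not shared with subclasses.
    def self.set_table_name(new_name)
      @table_name = new_name
    end

    # Falls back to a naming convention when nothing was set explicitly.
    def self.table_name
      @table_name || name.split('::').last.downcase + 's'
    end
  end
end

class Book < MiniRecord::Base
  set_table_name "volumes"   # sets Book's own @table_name
end

class Author < MiniRecord::Base
end

# Base stays untouched by what Book did; Author uses the convention.
def table_names
  [MiniRecord::Base.table_name, Book.table_name, Author.table_name]
end

# Contrast: a @@class variable is shared across the whole hierarchy, so a
# setting made in one subclass leaks into the base class and every sibling.
class SharedBase
  @@table_name = "default"

  def self.set_table_name(new_name)
    @@table_name = new_name
  end

  def self.table_name
    @@table_name
  end
end

class SharedBook < SharedBase
  set_table_name "volumes"
end

class SharedAuthor < SharedBase
end

def shared_table_names
  [SharedBase.table_name, SharedBook.table_name, SharedAuthor.table_name]
end

if __FILE__ == $0
  p table_names          # ["bases", "volumes", "authors"]
  p shared_table_names   # ["volumes", "volumes", "volumes"]
end
```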

Additional Ruby Stuff

A good IDE for Ruby is FreeRIDE.

Rails is THE Ruby framework for web applications. (www.rubyonrails.org ...)

Ruby has a database interface called DBI (equivalent to the one in Perl) and it also has a much more powerful one called ActiveRecord that maps databases to classes, objects and methods.

class Book < ActiveRecord::Base
end

will access the database table "books" and create all sorts of useful methods for accessing the information inside the database. For dumb databases like MySQL, which do not allow you to define internal consistency rules, you can use ActiveRecord to define restrictions on what the database should accept.

Why Ruby

Lightweight

Transparent, Ruby is obvious and easy to read

Portable

OpenSource (MIT, Artistic)

Easy to learn: things work the way you, or rather Matz, expect.

Ruby is fun.

Stable Language. The language has not changed much over the recent versions, most action happens in the extension libraries.

Resources

Websites (www.ruby-lang.org ...) and (www.rubygarden.org ...) and the newsgroup comp.lang.ruby

Ruby Programmer guide ... (www.pragmaticprogrammer.com ...) (1st edition is available for free online)

 

OSCON Tutorial: Getting Started with Eclipse

Monday, August 01, 2005 13:29 // USA, Portland

taught by Bill Dudney

About Eclipse

Eclipse is a rich-client-platform (RCP) that gives you a lot of functionality for building rich clients, meaning clients in which a lot of the functionality lives. Eclipse itself is such a "client".

Currently there are about 100 companies who donate resources to eclipse development.

The main focus of Eclipse is still Java, but there is a growing number of plugins for using Eclipse to write code in other languages.

Eclipse consists of thousands of tools. A perspective is Eclipse's way of only showing the tools required for the task at hand, e.g. the Java perspective only shows the tools relevant for Java development.

The Java editor is aware of the Java language and has lots of java specific functions like context help and command completion. It can even help to fix bugs by suggesting fixes to common errors.

Eclipse is fully integrated with JUnit. It can automatically generate JUnit test skeletons for any class you select. The Eclipse Java editor has lots of functions for code generation. At the touch of a button it can generate all that fluffy code that does not do anything and still has to be repeated many times. (Ruby solves this problem with the meta programming functionality in the language itself.)

Eclipse can deal with Ant (the Java make alternative) files, but internally Eclipse has its own build system, so it does not keep Ant files in sync. NetBeans, on the other hand, uses Ant internally as its build system, so if you are into Ant you may want to look at NetBeans.

Debugging Java with Eclipse

Eclipse can remote debug Java applications. With this it is possible to fully separate the application from the Eclipse environment, which comes in especially handy with big Java apps like Tomcat. Use the options -Xdebug and -Xrunjdwp: to start the application with remote debugging hooks enabled (this is a special function of the Sun JDK, so it will only work when running with the Sun JVM).

The Eclipse debugger can be enhanced with custom java code (toString methods) to teach it how to represent custom types when printing variables.

J2EE development with Eclipse

If you are doing web application development you should get WTP (Web Tools Project) which provides full J2EE integration for Eclipse.

Installing WTP: First get GEF (Graph Editor Framework), EMF (Eclipse Modeling Framework) and Visual Editor Project and only then you can install WTP successfully.

 

OSCON Tutorial: Learning AJAX

Tuesday, August 02, 2005 08:32 // Portland, Oregon, USA

taught by Alex Russell

What is AJAX?

An acronym for Asynchronous JavaScript and XML.

Ever wondered how Google does their cool new apps like (maps.google.co ...) or how something like (shared.snapgrid.com ...) works? There is no real standard yet but a keyword: AJAX. Wikipedia has an evolving page about it: (en.wikipedia.org ...)

The key to AJAX applications is that everything happens on the same page. No page reloading is required.

The browser turns from a dumb page renderer into a protocol client.

Where to use AJAX

AJAX is for interactive applications; for static documents the current XHTML pages are perfect: accessible, fast, ... Only use AJAX when you can make the users' lives better and not worse.

One of the big challenges is cross-browser compatibility. While MSDN and Mozilla provide good references for their browsers, they obviously do not talk all that much about compatibility problems. There is a good resource for such information on (www.quirksmode.org ...)

Getting XMLHttpRequest working

In order to be able to make HTTP requests from within JavaScript you need an XMLHttpRequest object. While it is readily available in modern browsers, it is not so trivial in IE. The most popular way of doing this today is to use conditional compilation in IE.

/*@cc_on @*/
/*@if (@_jscript_version >= 5)
... code ...
@end @*/

Here is a tutorial (www.webpasties.com ...)

More Code Snippets on (www.fiftyfoureleven.com ...)

innerHTML vs DOM

The fastest and simplest way of altering web pages on the fly is to use the innerHTML property of a node. The problem is that setting innerHTML replaces the node completely, and with it all of its properties. So a new node will have to have its properties re-attached, even if it has the same ID as the old node.

If you use the DOM for manipulating content, your code on the browser side has to do more, since the data from the server arrives as XML and not as pre-generated HTML as it would with innerHTML. The advantage is that you can do much more fine-grained manipulations of the content.

DOM vs innerHTML benchmark (www.quirksmode.org ...)

Send JavaScript from the server?

The fastest way of communicating with the server is to send data encoded as JavaScript from the server and use eval() on the client. The advantage of this is that we do not have to parse the data actively on the client side; we can use the browser's JavaScript parser to interpret the data. The client side can then access the data structures in JavaScript directly to generate the relevant HTML/XML code. This is especially efficient if you are dealing with large tabular data structures.

There is a standardized subset of JavaScript called JSON (JavaScript Object Notation) for this lightweight data exchange method. More about this on (www.crockford.com ...)
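The trade-off behind "just eval() it" is worth seeing on real input. As an added example that is not part of the tutorial, written in Ruby (the language of the rest of this page's code) rather than browser JavaScript: the same two constructed payloads are decoded once with eval and once with a JSON parser. A parser accepts only data and rejects everything else; eval runs whatever the sender put in the string, and even on well-formed data it produces a different shape (symbol keys) than the parser does. DATA_PAYLOAD, CODE_PAYLOAD and the decode helpers are names chosen for this example.

```ruby
require 'json'

# Constructed payloads. The first is plain JSON data; the second is valid
# Ruby (an expression with a side effect inside the array) but not JSON.
DATA_PAYLOAD = '{"user": "sam", "rows": [1, 2, 3]}'
CODE_PAYLOAD = '[1, 2, (Object.const_set(:EVAL_RAN, true); 3)]'

# Decoding by evaluation: trusts the sender completely.
def unsafe_decode(str)
  eval(str)
end

# Decoding by parsing: anything that is not JSON raises JSON::ParserError.
def safe_decode(str)
  JSON.parse(str)
end

# Returns [value, error_class_or_nil] so both outcomes can be compared.
def try_decode(str, decoder)
  [send(decoder, str), nil]
rescue JSON::ParserError, SyntaxError => e
  [nil, e.class]
end

if __FILE__ == $0
  p try_decode(DATA_PAYLOAD, :safe_decode)   # [{"user"=>"sam", "rows"=>[1, 2, 3]}, nil]
  p try_decode(CODE_PAYLOAD, :safe_decode)   # [nil, JSON::ParserError]
  p unsafe_decode(DATA_PAYLOAD)              # {:user=>"sam", :rows=>[1, 2, 3]}
end
```

Running unsafe_decode on CODE_PAYLOAD returns the harmless-looking [1, 2, 3] and, as a side effect, defines the constant EVAL_RAN: the data channel has become a code channel. The JSON section that follows describes the subset that a dedicated parser can safely accept.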

REST API

Communication between an Ajax-style UI and your Server should happen via the REST (Representational State Transfer) API of your Web application. (en.wikipedia.org ...) and (www.xfront.com ...)

Debugging JavaScript

The simplest way is to open the JavaScript console of your browser to see any errors the JavaScript engine generates. For automated testing you may want to use a JavaScript implementation that can be started from the command line, like Mozilla's Rhino (www.mozilla.org ...) project. There are also several Mozilla extensions that help:

LiveHTTPHeaders (livehttpheaders.mozdev.org ...) shows the HTTP headers exchanged between Mozilla and the server.

Venkman a graphical JS debugger (www.hacksrus.com ...)

Ethereal is also helpful as you can see what really happens on the wire. If you do not have the necessary permissions to sniff data off the wire, you may want to redirect your browser through a proxy where you can dump the data that traverses it.

Links

Examples (dojotoolkit.org ...)

Simple AJAX Toolkit (www.modernmethod.com ...)

About using Ajax on Rails the Ruby web toolkit (www.onlamp.com ...)

Ruby on Rails (www.rubyonrails.org ...)

An evolving browser UI toolkit with pluggable widgets that separate HTML from JavaScript Code (dojotoolkit.org ...)

CPAN for Java Script (www.openjsan.org ...)

Wiki with AJAX Framework overview (www.ajaxpatterns.org ...)

Nice widget and screen effects library for ajax applications (openrico.org ...)

 

OSCON Tutorial: Introduction to XSLT

Tuesday, August 02, 2005 14:04 // Portland, Oregon, USA

taught by Evan Lenz

XSLT is a language for processing XML documents. XSLT itself is written in XML. The output generated by an XSLT 'program' can be anything, but normally it is used for generating (X)HTML documents which can then be displayed by a browser.

XSLT uses the XPATH language for addressing 'nodes' in an XML document.

XPATH Expressions

An XPath expression is made up from several steps separated by /.

step/step/step

A step consists of three elements: The axis to identify a set of nodes relative to the current-context node. The node test to filter out relevant nodes from the set of nodes selected by the axis and finally any number of optional predicates to further filter which nodes get selected.

axis::node-test[predicate][predicate]

XPath expressions can return 4 types of data:

node-set which is a number of zero or more nodes without duplicates

number a floating point number

string a unicode string

boolean true or false

XPath knows seven different types of nodes:

Root - the toplevel node of a document is called "/"

Element - 'tags'

PI - Processing instructions <?xml ...?>

Comment - Comment tags

Text - Character data, including white space!

Attribute - <tag attrib="xxx">

Namespace - <?xml-stylesheet ...?>

When selecting XPath nodes you can use 14(!) different axes. By default you use the child:: axis, and default means that you do not even have to mention it, so an expression like section is actually child::section. The other common axis is attribute::, which also has an abbreviation, @: instead of writing attribute::section you can write @section.

The other 12 axes are: descendant-or-self:: (abbreviated //), parent:: (abbreviated ..) and self:: (abbreviated .); the remaining axes have no abbreviation: ancestor::, following-sibling::, preceding-sibling::, following::, preceding::, namespace::, descendant::, ancestor-or-self::.

XPath example

XPath looks at an XML document as if it were a filesystem. As when navigating a filesystem, there is a context node from which XPath looks at the document.

<article>
<heading>Hello</heading>
<para>Paragraph <emph>1</emph></para>
<para>Paragraph 2</para>
</article>

If the first para node is the current context node the expressions would return the following:

* - emph
emph - emph
.. - para
../* - heading,para,para
../para[2] - the second paragraph
/article/* - heading,para,para
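To make the step/step/step model concrete, here is an added example that is not part of the tutorial: a tiny evaluator for just the XPath subset used in the table (child steps with a name or * test and an optional [n] predicate, ., .., and absolute paths from /), run over a hand-built tree of the article document above with text nodes left out. Node, build_article, apply_step, xpath, root_of and names are names chosen for this example. Note that .. selects the parent of the context node, which for the first para is article.

```ruby
class Node
  attr_reader :name, :parent, :children

  def initialize(name, parent = nil)
    @name, @parent, @children = name, parent, []
  end

  def add(name)
    child = Node.new(name, self)
    @children << child
    child
  end
end

# The document root ("/") has no name; article is its only child.
def build_article
  root = Node.new(nil)
  article = root.add('article')
  article.add('heading')
  article.add('para').add('emph')
  article.add('para')
  root
end

def root_of(node)
  node = node.parent while node.parent
  node
end

# One step: self (.), parent (..), or a child:: step with a name or '*' test
# and an optional positional predicate [n] (1-based, as in XPath).
def apply_step(context_nodes, step)
  return context_nodes if step == '.'
  return context_nodes.map(&:parent).compact.uniq if step == '..'
  m = step.match(/\A([^\[]+)(?:\[(\d+)\])?\z/) or raise ArgumentError, "unsupported step #{step}"
  test, pos = m.captures
  context_nodes.flat_map do |n|
    kids = n.children.select { |c| test == '*' || c.name == test }
    pos ? [kids[pos.to_i - 1]].compact : kids
  end.uniq
end

# Evaluate a step/step/step path relative to the context node; a leading '/'
# starts at the document root instead.
def xpath(context, expr)
  start = expr.start_with?('/') ? root_of(context) : context
  steps = expr.sub(%r{\A/}, '').split('/').reject(&:empty?)
  steps.inject([start]) { |nodes, step| apply_step(nodes, step) }
end

def names(nodes)
  nodes.map(&:name)
end

if __FILE__ == $0
  para = xpath(build_article, '/article/para').first   # context: the first para
  ['*', 'emph', '..', '../*', '../para[2]', '/article/*'].each do |expr|
    puts "#{expr.ljust(12)} -> #{names(xpath(para, expr)).join(',')}"
  end
end
```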

The XSLT Processing Model

The most important command in xslt is xsl:apply-templates. A lot of people do not use this function properly since they write only one big template, instead of writing many small ones for different purposes.

If you use multiple templates, xslt will invoke a conflict resolution protocol when several templates match for a particular element.

Selection happens by priority:

-0.5   match="*"
-0.25  match="xyz:*"
 0     match="name"
 0.5   match="nameA/nameB"

You can override the priority of a template by setting the priority attribute explicitly.

Whenever XSLT processing is started, the processor executes the template rule for /. If you do not supply a template rule, the processor uses its built-in template rules (there is one for each of the seven node types).

 

OSCON Opening Session

Wednesday, August 03, 2005 08:34 // Portland, Oregon, USA

Tim O'Reilly

While many building blocks of software are now freely available (OS, database, web servers, browsers, ...), there is a growing number of web-based applications that take a more and more important role in everyday life and are not open at all. What about Google Maps: what if Google changes its APIs and you have built a business on Google Maps?

The next wave of big applications will be web integration apps that pull data from existing websites and integrate, filter, consolidate it in new and interesting ways.

Kim Polese of SpikeSource

She talks about the trend from "Do it yourself" to "Do it together" in OpenSource. We are moving from an EGO system to an ECO system, with OpenSource making DIY-IT possible. Today, traditional companies start putting OpenSource tools into their business critical applications. IT organizations start putting packages together from a large number of OSS components. The challenge is that these components are all on different release schedules. The bigger the packages get, the more resources have to be invested into keeping them tested and up-to-date as new features are added. These custom software packages/stacks have become a competitive advantage for these companies, so they are going to stay. The problem the companies are facing is that they have to become their own software company, with its own testing, release system and everything else a normal software vendor does. This costs a lot of money and thus opens business opportunities for a new kind of service company, which lets companies offload part of the work of creating and maintaining their own software stack.

SpikeSource is specializing in OpenSource testing. They offer software testing services to companies, but also free testing resources to OpenSource developers.

Andrew Morton, Kernel Integrator with OSDL

How will Linux succeed on the Desktop? It will happen in the same way it worked with other OSS things, they are creeping from the bottom up along the food chain. Do not expect Linux taking the Windows Powerusers desktops by storm. These are the most difficult people to cater for, but they are not the majority, even though they can be very vocal. Linux is in use on many special purpose desktops today: Point-of-sales, trading floor, data entry. As companies see Linux working well in these specialized applications the interest in using Linux on more general purpose desktop applications will grow.

 

OSCON Talk: Perl 6 Endgame

Wednesday, August 03, 2005 10:45 // Portland, Oregon

by Damian Conway and Larry Wall

We are almost there, yet! Despite the naysayers. We are close to finishing the design of the language that was never going to be finished. We are close to finishing the implementation of the language that was never going to be implemented.

What is new in Perl 6

use strict and use warnings are always on.

No strict refs necessary, since the language uses a different syntax.

No strict subs, since Perl 6 has no barewords.

No raw assignments in conditionals, since there is a new operator for that:

if ($a = max()){...} becomes if (max() -> $a) { ...}

String interpolation is much simpler. No more problems with user@address.ch, and there are many more sensible interpolation possibilities with the new syntax. The simplest approach is to add braces in a string; their contents will be executed as Perl code.

say "The current time is {localtime}";

Every scalar has a method to sprintf it ...

$score.as('%6.2f')
%hash.as('%-10s %2f',"\n");

Single quotes can be modified with 'adverbs' to interpolate some things.

The heredoc syntax has been modified to

print q:to/END/
  blablbalb
  END

Note that the indentation of the END marker specifies the left margin of the heredoc.

Index keys do not auto-quote:

 %hash{larry}

would call the larry function. Now use

 %hash<larry>

for autoquoted keys. This creates a problem with filehandles. Use this instead

 while $fh.shift() {...}

or rather with the unary iterator operator

 while =$fh {...} 

this operation is lazy, so you can use

 for =$fh {...}

and

 while (<>) {...} becomes  while =$ARGS {...}

or rather

 while =<> {...}

aka the fish operator. Filehandles automatically chomp any input.

In Perl6 every object has a perl() method that produces a perl representation of the data structure.

say $file.perl()

no more Data::Dumper.

There is a new reduction operator

$dot_prod = [+] @vec1 >>*<< @vec2

Perl6 has much better introspection capabilities via question referents

$?SUBNAME $?LABEL @?LABEL

They tell about almost any aspect of Perl's run-time as well as compile-time environment.

Play with Perl6 today, try pugs.

 

OSCON Talk: Apocalypse New! Perl 6 is here Today.

Wednesday, August 03, 2005 11:34 // Portland, Oregon, USA

by Brian Ingerson

Online (www.kwiki.org ...)

Pugs is just another CPAN module but it is a fully working Perl 6 interpreter. Pugs is implemented in Haskell which is a purely functional language.

Currently there are about 100 people with commit access to pugs and it is growing at a startling rate.

If you want to help with perl6 you do not need to know haskell, since a lot of code these days is written in perl6 already.

 

OSCON Talk: Customizing Firefox with Extensions

Wednesday, August 03, 2005 16:30 // Portland, Oregon, US

by Mike Shaver

Extensions for Firefox do everything from ad-blocking to on-the-fly website alteration with GreaseMonkey.

Extensions are composed of 4 elements. A manifest, Chrome (user interface components), Components (non-ui), Default settings.

If extensions are popular and non-intrusive to people who do not use them, they may get integrated into the default Firefox.

User interface components are written in XUL, the same XML language Firefox uses for its own UI. XUL can insert new elements into the browser UI, it can add and alter attributes of existing UI elements, and it can even remove elements completely.

The best way to learn about writing extensions is to take a simple existing extension apart and modify it. Extensions are stored in .xpi files, these are just simple zip files with their file name extension changed. Unzip the file and off you go.

Extension writing in Firefox 1.5 was much simplified, so if you are starting out now, you may want to use the current firefox 1.5 snapshots (deer park) for development.

When you have created a useful extension, upload it to (addons.mozilla.org ...)

Analytical tools for extension writers: DOM Inspector, Venkman the JavaScript debugger.

Links

(xulplanet.com ...)

Books are ok as well, but things evolve, so while the base concepts are all the same you may have to adapt paths and node names to work with current versions of FireFox.

 

OSCON Talk: Extracting Ruby on Rails from Basecamp

Wednesday, August 03, 2005 17:25 // Portland, Oregon, US

by David Heinemeier Hansson

Rails is a Ruby based Webapp framework that came out of the development of Basecamp. Basecamp is a commercial Web based project management software written by (www.37signals.com ...)

David's idea when designing Rails was to pull the good ideas from other languages and platforms into a context adapted to the small resources available to him at 37signals (0.25 programmers and 1 designer).

Instead of designing the framework before writing Basecamp, David decided to write Rails by creating a method of extracting the framework from Basecamp. So instead of making assumptions about what he would need in the future, he writes Rails in parallel with Basecamp. He calls this application driven development.

How to be successful with an OpenSource project:

Be visible. If no one cares for your OSS project you might as well not "opensource" it, since the cost of publishing will never be recovered.

Release only once the culture of the project is fairly set, so that new influences through new users will not bend the project out of shape. Make sure you can handle the contributions and bug reports from your users.

Increase your visibility by taking on the 'leader-of-the-pack' role. Be careful about aggressiveness though: if you are aggressive towards others, you will also attract aggressive people to your project.

 

OSCON Keynotes Thursday

Thursday, August 04, 2005 08:35 // Portland, Oregon, US

Nick Gall, IT Analyst

Nick talks about how to design an architecture that is sustainable over the long term. The secret of sustainable architectures is that they use simple protocols that enable extensibility above as well as below. Simple and successful applications are identified by three properties:

               identifier    format          protocol
               ------------  --------------  ----------------------
examples       IP address    IP packet       IP protocol
email          @ address     RFC 2822        SMTP
web            URL           HTML/MIME       HTTP
Web Service    URI           SOAP            SOAP Processing Model
Containerized
Shipping       Container ID  20t container   Port handling protocol

David Heinemeier Hansson from 37signals

David talks about the "Secrets behind Ruby on Rails". Ruby on Rails is an integrated stack of web application frameworks, basically a framework of frameworks, that makes web application developers' lives fun.

Rails has sparked a huge interest in Ruby for web application development since its publication. There are currently 7 books on Rails in the works and the first one is already published.

The three guiding principles behind Rails design and thus its success are:

Convention over Configuration - As long as you follow the golden path, Rails does things automatically. This results in less code and faster development. You only have to add explicit configuration information when you deviate from the golden path.

Change is instant - This allows a "Use it, break it, fix it, trash it, change it" work pattern. There is no compilation, deployment, server restart or code generation. This is mainly due to Ruby's excellent introspection and open classes that can be extended and modified from user code.

Rails ships as a complete, integrated and familiar stack - this means once you have installed Rails, it will start working right away and take care of all the tiers of a web application.

Flexibility is highly overrated. Rails trades flexibility for ease of use.

Constraints are liberating! Because you do not have to think about it and take the decisions on your own.

Kartik Subbarao from HP

He takes inspiration from the four elements and compares OpenSource to "Water" and closed source to "Earth". Water flows everywhere and is transparent. Earth is solid, opaque and it has to be transported explicitly from one place to another. He draws a 4 quadrant graph:

 Earth
 ^             |
 |  Desert     | Venice
 |             |
 | -------------------------
 |             |
 |  Swamp      | Ocean
 |             |
 ----------------------------> Water

You should aim to be in Venice with your IT organization. Buy and build your environment, taking the best from both worlds and become part of the eco system. Contract OpenSource developers to add the Features you need and pay them for support. This will give you contract security and OpenSource transparency at the same time.

Robert Lang on Computational Origami

Today origami designs are created with specialized computer software. Lang showcases spectacular designs, all done from a single sheet of paper without cutting. (www.origamidatabase.com ...) and (www.langorigami.com ...)

Dick Hardt from sxip

Dick has an exceptional presentation style. While showing about 10 slides a second he completely captures the audience's attention. See it to believe it.

Dick makes a case for Identity 2.0, an electronic equivalent to driver's licenses, passports and national identity cards, to enable Web 2.0. Currently you have to register on every website separately, and most of them rely only on your e-mail address for identification.

There are several solutions for this in the works, but nothing is widely accepted. Dick predicts that only a solution which leaves control with the individual (I choose whom I show my ID, and the state will never know whom I showed it to) will have a chance.

(www.sxip.com ...)

 

OSCON Talk: Customizing Mac OS X Using Open Source

Thursday, August 04, 2005 11:36 // Portland, Oregon, US

by Jordan Hubbard and Kevin van Vechten (from Apple)

All OpenDarwin sources are on-line and Google indexed.

One of the most prominent component is (webkit.opendarwin.org ...) the rendering component used in Safari.

If you want to put other OSS software onto your mac go to (darwinports.opendarwin.org ...) which is similar to freebsd ports. Use this to build software from source. If you want to get pre-built packages have a look at (fink.sourceforge.net ...)

OS X ships with many different versions of gcc; use gcc_select to switch the default compiler.

When building Darwin Kernel components, note that while Tiger ships with gcc-4.0 the kernel and its tools are compiled with gcc-3.3. Kernel compilation is governed by a number of environment variables which you have to set explicitly prior to compilation. There are also a number of missing header files.

To resolve all the potential problems you might run into when building Darwin components you may want to use the DarwinBuild Environment from (opendarwin.org ...)

With the darwinbuild command you can easily download and rebuild individual components of the OSX System.

If you are into hacking OS X, you will find all the normal communications from Apple rather fluffy. This has mainly to do with the standard audience for this kind of material. Make sure you subscribe to the OpenDarwin mailing lists, since all the important and knowledgeable tech people (from Apple) are there too and you should be able to get answers at a high technical level. Also, if you find a problem, make sure you file a bug with Apple's bug reporting system. These bug reports go directly to the responsible technical people within Apple.

 

OSCON Talk: The Latest (and Craftiest) Attack & Penetration Techniques and Tools

Thursday, August 04, 2005 13:39 // Portland, Oregon, US

The main problem with security scanners is that they produce a lot of false positives. If you work with a closed source tool there is no way for you to figure out where the false positives come from. With OSS tools these issues can be resolved easily.

Penetration Methodology

a) Discovery stage with whois, traceroute, google

b) Scanning to figure out which boxes exist

c) Service enumeration (service identification and banner grabbing); do not get confused by services running on the wrong port

d) Exploit known vulnerabilities if you can identify versions of services.

e) Install rootkits and log cleaning tools

Obviously only steps a) to c) are executed by security testing companies.

Google as Security tool

Google does not discriminate against private information. Often you can find xsl and doc files in Google which had not been put there intentionally.

Another great resource are Webserver directories without index files.

Error messages also get indexed by Google. Especially PHP apps are very helpful in this respect, revealing lots of internal information like path and file names.

Webcams use standard file names, so if you search for these strings you can easily find lots of them.

If you find htpasswd files via Google you can pull them, crack the passwords using john and then try password/user name combinations on Yahoo, Google, Hotmail. Since users often reuse user names and passwords, these attempts have a high probability of being successful.

The biggest advantage of Google, though, is that doing Google queries is anonymous and will not be detected by the target.

For greater efficiency one could write a script that uses the Google web service APIs to automatically run interesting queries against a certain target.

Nessus

The coolest thing about Nessus is that it is very easily extensible. It comes with its own optimized scripting language, NASL. The advantage of writing NASL scripts as opposed to writing them in a random scripting language is that NASL scripts plug right into the comprehensive Nessus user interface.

SQL Injections for Web applications

Many web applications have only rudimentary input validation.

$sql = "select * from users where user='$a' and password='$b'";

How about trying to log in with

' or true

This would end up as

select * from users where user='ddd' and password='' or true;

The possibilities are limitless. By adding a '; you could even start a completely new command.

Absinthe from (0x90.org ...) is a tool that tries to automate these attacks.
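The login bypass the talk describes, beside the parameterized form that closes it, as an added example that is not from the talk or the tools it mentions. The user table is constructed for the demo; the talk's "' or true" payload is padded with "or '" so that the quote the query appends is consumed and the statement still parses.

```python
import sqlite3

# Constructed sample user table for the demo; the talk did not supply one.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (user text, password text)")
    db.executemany("insert into users values (?, ?)", USERS)
    return db


def login_vulnerable(db, a, b):
    # Same shape as the talk's PHP: user-controlled text spliced into the SQL string.
    sql = f"select * from users where user='{a}' and password='{b}'"
    return db.execute(sql).fetchall()


def login_safe(db, a, b):
    # Hardened form: bound parameters, so the driver never parses the input as SQL.
    sql = "select * from users where user=? and password=?"
    return db.execute(sql, (a, b)).fetchall()


def demo():
    db = make_db()
    # The talk's "' or true", padded so the trailing quote the query appends
    # lands in a harmless empty string literal and the statement parses.
    payload = "' or true or '"
    return (
        len(login_safe(db, "alice", "s3cret")),     # legitimate login: 1 row
        len(login_vulnerable(db, "ddd", payload)),  # WHERE collapses to true: every row
        len(login_safe(db, "ddd", payload)),        # same input, bound: 0 rows
    )


if __name__ == "__main__":
    print(demo())  # (1, 2, 0)
```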

Tools

Metasploit is a point-and-click root tool (metasploit.com ...)

Wikto is an automated Google-enabled website vulnerability scanner (www.sensepost.com ...)

Ettercap: network MITM attacks, content filtering, sniffing, etc. (ettercap.sourceforge.net ...)

Whax is a live Linux distro with lots of A&P tools (iwhax.net ...)

 

OSCON Keynotes Friday

Friday, August 05, 2005 08:43 // Portland, Oregon, US // href

Asa Dotzler from the Mozilla Foundation on Linux on the desktop

There are 4 key factors to Linux success on the desktop

migration - the migration path for users must be as simple as possible. This means that there should be a way to copy complete user environments over from Windows to Linux, including bookmarks, last open files, everything.

stability - there must be a simple unified binary package format across all distros. Backward compatibility between releases must be absolute. API changes must not break existing applications. Mozilla today runs from Windows 98 to Windows 2003 with a single binary distribution.

simplicity - too many choices in setup and configuration frighten new users. Installers should not offer choices, since new users cannot answer these questions. In general the developers should offer a good solution instead of a bag of selectable ones.

comfort - fulfill people's expectations of how things should work. And what people expect today is largely influenced by Windows.

There is increasing incentive for people to move over from Windows, because

a) of constant expensive Windows updates

b) Windows is so malware ridden that it approaches the state of unusability for average users.

So the time to bring more users to Linux on the desktop has never been better than now. The technology is ready.

In the Q&A afterward, an Ubuntu person said that the next Ubuntu release will have full HW support for current Dell, HP and IBM laptops.

Edny on OpenSource Genetics

Edny makes a case for the difficulty in getting anything done at all in genetics today because of the devastating effects of patents on all sorts of tiny bits of genetic information. He mentions two websites that are working against this problem by sharing open genetic information: (parts.mit.edu ...) and (www.biobricks.org ...)

Danny O'Brien on CA releasing Ingress as OpenSource

After lengthy details about licensing choices there is an interesting Q&A which boils down to: CA has NOT given up Ingres. They are building all their tools on Ingres today, and there are more CA people working on Ingres today than before the release.

Tony Gaughan

Talks about creating instructions. He is one of the makers of Howtoons, an excellent series of cartoons on "How To ..." for kids: (howtoons.com ...)

 

OSCON Talk: ActiveGrid Application Builder

Friday, August 05, 2005 10:45 // Portland, Oregon, US // href

by Yared

ActiveGrid is an IDE for building web applications. It is written in Python, but it supports not only Python as a language but also PHP and Perl (in progress).

ActiveGrid has support for different databases and graphical representations for database structures and page flows. It uses standard XML formats (mostly from W3C and OASIS) for the representation of all the things you edit graphically. In contrast to other tools ActiveGrid is not a code generator; it works by looking at the structure of tables and processes and works out what to do at runtime. This allows it to adapt to the browser that is using the app.

There is built-in support for web services. Web services can be accessed like databases. Or rather databases can be accessed like web services.

The server side runs in Python (currently), PHP (soon), Perl (soon). There is also a special Apache module called mod_activegrid. The server side has an elaborate caching architecture to minimize processing at every stage.

(www.activegrid.com ...)

 

OSCON talk: Greasemonkey - DIY Website improvement

Friday, August 05, 2005 11:36 // Portland, Oregon, US // href

by Aron Boodman

Greasemonkey grew out of bookmarklets, where bookmarks contain little bits of JavaScript instead of web page URLs.

GM is a Firefox extension that lets users alter web pages as they come in. Since you cannot really control what the website providers do, this whole website adaptation process is very fluid. Sort of shell scripting for websites.

Greasemonkey scripts are just normal JavaScript with a special header section added that gives Greasemonkey additional information about where to use the script.

// ==UserScript==
// @name        User Script Template
// @namespace   (younpup ...)
// @description Test script
// @include     *google.com*
// @exclude     *mail.gmail.com*
// ==/UserScript==
alert('Hello World');

Read more on Greasemonkey at (diveintogreasemonkey.org ...)

Get Greasemonkey from (greasemonkey.mozdev.org ...)

Website providers seem to like Greasemonkey since it gives them higher user loyalty. Some websites have even integrated features that were pioneered by Greasemonkey scripts.

Greasemonkey had several security issues in June; these were fixed with Greasemonkey 0.5. On top of that, special changes were made to Firefox Deer Park to further improve security by protecting the document and window globals. Also, in FF 1.5 Greasemonkey will be executed in a sandbox that better separates it from the influence of malicious documents.

The ultimate book on JavaScript: "JavaScript: The Definitive Guide" (www.amazon.com ...)

 

OSCON Closing Session

Friday, August 05, 2005 12:54 // Portland, Oregon, OR // href

Miguel de Icaza about Linux on the Desktop

Novell (5500 people) is moving itself away from Windows. The first stage, a move from MS Office to OpenOffice, is already complete. The OS migration has progressed to 50% and should be at 80% by November. This dog food approach gives them a lot of insight into the Linux on the desktop problem.

Major tasks are: making hardware work and implementing missing functionality in the OS.

All the new applications Novell does for Linux are implemented in Mono, which makes porting from Windows much simpler. Mono currently supports the following CPUs: Itanium, SPARC, StrongARM, x86-64, s390; it runs on Linux, Solaris and OS X.

GNOME is being migrated to Cairo-based vector rendering and, to further accelerate things, the X11 display is being moved to run on top of OpenGL, meaning all rendering is becoming hardware accelerated.

Miguel shows a number of neat demos of the new desktop, like for example an mplayer window wrapping around the edge of a 3D box-shaped desktop (each side of the box is a desktop) as the mplayer window is moved from one desktop to another. The new desktop stuff will debut in SuSE 10, due in October.

Novell will start something called OpenSuSE in the next few weeks where you can download ISOs of the running system as it is being developed.

 
