Marcello Barnaba Homepage (A Blog)

Panmind spin-offs presented at Ruby Social Club Milan

On July 22nd 2010, Mikamai hosted a Ruby Social Club in Milan, where nearly 50 people attended five talks about Ruby, Web development and startups. I was glad to be one of the speakers, and I presented a set of Rails plugins we spun off from our latest (and greatest) project, Panmind (read more on the about page), and released as Open Source on GitHub.

The keynote is split in two parts: the first one explains why you should follow the sane software engineering principle of writing modular, interest-separated code, and then how you could (and should) extract it from your Rails application by decoupling configuration and prepare it for the Open Source release, by writing documentation AND presenting at a Ruby event so that, hopefully, someone else will write the unit tests! :-)

We released an SSL helper plugin that implements filters (like Rails' ssl_requirement) but also named route helpers: no more <%= url_for :protocol => 'https' %>! You'll have something like plain_root_url and ssl_login_url, as if they were built into the framework. Then, an ultra-simple Google Analytics plugin, with <noscript> support, a couple of test helpers and the embryo of a JS Analytics framework, which will hopefully evolve into a complete jQuery plugin. Then, a ReCaptcha interface with AJAX validation support, and finally a Zendesk interface for Rails.

We also released more code on Panmind's GitHub account, including the nifty AJAX Navigation Framework that implements all the boilerplate code for the ultra-fast AJAX navigation of Panmind contents and projects.

The keynote follows; you can download it in PDF (no exploits, I swear! :-) from this link or view/comment it on Slideshare here.

Final words: check out the Mikamai blog post on the Ruby Social Club to read the other keynotes (I will, hopefully, update this post with sum-ups of them when time permits :-)) and say hello on Twitter or on GitHub if you're interested in contributing to our open source projects or you want to work with us.

PS. The Slideshare flash-based player sucks by design and relies on its app servers, on its CDN and on the S3 CDN to work properly: if any of these breaks, the whole thing will break. If you find it broken, download a PDF version of this keynote here.

Posted at 16PM on 08/05/10 | 2 comments | Filed Under: development

On the iPhone PDF and kernel exploit

As most of you already know, there are two open, critical vulnerabilities in iPhone OS versions from 3.x upwards. The first one resides in the Compact Font Format component of the PDF renderer, and the second one is an error in the kernel that allows attackers to bypass the sandbox (SeatBelt) inside which applications run on the iPhone.

The two vulnerabilities were discovered by @comex, @chpwn and other people.

Only a few weeks after the .lnk design flaw on Windows (guys, you’re using LoadLibraryW to load a damn icon!), these iPhone OS vulnerabilities are even more interesting, because of the way the release is being handled by the community and the vendor.

I spent 3 hours last night trying to find detailed information about the bug, and apart from confused (and propagandistic) blog posts the only bit of information is in this tweet, and in the actual PDF exploit running on jailbreakme.com. Where are the security list posts? Where is the CVE? Even CERT still doesn’t say anything about this vulnerability.

There’s something terribly wrong going on: the cat-and-mouse game that is making the iphone-dev team researchers not disclose any of the vulnerabilities they find has become very dangerous for end users. An exploit that allows remote code execution and jail escape without any interaction whatsoever by the user, delivered via something that is usually considered “safe” (a PDF file), is what is called a critical hole, while the exploit that uses it is called a 0-day. It’s the first time in my life I see a 0-day packaged and distributed explicitly via a web site.

Anyway, the dev-team researchers had no other choice: if they had communicated with Apple prior to public disclosure, we wouldn’t have had such an easy jailbreak vector; OTOH now we have vulnerable phones and pads that can very easily be exploited by malicious parties. It’s also funny that in order to be warned when a PDF is about to be loaded, and thus mitigate the risk, you should jailbreak your device and install the PDF Loading Warner afterwards.

My stand on this is that the real problem is Apple itself: they’ve created a walled garden, outside any legislation, where they’re the absolute god and give and take whatever they want. It’s not gonna work forever. I really hope that people will understand that it’s not the hackers’ fault, rather it’s the totalitarian companies’ fault, for not giving us control over the devices we buy from them. Hackers are only trying to liberate them, and it’s fair use under the DMCA, after all.

UPDATE 2010-10-05: I’ve posted a summary of this bug on the full-disclosure mailing list – you know, if it’s not on FD no one would think about it :-).

Posted at 12PM on 08/04/10 | 0 comments | Filed Under: politics

Spent my day on Erlang-Ruby-Marshal today ;-)

In a nutshell, it adds support for unmarshaling 1.9 strings, and implements the last type that was still missing from the code (TYPE_LINK). Tests are still lacking; can someone help? :-)

Added TYPE_LINK, needed because of how ruby 1.9 marshals strings.

In 1.9, Ruby marshals the string encoding in the binary output, and
uses an Ivar construct (TYPE_IVAR) to wrap the string and adds an
"encoding" instance variable (notice: without a leading @) whose
value is the encoding itself.

While the Ivar code worked correctly, the values of the encodings
are actually *strings*, that are being reused via the TYPE_LINK
construct, that wasn't implemented.

So, the get() and put() primitives are being used to store not
only tuples {id, sym} for symbols, but now store either

  {{symbol, ID}, sym}

  OR

  {{value,  ID}, val}

for the other types that use TYPE_LINK.

By reading the ruby marshal.c source code, it looks like MANY
data types save their values in the arg->data hashtable, but by
inspecting the binary marshal output of, e.g., an array of floats,
links aren't used.

Thus, in this unmarshaler, links are considered, for now, only for
strings and regexes.

Fork me on GitHub: http://github.com/vjt/erlang-ruby-marshal

Posted at 19PM on 05/11/10 | 2 comments | Filed Under: development

CouchDB 0.11 Invalid UTF-8 JSON: Solved

If your CouchDB 0.11 gives you the “Invalid UTF-8 JSON” error on every POST or PUT you issue to it, make sure that in your $prefix/usr/lib/couchdb/erlang/lib there aren’t leftovers from previous installations.

On our dev server, I found there two directories (“couch-0.10” and “mochiweb-r97“) from the old 0.10 setup that were causing this issue.

This applies if you upgraded from source, as you probably did, because there aren’t too many packages of CouchDB 0.11 as of April 2010 :-).

Huge thanks to @couchdb for pointing me in the right direction after reading a report on the dev mailing list; I didn’t want to “remove and reinstall” because I like to understand what’s going on ;-).

Footnote: could this be the end of Hiatus? I hope so ;-p

Posted at 19PM on 04/03/10 | 0 comments | Filed Under: development

Hiatus

Dear blog,

I’m so sorry I’ve abandoned you: I haven’t written anything on you for 6 months. :-( But I promise you I’ll write articles, technical dissertations, and other kinds of stuff with my usual logorrhea… soon.

It would also be nice if your readers (anyone?) suggested something, as I am quite sad that you receive so few comments, even if Google Analytics says you receive circa 30 visits per day.

Anyway, it’s time to say “bye for now”.

Truly yours,

~Marcello

Posted at 12PM on 01/11/10 | 0 comments | Filed Under: number 42

Doing something is always better than doing nothing

From the stage of the web2.0 Expo 2008 in San Francisco, Clay Shirky talks about the social revolution carried by web2.0 into contemporary society, from TV to Wikipedia and World of Warcraft. And in 2008 Twitter had yet to be globally recognized.

Original video file and related discussion here (courtesy of blip.tv). Score: 5 (insightful)

Posted at 15PM on 06/12/09 | 0 comments | Filed Under:

Rails3: Better, Faster, Stronger

For those who understand Italian, I’ve just published an article on therubymine.com on the upcoming Ruby on Rails framework release, version 3.0: the big news is the merger with another Ruby web framework, Merb.

Have a nice read! :-)

http://therubymine.com/2009/06/04/rails3-better-faster-stronger/

Posted at 14PM on 06/04/09 | 0 comments | Filed Under: development

It just takes one person to get the party started

  • The sad conclusion: «humans are such herd animals»
  • The good conclusion: «virality has always existed, it’s not an invention of Web2.0. Social networking is just a powerful tool for everyone that wants to change the world»
  • The mean conclusion: «how much does it take to get people from their computers to the real world after a virtual “heads up” by some “dancing man”?»

Posted at 10AM on 05/31/09 | 0 comments | Filed Under: number 42

About

This is sindro.me, a weblog by Marcello Barnaba (vjt) about technology, ruby, development, software, the internet, entertainment, politics, sociology, and the answer to Life, Universe, and Everything (42).