Re: [The Java Posse] Re: Playbook is a more dev friendly than Xoom

2011-04-02 Thread Ryan Schipper
Don't forget Windows CE (
http://www.wired.com/threatlevel/2010/07/atms-jackpotted/ ).

My first job out of university involved maintaining desktop
cryptography software for use with online services. I recall the
bowels of CVS containing an OS/2 and a BeOS prototype.

On 29 March 2011 08:26, Scott Finnie  wrote:
> I'd bet more people than you realise.  It was the OS of choice for the
> majority of ATMs shipped from ~1990 to ~1995, then usage decreased steadily
> as winnt gradually took over.  So if you've ever taken cash from an ATM then
> you're most likely an unwitting OS/2 user.
>
> I'd bet there's still a good number of holes-in-the-wall dispensing cash
> under OS/2 control...
>
>
> On 27/03/2011 19:29, Vince O'Sullivan wrote:
>
> On Mar 25, 9:02 pm, Dominic Mitchell  wrote:
>
> Hey!  Running windows apps worked really well for OS/2.
>
> Did anyone ever actually use OS/2?
>
> --
> You received this message because you are subscribed to the Google Groups
> "The Java Posse" group.
> To post to this group, send email to javaposse@googlegroups.com.
> To unsubscribe from this group, send email to
> javaposse+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/javaposse?hl=en.
>




Re: [The Java Posse] Prevent jail-breaking on username/password stored on mobile device

2011-04-12 Thread Ryan Schipper
Hi Vijay,

This is a Java-specific list. You may not get many responses as your
questions are largely language agnostic.

Regarding your questions:

(1) I assume that you mean you don't want jail broken devices to
access the application. Why? To do this, you will need to determine
whether the device has a legitimate operating system. If the device
APIs allow you to query the OS version and name, this will be helpful.
Of course, jail broken devices could report 'legitimate' values. What
level of assurance is required?

(2) HTTP over SSL is not an authentication method. It secures the
channel between the device and the server. From a quick look at the
website, Jersey supports the OAuth API. Read their documentation. It
will describe what the authentication protocol involves.

(3) To store secret data in iOS, you should be using the Keychain API.
I'm not sure about Android. Do some web based research.

Regards,

Ryan Schipper

On 13/04/2011, at 3:47 AM, "bvija...@gmail.com"  wrote:

> Hi,
>
> I am working on a mobile app for iPhone and Android. I need to be able
> to let users log in with username/password. I am using https.
> I want to prevent jail-breaking on the mobile device. I want to store
> the username/password on the mobile device. The mobile app
> will talk to a stateless REST service built in Java.Jersey on the
> back-end for authentication and data related calls.
>
> I looked at Digest authentication but I am already using https. I
> looked at using a shared secret or nonce (1 time token) but I am not
> sure how to proceed with that.
> I do need the username/password encrypted on the mobile device and
> sent to the REST service which needs to be able to decrypt it.
> But this shared secret should be different across each mobile
> device. Can this prevent jail-breaking? Do I have to do a 401 return
> with www-authenticate like in digest authentication to get the shared
> secret/nonce the 1st time round and store it locally too on the mobile
> device?
>
> Can you please suggest some ways to do this ?
>
> TIA,
> Vijay
>
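
An added illustration, not part of the thread and not Jersey or OAuth code: one way to realise the per-device shared secret and nonce raised in the question, so that the device keeps a revocable random secret (in the Keychain on iOS) instead of the password, and HTTPS still protects the channel. The class and method names are hypothetical, the in-memory maps stand in for a real store, and enrolment is assumed to happen only after a normal password check over HTTPS.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical server-side check: per-device secret + nonce, no password on the device. */
public class DeviceAuth {
    // Requests older or newer than this are refused, which bounds how long nonces must be kept.
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, byte[]> deviceSecrets = new ConcurrentHashMap<>();
    // Assumption: a real service would expire entries once they fall outside MAX_SKEW_MS.
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet();

    /** Issue a fresh 256-bit secret for one device; call only after the password was verified. */
    public byte[] enrollDevice(String deviceId) {
        byte[] secret = new byte[32];
        rng.nextBytes(secret);
        deviceSecrets.put(deviceId, secret);
        return secret.clone();
    }

    /** A lost or compromised device is cut off without changing the user's password. */
    public void revokeDevice(String deviceId) {
        deviceSecrets.remove(deviceId);
    }

    /** HMAC-SHA256 over the parts of the request that must not be altered or replayed. */
    public static byte[] sign(byte[] secret, String method, String path,
                              String nonce, long timestampMs) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        String message = method + "\n" + path + "\n" + nonce + "\n" + timestampMs;
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    public boolean verify(String deviceId, String method, String path, String nonce,
                          long timestampMs, byte[] signature, long nowMs)
            throws GeneralSecurityException {
        byte[] secret = deviceSecrets.get(deviceId);
        if (secret == null) {
            return false; // unknown or revoked device
        }
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) {
            return false; // stale or future-dated request
        }
        byte[] expected = sign(secret, method, path, nonce, timestampMs);
        if (!MessageDigest.isEqual(expected, signature)) { // constant-time comparison
            return false;
        }
        // Record the nonce only after the signature checks out, so forged
        // requests cannot fill the set; add() returns false for a replay.
        return seenNonces.add(deviceId + ":" + nonce);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        DeviceAuth server = new DeviceAuth();
        byte[] secret = server.enrollDevice("device-A"); // constructed sample device id
        long now = System.currentTimeMillis();

        String nonce = UUID.randomUUID().toString();
        byte[] sig = sign(secret, "GET", "/accounts/42", nonce, now);
        System.out.println("fresh request:  "
                + server.verify("device-A", "GET", "/accounts/42", nonce, now, sig, now));

        // The identical request sent a second time exercises the replay check.
        System.out.println("replayed:       "
                + server.verify("device-A", "GET", "/accounts/42", nonce, now, sig, now));

        // A signature made for one path presented with another exercises the integrity check.
        String nonce2 = UUID.randomUUID().toString();
        byte[] sig2 = sign(secret, "GET", "/accounts/42", nonce2, now);
        System.out.println("tampered path:  "
                + server.verify("device-A", "GET", "/accounts/43", nonce2, now, sig2, now));

        // A correctly signed request with a ten-minute-old timestamp exercises the skew check.
        long old = now - 10 * 60 * 1000L;
        String nonce3 = UUID.randomUUID().toString();
        byte[] sig3 = sign(secret, "GET", "/accounts/42", nonce3, old);
        System.out.println("stale request:  "
                + server.verify("device-A", "GET", "/accounts/42", nonce3, old, sig3, now));

        // After revocation even a fresh, correctly signed request is refused.
        server.revokeDevice("device-A");
        String nonce4 = UUID.randomUUID().toString();
        byte[] sig4 = sign(secret, "GET", "/accounts/42", nonce4, now);
        System.out.println("after revoke:   "
                + server.verify("device-A", "GET", "/accounts/42", nonce4, now, sig4, now));
    }
}
```

Tracking nonces means the service keeps a small amount of per-device state, which is a trade-off against the stateless design described in the question.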




Re: [The Java Posse] Re: package.html vs. package-info.java

2011-05-05 Thread Ryan Schipper
JAXB uses Package Annotations (@XmlSchema, for instance).

See http://wiki.eclipse.org/Dali/Indigo/JAXB_2.x/PackageAnnotations#.40XmlSchema

-- Ryan Schipper

On 6 May 2011 00:34, Eric Jablow  wrote:
> On May 5, 9:18 am, "hayden.paul.jo...@gmail.com"
>  wrote:
>> As often happens, I actually noticed that the jdk7 source had many
>> package-info.java files after I had posted my message.  :-(
>
>> On May 4, 6:00 am, Bruce Chapman  wrote:
>
>>
>> > > From:http://download.oracle.com/javase/1.5.0/docs/tooldocs/windows/javadoc...
>
>> > >      package-info.java - Can contain a package declaration, package
>> > > annotations, package comments and Javadoc tags. This file is new in
>> > > JDK 5.0, and is preferred over package.html.
>
> I have never seen a package annotation in the wild. I suppose someone
> might @Deprecate[d] a package, but I've never seen it. Perhaps a
> package-info.java file might include annotations for per-package
> versioning and sealing: @ImplementationTitle, @ImplementationVersion,
> @ImplementationVendor, etc.
>
> A smart JAR tool could scan packages for these annotations
>
> Respectfully,
> Eric Jablow




Re: [The Java Posse] Java7 and loops - Before FUD gets out of hand...

2011-08-03 Thread Ryan Schipper
Presumably it's part of their change process to have bug-specific unit
tests (I've personally been doing it for years).

-- Ryan

ps. OpenJDK documentation seems to agree:
http://openjdk.java.net/guide/changePlanning.html#bug

On 3 August 2011 08:03, Mark Derricutt  wrote:
> If it was just "a broken lucene" then maybe, but this revealed bugs in
> Hotspot itself.
> I'd be curious to know how/why these bugs never revealed themselves earlier
> in whatever tests hotspot currently has, and whether or not any test cases
> have since been added to cover this now.
> Mark
>
> On 3/08/2011, at 9:11 AM, Kirk wrote:
>
> Bottom line, everyone knew it was coming; the builds were freely
> available. I've been using 7 on my Mac for months so I don't have much
> sympathy in this case.
>




Re: [The Java Posse] Supporting non Javascript websites

2011-09-29 Thread Ryan Schipper
Hi Rakesh,

By the reference to the DDA, I'm assuming you're in Australia.

By law, all services and information provided through the Internet
require DDA compliance (where reasonable). This is not surprising
considering the statistics: in 1988, 16% of Australians were disabled
(http://www.abs.gov.au/ausstats/abs@.nsf/9ba0bb65ce08ccc6ca2570820081db23/1618215db8a5c6abca25692d0083019d!OpenDocument).
Given the increasing capabilities in curative and palliative medicine
in 1st world countries, this number is only going to climb.

There are a lot of resources available online to assist you in
designing and implementing DDA-compliant web sites.

Click here for more info:
http://www.hreoc.gov.au/disability_rights/standards/www_3/www_3.html

-- Ryan Schipper

On 30 September 2011 08:06, Rakesh  wrote:
> Well, it's certainly true the foundations are probably shaky.
> From what I can gather, it seems to be an interpretation of the Disability
> and Discrimination Act (DDA).
> Fortunately, the senior architect spoke to me earlier and says he is close
> to having the decision reversed. The only down side is that we probably
> aren't DDA compliant anyway!!
> Rakesh
>
> On 29 September 2011 18:48, Robert Casto  wrote:
>>
>> You could try to make the case based on something they understand.
>>
>> MONEY
>>
>> Tell them how much more it will cost, wasted time, and that no sales come
>> from it. If you lay it out in a very logical way such that they understand
>> it is a waste of time and money and won't affect the bottom line, then you
>> have a chance.
>>
>> Or, you need to do some asking around to figure out why the company wants
>> non-JS functionality. They might have a good reason or it could be something
>> deeply seated that will be very hard to root out.
>>
>> I used to work for a company that mandated IE6 compatibility. It caused
>> nothing but trouble with the development. It was to ensure everyone could
>> continue to use the application, but there was a catch. Users used IE6
>> because that was the only browser that the site would work with. So of
>> course that was what all the reports would show and thus management thought
>> they had to support that. There was no discussion of regressing nicely or
>> changing requirements to use a new browser. That site was stuck in IE6 and
>> nothing could be done to free it from those shackles.
>>
>>
>> On Thu, Sep 29, 2011 at 8:30 AM, Rakesh 
>> wrote:
>>>
>>> Hi folks,
>>> I would be interested in experiences/opinions about supporting non JS.
>>> My current, commercial, company insists that we need to maintain non JS
>>> functionality on our site. What this has done is complicate enormously the
>>> front end and the back end.
>>> Going forward I would like to propose moving our architecture to GWT but
>>> that would mean losing non JS support (but gaining so much more in other
>>> areas).
>>> What do others do? Maintain a separate site? Choose not to support non JS
>>> browsers (perhaps showing a page to call instead)?
>>> BTW, according to the stats we make zero sales from non JS visitors - and
>>> it seems all the visitors are from our own testing dept!!! Somehow the upper
>>> levels of business have got it into their heads that non JS version of our
>>> site is mandatory (maybe even illegal not to do so).
>>> Thanks
>>> Rakesh
>>>
>>
>>
>>
>> --
>> Robert Casto
>> www.robertcasto.com
>> www.sellerstoolbox.com
>>
>




Re: [The Java Posse] Re: Mozilla thinks of blocking Java

2011-10-02 Thread Ryan Schipper
Casper,

(1) That study concludes that most exploits are a result of unpatched
software and then suggests I download the patch management software their
company developed. Personally, I'll take their results with a grain of salt.

(2) Mozilla freely admit that all plugins are problematic (Flash has been
subject to countless exploits over the years).

(3) Not many people use java? I will assume that you mean Java Applets
specifically. Even then: Oracle delivers all their web seminars and web
based training using Webex (as do other companies I'm sure). Citrix is
prolific (here in Australia, correct me if I'm wrong about the rest of the
world) and applet based corporate VPN clients are quite popular. That's just
the most common uses I've seen. I've also seen time management applications,
web-based visualisations of scientific principles, 3d floor planners, games,
teaching aids. That's just in the past six months.

I'd wager that if Firefox disables the Java plugin, one of two things
happen:
- customers begin migrating back to other browsers (that retain support for
it), or
- customers revert to a version of Firefox without the ban (assuming this is
possible).

Regards,

Ryan Schipper

On 02/10/2011, at 3:05 AM, Casper Bang  wrote:

The JRE is a major security risk and has been for quite a while. A recent
study by the Danish security company CSIS concludes 37% of exploits are
caused by the presence of the JRE:
http://www.csis.dk/en/csis/news/3321/

So in that light, and considering how few people actually need Java, it
makes good sense from Mozilla.




Re: [The Java Posse] Hiring developers outside the development offices country

2011-10-17 Thread Ryan Schipper
Language and work culture.

The first - language - is an issue for the obvious reasons.

The second - culture - is the more difficult issue to deal with.  I've
worked with staff from abroad (several countries) and attitudes have
varied.

The following will help:

1. Indicate that you are only interested in applicants with a high
degree of proficiency in your shared language. Test this at the
interview. Use complex grammar. By all means, don't rule people out if
they are otherwise brilliant, but keep it in mind that if your staff
have difficulty communicating, every molehill can become a mountain.

2. Set clear expectations about pay and conditions, work hours and
team dynamics - one of the key issues I have had to deal with is
hiring developers from countries with a caste system into a workplace
that was entirely merit-based.

3. If you can, try to get staff who aren't entrenched in their current
job; you're looking for flexibility and adaptability (at least
initially) and not necessarily long term commitment, which may result
in a more relaxed attitude.

4. Learn as much as you can about the work practices and culture of
the countries you are hiring staff from =D

Finally, good luck! I've met plenty of excellent developers from
abroad so I hope your experience is as positive.

-- Ryan

On 17 October 2011 21:28, staa...@gmail.com  wrote:
> Hi all.
>
> I work for a company with a small team of 6 developers. It looks like
> in the not too distant future we will have a lot more work to do than
> we can handle with such a small staff. Our management want to hire
> developers in another country to either assist us off-site, or fly
> them over to work with us. This is because we can get 3-5 developers
> there for the price of one locally.
>
> I am wondering if others have had experience with hiring people in a
> different country with cheaper labor to support in development. Our
> opinion is that we will produce better results by hiring great
> developers locally than going to a different country to hire. Maybe I
> don't have an open enough mind about this, or maybe management is all
> wrong in thinking that a developer is a developer, and we just need to
> find the great ones in a different country at a lower price.
>




Re: [The Java Posse] ZDNet article about online security advises users to uninstall Java

2012-01-12 Thread Ryan Schipper
On 13 January 2012 04:48, Fabrizio Giudici
 wrote:

> Apple itself is working on an official feature for OpenJDK 7 which is a
> pre-cooked JRE bundle to be embedded in apps.
>

Those interested can already build a JRE bundle as part of the OSX
Java 1.7 build from Oracle. Or, download one built by others:

http://code.google.com/p/openjdk-osx-build/

You can get more information about the status of the Mac OS X Java 1.7
port here:

http://java.net/jira/browse/MACOSX_PORT
https://wikis.oracle.com/display/OpenJDK/Mac+OS+X+Port+Project+Status

Or join the mailing list (which will also keep you aware of upcoming bug fixes):

http://mail.openjdk.java.net/mailman/listinfo/macosx-port-dev

>
> The fun thing is that in this way, unless the application developer cares by
> himself for upgrades, the JREs won't be automatically updated for the latest
> fixes. As it often happens, people believe to act smarter and ends up
> dumber.
>

The existence of a system JRE never negated the need for secure
development practices.

In some respects it made patch management easier (one place to
update), but it adds complexities when the JRE introduces bugs in one
application but not another (or worse, fixes bugs in one application
and introduces them in another).

Meanwhile, the trend in commercial application development is to have
an application-specific automatic update feature.

I'd argue that, assuming responsive development processes, the
combination of an embedded JRE and an application-specific automatic
update feature could result in more secure client systems.

> --
> Fabrizio Giudici - Java Architect, Project Manager
> Tidalwave s.a.s. - "We make Java work. Everywhere."
> fabrizio.giud...@tidalwave.it
> http://tidalwave.it - http://fabriziogiudici.it
>
>




Re: [The Java Posse] Developing a transformation component

2012-01-25 Thread Ryan Schipper
I'm not familiar with MongoDB, but if it was an Oracle database I'd be
writing a stored procedure in PL/SQL. The proc would run on the target
DB and perform remote selects on the source.

Is remote connection capability common in this brand new NoSQL world?

Regards,

Ryan Schipper

On 26/01/2012, at 8:04 AM, Rakesh  wrote:

> Hi,
>
> I need to develop an app that will take data in one database and
> transform it and put it into another database.
>
> The databases are MongoDb storing JSon data.
>
> I could just do it in Java, converting the Json in Java objects,
> transform them and then convert the resulting objects back into JSon
> for inserting into the other database.
>
> Anyone have any ideas for doing it any other way? The requirements:
>
> 1. Developed using proper tooling - none of this Vi/Emacs/Non-GUI
> crap. I use IntelliJ.
> 2. Needs to be unit testable
> 3. Performance is key
>
>
> Thanks
>
> Rakesh
>




Re: [The Java Posse] Developing a transformation component

2012-01-26 Thread Ryan Schipper
Fyi

http://www.mongodb.org/display/DOCS/Server-side+Code+Execution#Server-sideCodeExecution-Storingfunctionsserverside

Regards,

Ryan Schipper

On 26/01/2012, at 9:39 AM, Rakesh  wrote:

> pretty sure there's no concept of stored procs with MongoDb.
>
> On 25 January 2012 21:50, Ryan Schipper  wrote:
>> I'm not familiar with MongoDB, but if it was an Oracle database I'd be
>> writing a stored procedure in PL/SQL. The proc would run on the target
>> DB and perform remote selects on the source.
>>
>> Is remote connection capability common in this brand new NoSQL world?
>>
>> Regards,
>>
>> Ryan Schipper
>>
>> On 26/01/2012, at 8:04 AM, Rakesh  wrote:
>>
>>> Hi,
>>>
>>> I need to develop an app that will take data in one database and
>>> transform it and put it into another database.
>>>
>>> The databases are MongoDb storing JSon data.
>>>
>>> I could just do it in Java, converting the Json in Java objects,
>>> transform them and then convert the resulting objects back into JSon
>>> for inserting into the other database.
>>>
>>> Anyone have any ideas for doing it any other way? The requirements:
>>>
>>> 1. Developed using proper tooling - none of this Vi/Emacs/Non-GUI
>>> crap. I use IntelliJ.
>>> 2. Needs to be unit testable
>>> 3. Performance is key
>>>
>>>
>>> Thanks
>>>
>>> Rakesh
>>>
>



Re: [The Java Posse] AIDE, a Java IDE running on Android...

2012-03-07 Thread Ryan Schipper
Agreed.

With a Motorola Atrix and laptop dock...

On 8 March 2012 06:20, Mark Derricutt  wrote:
> This looks pretty awesome, especially for those using an Android tablet,
> however - just watching the video using a phone…   ug - I really can't see
> myself coding on my SGS2 much.
>
> --
> Mark Derricutt
> Sent with Sparrow
>
> On Thursday, 8 March 2012 at 4:41 AM, Fabrizio Giudici wrote:
>
> ... or, how we enjoy reinventing the wheel every time. It's cool to have a
> first, primitive way to develop entirely on Android, but when you look at
> the millions man hours behind projects such as NetBeans or Eclipse, and
> realize that everything has to be reinvented for Android, you can't but
> thinking that we love to waste our time. Just because we can't have
> regular Java on Android.
>
>
> http://www.engadget.com/2012/03/07/develop-android-using-aide-video/
>
>
> --
> Fabrizio Giudici - Java Architect, Project Manager
> Tidalwave s.a.s. - "We make Java work. Everywhere."
> fabrizio.giud...@tidalwave.it
> http://tidalwave.it - http://fabriziogiudici.it
>




Re: [The Java Posse] Choosing a better software stack

2012-03-19 Thread Ryan Schipper
In a similar vein, have you tried deploying Grails to Tomcat instead of
Jetty?

http://grails.org/doc/latest/guide/gettingStarted.html#supportedJavaEEContainers

On Tuesday, March 20, 2012, phil swenson  wrote:
> "Our platform is not about typical CRUD. We do not have a html
> front-end for example. Or a relational db. We use Mongodb.
>
> We are also concerned about the runtime performance of Grails as well
> as how long it takes to startup in Jetty."
>
> I don't know Grails very well,  but I am certain that you are not
> forced into a CRUD model.
>
> Check this out:  http://grails.org/plugin/mongodb
>
> And of course run this search:
>
> https://www.google.com/webhp?sourceid=chrome-instant&ix=seb&ie=UTF-8&ion=1#hl=en&output=search&sclient=psy-ab&q=grails%20mongo&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&gs_l=&pbx=1&fp=d6dedd7a89ce7f98&ix=seb&ion=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.,cf.osb&biw=1442&bih=1018
>
> My other question is:  why do you think that the web stack is going to
> be your bottleneck?  It usually isn't.  And don't forget that Grails
> largely wraps up spring (which is written in java).
>
> But that all being said:  check out the Play framework.  If you prefer
> Java, it's your best bet IMO.
> http://www.playframework.org/modules/mongo
>




Re: [The Java Posse] Why is Oracle so slow?

2012-08-29 Thread Ryan Schipper
Based on extensive experience in large organisations, the likely culprits
are:

- Assessment and Prioritisation (anyone with visibility of Oracle's
security team size and load, here?)
- Regression Testing
- Motivation ($$$)

To a lesser degree, their change control workflow could also be a barrier.
Organisations generally expedite security patches, but in the wrong
(right?) environment, the end-to-end approvals process could still take a
week. Fancy a visit to your local Change Advisory Board, anyone?

Frankly, 'Java' isn't really the problem - the problem is the prevalence of
unpatched Java (and Flash and more generally, third party software)
installations.

The Australian DSD (our version of the NSA) indicated recently that 85% of
the incidents they investigated could have been avoided through:
- effective patch management (3rd party and OS)
- applying the least-privilege principle
- implementing application whitelisting

See http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm for more
details.

-- Skip

On 30 August 2012 15:14, Casper Bang  wrote:

> Forget about spending a decade debating closures - I'm talking about
> patching security holes here! The last couple of years, Java has become
> the predominant vector of attack, to the point that I recommend friends and
> family *not* to run it at all. Life is rarely that simple however, as i.e.
> the case with a Danish national SSO solution (taxes, banks etc.), for all
> practical purposes requiring applet functionality to be enabled for every
> citizen.
>
> The latest vulnerability already seems to have the Poison Ivy trojan
> spreading all over. It seems however, we're far from zero-day vulnerability
> attacks, as these were brought to Oracle's attention some 4 months ago:
> http://www.security-explorations.com/en/SE-2012-01-press.html
>
> I have now stitched together a Chrome plugin to only allow certain trusted
> applets to run, but your average Joe doesn't have that option. There's still
> no fix available and that's just not good enough!
>

-- 
You received this message because you are subscribed to the Google Groups "Java 
Posse" group.
To post to this group, send email to javaposse@googlegroups.com.
To unsubscribe from this group, send email to 
javaposse+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/javaposse?hl=en.



[The Java Posse] Why is Oracle so slow?

2012-08-30 Thread Ryan Schipper
It is an inherent problem of the software industry.

Secure software costs increasingly more money for decreasingly tangible
benefit.  Security is (more often than not) secondary to functionality,
profit and time to market.

Ask your mum/sister/brother/uncle/neighbor if they want 'the Internet' to
be secure. Ask them how much more they want to pay for that security.

Compare the amount of money people are willing to pay for security with the
amount of profit a malware author will make by writing an exploit.

There's your metric.

On Thursday, August 30, 2012, Fabrizio Giudici wrote:

> On Thu, 30 Aug 2012 10:15:41 +0200, Kevin Wright 
> wrote:
>
>  Isn't that a bit like saying: "Well okay, snails may seem slow, but you
>> only think that because you haven't seen the sloth yet!".
>>
>
> No, it isn't. My security is menaced by the slowness of Oracle as well as
> of Apple and others, so things must be put in context. Furthermore, if
> Oracle is the only one to be slow, one might think that it's their specific
> faulty process. If all manufacturers are slow, perhaps it's an inherent
> problem of technology or such.
>
>
> --
> Fabrizio Giudici - Java Architect, Project Manager
> Tidalwave s.a.s. - "We make Java work. Everywhere."
> fabrizio.giud...@tidalwave.it
> http://tidalwave.it - http://fabriziogiudici.it
>




Re: [The Java Posse] Why is Oracle so slow?

2012-08-31 Thread Ryan Schipper
The same team that reported these issues (
http://www.security-explorations.com/ ) has just notified Oracle of another
security issue resulting in full sandbox escaping.

Let the games continue.

On Friday, August 31, 2012, Fabrizio Giudici wrote:

> On Fri, 31 Aug 2012 13:33:02 +0200, Ben Smith-Mannschott <
> bsmith.o...@gmail.com> wrote:
>
>  On Fri, Aug 31, 2012 at 10:37 AM, Fabrizio Giudici
>>  wrote:
>>
>>> On Fri, 31 Aug 2012 10:20:10 +0200, Casper Bang 
>>> wrote:
>>>
>>>> Very good news! I hope automatic updates soon will render the security
>>>> issue moot for the general public.
>>>>
>>>
>>>
>>> So in the end Oracle wasn't so slow this time, right? :-)
>>>
>>>
>> Yea... sure, after doing nothing for four months, they sure hurried in
>> the last four days.
>>
>> :-/
>>
>> // Ben
>>
>
> You're right, I've just read this:
>
> http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/
>
>
>
>
> --
> Fabrizio Giudici - Java Architect, Project Manager
> Tidalwave s.a.s. - "We make Java work. Everywhere."
> fabrizio.giud...@tidalwave.it
> http://tidalwave.it - http://fabriziogiudici.it
>



Re: [The Java Posse] Why is Oracle so slow?

2012-09-04 Thread Ryan Schipper
Java applets are also used in Australia to access the Tax Office and other
departments' online services using digital certificates.

I worked in the responsible team for 5 years. For obvious reasons I can't
discuss in detail. That said, it's hard to refute that implementing a single
Java applet is a lot more cost effective than developing and maintaining
native add-ons (or plugins) for two platforms and six different browsers.

As far as I know, the EcmaScript standard doesn't define an interface for
x.509 / pkcs#11. If it did, there would be significantly fewer applets in
the world. Mind you, people would then ring up and complain when their key
store doesn't persist between browsers (due to a lack of CAPI / Keychain
integration).

=)

On Wednesday, September 5, 2012, Casper Bang wrote:

> Unfortunately the same applies in Denmark, where it's needed even to log
> in. To make things worse, its primary purpose seems to be to be able to
> bootstrap unknown lazily-loaded code and use JNI to launch native stuff.
> *Head down in embarrassment*
>
> On Tuesday, September 4, 2012 10:30:06 AM UTC+2, Jim Cheesman wrote:
>>
>> They're still used for things like browser-based digital signing, at
>> least here in Spain. The official ID card (which everyone over 16 is
>> legally obliged to possess) includes a digital certificate (actually 2) for
>> access to government services online. This is commonly implemented using a
>> Java applet. (OK, the access doesn't require an applet, but signing any
>> official request does.)
>>
>>
>>
>>
>> On Thursday, 30 August 2012 23:39:53 UTC+2, Jon Kiparsky wrote:
>>>
>>> I thought applets had died out years ago...
>>>
>>> On Thu, Aug 30, 2012 at 5:36 PM, phil swenson wrote:
>>>
>>>> That's a great solution.  Kill Applets/JWS.  Maybe they could put those
>>>> resources into something useful.  They lost the UI wars (esp in the
>>>> browser) many years ago.
>>>>
>>>>
>>>> On Thu, Aug 30, 2012 at 12:33 PM, Puybaret wrote:
>>>>
>>>>> The most weird thing is that Oracle didn't communicate on its web site
>>>>> about this issue yet. :-(
>>>>> Do they want to kill Applets and JWS or what?
>>>>>



Re: [The Java Posse] Why is Oracle so slow?

2012-09-04 Thread Ryan Schipper
This isn't the forum for a full blown discussion of the financial, policy
and legal reasons that SSL is not appropriate. Off the top of my head,
consider:

- does SSL support transaction signing or granular encryption?
- The technical and support implications of end user key generation
requirements
- accountability for a single credential which can be installed on more
than one computer
- support for password caching and its effect on non-repudiation

On 05/09/2012 8:01 AM, "Kevin Wright"  wrote:

> EcmaScript might not, but I'm pretty sure that HTTP does.  Is there a
> browser/OS combo out there nowadays that WON'T offer to install a
> certificate in a well-known format?  Even cUrl has certificate support.
>
> Personally, I think that web devs should be legally obliged to download at
> least 10% of their content using cUrl.  We'd lose the most painful redirect
> chains in a week, and halve the burden on mobile broadband networks as a
> result (yes, t.co and bit.ly, I'm looking straight at you!)
>
>
>
> On 4 September 2012 22:16, Ryan Schipper  wrote:
>
>> Java applets are also used in Australia to access the Tax Office and
>> other departments' online services using digital certificates.
>>
>> I worked in the responsible team for 5 years. For obvious reasons I can't
>> discuss in detail. That said, it's hard to refute that implementing a single
>> Java applet is a lot more cost effective than developing and maintaining
>> native add-ons (or plugins) for two platforms and six different browsers.
>>
>> As far as I know, the EcmaScript standard doesn't define an interface for
>> x.509 / pkcs#11. If it did, there would be significantly fewer applets in
>> the world. Mind you, people would then ring up and complain when their key
>> store doesn't persist between browsers (due to a lack of CAPI / Keychain
>> integration).
>>
>> =)
>>
>>
>> On Wednesday, September 5, 2012, Casper Bang wrote:
>>
>>> Unfortunately the same applies in Denmark, where it's needed even to log
>>> in. To make things worse, its primary purpose seems to be to be able to
>>> bootstrap unknown lazily-loaded code and use JNI to launch native stuff.
>>> *Head down in embarrassment*
>>>
>>> On Tuesday, September 4, 2012 10:30:06 AM UTC+2, Jim Cheesman wrote:
>>>>
>>>> They're still used for things like browser-based digital signing, at
>>>> least here in Spain. The official ID card (which everyone over 16 is
>>>> legally obliged to possess) includes a digital certificate (actually 2) for
>>>> access to government services online. This is commonly implemented using a
>>>> Java applet. (OK, the access doesn't require an applet, but signing any
>>>> official request does.)
>>>>
>>>>
>>>>
>>>>
>>>> On Thursday, 30 August 2012 23:39:53 UTC+2, Jon Kiparsky wrote:
>>>>>
>>>>> I thought applets had died out years ago...
>>>>>
>>>>> On Thu, Aug 30, 2012 at 5:36 PM, phil swenson wrote:
>>>>>
>>>>>> That's a great solution.  Kill Applets/JWS.  Maybe they could put
>>>>>> those resources into something useful.  They lost the UI wars (esp in the
>>>>>> browser) many years ago.
>>>>>>
>>>>>>
>>>>>> On Thu, Aug 30, 2012 at 12:33 PM, Puybaret  wrote:
>>>>>>
>>>>>>> The most weird thing is that Oracle didn't communicate on its web
>>>>>>> site about this issue yet. :-(
>>>>>>> Do they want to kill Applets and JWS or what?
>>>>>>>
>>>>>>>



Re: [The Java Posse] So, nobody uses Java on the desktop, right?

2012-10-19 Thread Ryan Schipper
I donated blood yesterday. The nurse was clearly using a Swing application
to record patient data.

On Oct 20, 2012 7:48 AM, "Fabrizio Giudici"
wrote:

> On Fri, 19 Oct 2012 22:30:26 +0200, Robert Casto 
> wrote:
>
>  You turned it into a philosophical discussion which is kind of boring now.
>>
>> I was adding other uses of Java to your original post. Tried to help but I
>> see you're more interested in semantics.
>>
>
> Well, my first post of the thread was pretty dead on "nobody" vs
> "somebody". Yes, it's about semantics.
>
> I'm interested in other uses of Java too, of course. You don't have to
> convince me that there are, and I think that the assertion is easy to
> demonstrate. Ricky added more examples, and I'm working with desktop
> industrial applications for years with big corporates. It's the end-user
> segment that, I think, needs to be clarified.
>
> So, I figure that the US judiciary system has some requirements similar to
> the one of auto-dealers you mentioned, or perhaps there's a technical
> problem with HTML and signed uploads (it looks as it's the same strict
> requirement for Italian business consultants). Architecturally speaking,
> and considering that upgrade problems aren't rare circumstances, I'd
> probably prefer to see a webapp for that kind of software if I was in
> charge of it. So, it might even be *bad* to have Java there, but it's
> there. The presence of Java on the desktop is mostly underestimated, this
> is my point.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>



Re: [The Java Posse] find Dexia office

2012-10-26 Thread Ryan Schipper
oops?

On Oct 26, 2012 6:43 PM, "Jan Goyvaerts"  wrote:

> TERVUURSESTEENWEG 156
> 3060 BERTEM
>



Re: [The Java Posse] Re: Coordinating jobs

2012-10-29 Thread Ryan Schipper
Jgroups - http://www.jgroups.org/ ??

No affiliation. I have used it before for grouping and notifications
(member leaves, member joins, etc). No significant issues.

On 29 October 2012 18:53, Phil Haigh  wrote:

> I recently worked on a Grails app that ran as four nodes; one node
> performed job scheduling and announced itself as the 'master' via a UDP
> broadcast. If I remember correctly it would send a UDP periodically; when
> other nodes stopped receiving, another would assign itself as master, start
> broadcasting and run the jobs instead.
>
> I can't remember if we rolled our own Java plugin, or used something off
> the shelf, I'll see if I can remember but I do know it worked very well.
>
>
> On Sunday, 28 October 2012 15:58:01 UTC, rakesh mailgroups wrote:
>
>> thanks guys for the recommendation to use Quartz Jdbc thingy.
>>
>> Unfortunately, I am not using a relational db!! I'm using MongoDB.
>>
>> Rakesh
>>
>> On 27 October 2012 16:59, Wesley Hartford  wrote:
>>
>>> I've been using quartz for years and love it. The JDBC job store can be
>>> a little tricky to get working, but it gives you just what you're looking
>>> for, and once it is set up, it is rock solid. Reply if you are having
>>> trouble setting it up and I'll post the settings I've used.
>>>
>>> Wesley
>>>
>>>
>>> On Wednesday, October 24, 2012 1:37:14 AM UTC-7, rakesh mailgroups wrote:

>>>> Hi,
>>>>
>>>> I have some batch jobs running and am using Quartz Scheduler. They run
>>>> based on a specific time schedule (eg 55 and 25 minutes each hour over 24
>>>> hours).
>>>>
>>>> Thing is, I have (at a minimum) 2 nodes running the same software for
>>>> disaster recovery reasons. So I need a way to only run a job by one of the
>>>> nodes.
>>>>
>>>> Turns out it's quite tricky to get right and I keep finding bugs which
>>>> are hard to reproduce!
>>>>
>>>> The current implementation requires each node to write to the db first
>>>> to say it's going to run the job, then read back the record to see if
>>>> it succeeded in the write (there's a unique key on the job name) and if so,
>>>> run the job.
>>>>
>>>> However, there seem to be issues with overlapping jobs (I think, hard
>>>> to diagnose after the fact and they are intermittent).
>>>>
>>>> I was wondering if there was an easier solution out there I could
>>>> easily use?
>>>>
>>>> Thanks
>>>>
>>>> Rakesh




Re: [The Java Posse] Public agencies and open source

2012-11-21 Thread Ryan Schipper
The Australian Taxation Office performs this sort of profiling also - no
application has been made available.

On 22 November 2012 05:28, Fabrizio Giudici
wrote:

> On Wed, 21 Nov 2012 11:41:20 +0100, Ricky Clarkson <
> ricky.clark...@gmail.com> wrote:
>
>  I can tell you that Argentina does that kind of profiling but without any
>> such app available to my knowledge.  They 'get you' at random times or
>> times of large transactions such as buying a house.
>>
>> Argentina's style would be to provide a webapp where you enter your
>> national ID (no password) and they tell you your status.
>>
>
> Yes, we have that too. In this case a web app, other than needed, it's not
> a privacy problem as it would handle data that you know and agree to be
> shared.
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>



Re: [The Java Posse] Re: New Opera Browser - Very Strange

2012-11-23 Thread Ryan Schipper
it's an apple dialog.

they present a similar one for lunascape on ios.

I imagine it is because the web browser allows you to visit unsavoury sites
such as protonazi.sausage.com, arstechnica.com and themirror.co.uk

On 23/11/2012 6:30 AM, "Vince O'Sullivan"  wrote:

> Yes, I downloading it from the Apple store.
>
> On Thursday, 22 November 2012 11:53:04 UTC, fabrizio.giudici wrote:
>>
>> On Thu, 22 Nov 2012 12:42:40 +0100, Phil Maskell 
>> wrote:
>>
>> > The chrome browser on the iPhone has the same pop-up, might be Apple
>> > rather
>> > than the browser like you said.
>>
>> Just to understand, Vince, are you upgrading Opera from the App Store,
>> right?
>>
>> --
>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>> "We make Java work. Everywhere."
>> http://tidalwave.it/fabrizio/blog -
>> fabrizio...@tidalwave.it
>>



Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Ryan Schipper
Password Maker supports both of those scenarios. Check out their FAQ.

That said, I would advise against using Password Maker.

I've just had a quick browse of the source and the software uses your
master password as direct key material for their HMAC algorithms. This is a
direct violation of HMAC's security assumptions (specifically, that the key
derivation function is a pseudo-random function). These sorts of errors
make me nervous regarding the general security posture of the application.

If you're still thinking about PasswordMaker (or already using it), the
default settings are quite weak (
http://passwordmaker.sourceforge.net/help/account-settings.xhtml).

I would advise altering these settings to the following:
  - use the SHA256 algorithm
  - increase the default generated password length to at least 12, if not 16
  - update the default character set to include symbols

This will decrease the chance that a vulnerable service (eg facebook) is
retaining a stored hash which can be trivially brute forced using
oclhashcat and 8 GPUs.

-- Ryan Schipper

On 19 December 2012 10:22, Fabrizio Giudici
wrote:

> On Tue, 18 Dec 2012 23:30:30 +0100, clay  wrote:
>
>  Every recommendation is a system based on some secure server storing
>> passwords.
>>
>> How about hash systems? I use http://passwordmaker.org/
>>
>> You only need to remember one password, the hash system generates new
>> passwords for every new site, and there is no server-storage involved.
>> Nothing to hack, protect, or lose access to.
>>
>
> I didn't know passwordmaker and I'll have a deeper look at it in the next
> days. In the past I've thought of a similar approach, but with some doubts:
>
> 1. In case one password is compromised (e.g. by eavesdropping) you have to
> change the password and give up with this approach, at least for the
> compromised site.
> 2. Sometimes the URL might change. For instance, one of my banks
> introduced a redesigned website. The original URL was www.bank.it, for
> some time it redirected to new.bank.it (transitory period in which the
> original website was still available). This would have caused at least some
> annoyance (forced to change the password) at least temporarily.
>
> Still, it is of some interest.
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>
>
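The settings advice in the message above, as an added sketch that is not part of the original post and is not PasswordMaker's code: a deterministic per-site generator that keys HMAC directly with the master password, next to a variant that first stretches it with PBKDF2 and emits 16 characters including symbols. The function names, salt, character sets and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import string

# Character sets are assumptions for this sketch, not PasswordMaker's own.
ALNUM = string.ascii_letters + string.digits             # 62 characters
WITH_SYMBOLS = ALNUM + "!@#$%^&*()-_=+[]{};:,.?"          # 85 characters


def _encode(key: bytes, site: str, length: int, charset: str) -> str:
    """Expand HMAC-SHA256(key, site || counter) into `length` characters.

    Bytes at or above the largest multiple of len(charset) are rejected, so
    every character of the set is equally likely (no modulo bias).
    """
    limit = 256 - (256 % len(charset))
    chars = []
    counter = 0
    while len(chars) < length:
        msg = site.encode("utf-8") + counter.to_bytes(4, "big")
        for byte in hmac.new(key, msg, hashlib.sha256).digest():
            if byte < limit and len(chars) < length:
                chars.append(charset[byte % len(charset)])
        counter += 1
    return "".join(chars)


def site_password_direct(master: str, site: str, length: int = 8,
                         charset: str = ALNUM) -> str:
    """Master password used directly as the HMAC key, with short
    alphanumeric output (assumed weak settings). Testing one candidate
    master password costs a single HMAC."""
    return _encode(master.encode("utf-8"), site, length, charset)


def site_password_stretched(master: str, site: str, salt: bytes,
                            length: int = 16, charset: str = WITH_SYMBOLS,
                            iterations: int = 200_000) -> str:
    """Stretch the master password with PBKDF2-HMAC-SHA256 first, then key
    HMAC with the derived 32-byte value. Each guess at the master password
    now costs `iterations` HMAC computations."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    return _encode(key, site, length, charset)


def search_space_bits(length: int, charset: str) -> float:
    """log2 of the number of possible generated passwords, i.e. what an
    offline search of a leaked site hash has to cover."""
    return length * math.log2(len(charset))


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"   # constructed sample value
    for site in ("example.com", "example.org"):
        print(site,
              site_password_direct("correct horse", site),
              site_password_stretched("correct horse", site, salt))
    print(round(search_space_bits(8, ALNUM), 1), "bits vs",
          round(search_space_bits(16, WITH_SYMBOLS), 1), "bits")
```
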




Re: [The Java Posse] Is retaining failed credentials legal?

2013-01-14 Thread Ryan Schipper
As to the legality, I think the correct question is: is it legal to store
the password (as entered or some derived form, such as a hash)?

Auditing failed login attempts (the username, a timestamp, etc) is an
extremely common practice - in fact, Australian information security
standards require it and common professional security certifications (CISSP
etc) recommend it. I'd be very surprised if it is illegal to track this sort
of information within the EU. These logs are invaluable in conducting
internal fraud or security investigations.

That said, why does the password (in particular) need to be tracked? I can
think of a very good reason not to track it: mistyped passwords. Consider
how many times you mistype your password. If a computer system were to
track my mistyped passwords, the database containing those would become a
treasure trove for internal fraudsters.

I can't think of a sane security professional that would recommend tracking
passwords in this manner - usernames and timestamps, absolutely, but not
passwords.

PS. As usual, if you or your client are legitimately concerned, you should
be consulting a practicing lawyer, not a list of Java doods. =)

-- Ryan

On 15 January 2013 08:30, Fabrizio Giudici wrote:

> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright 
> wrote:
>
>  That depends on what you mean by "retain".
>>
>
> I suppose he means the credentials are logged, or stored somewhere not
> just in order to re-render a page.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>
>



Re: [The Java Posse] Is retaining failed credentials legal?

2013-01-16 Thread Ryan Schipper
Definitely the more purist approach. Less value for investigations.

In reality, most organisations choose to take the chance on this in order
to assist investigations when necessary.

Smart software could also check whether the username is valid prior to
including it in the log. Though this could open the possibility of timing
attacks. The whirling dervish of security strikes again.

On 15/01/2013 10:13 AM, "Josh Berry"  wrote:

> I thought it was actually best practice to not even record the username.
> Since a very conceivable mistake is to forget to tab over to the password
> field and then submit the form after typing username and password into the
> same field.  Perhaps only storing a hash might be safe.
>
> Regardless, does seem in the questionable category of even being useful,
> and instead just opening you up to further attacks.  I view it (in what I
> do not think of as a controversial view) as the username/password of users
> is actually valuable information.  As much so as credit card numbers.
> Treat it as such.
>
> (None of this is to say Ryan's answer is incorrect in any shape form or
> fashion.)
>
>
> On Mon, Jan 14, 2013 at 5:16 PM, Ryan Schipper wrote:
>
>> As to the legality, I think the correct question is: is it legal to store
>> the password (as entered or some derived form, such as a hash)?
>>
>> Auditing failed login attempts (the username, a timestamp, etc) is an
>> extremely common practice - in fact, Australian information security
>> standards require it and common professional security certifications (CISSP
>> etc) recommend it. I'd be very surprised if it is illegal to track this sort
>> of information within the EU. These logs are invaluable in conducting
>> internal fraud or security investigations.
>>
>> That said, why does the password (in particular) need to be tracked? I
>> can think of a very good reason not to track it: mistyped passwords.
>> Consider how many times you mistype your password. If a computer system
>> were to track my mistyped passwords, the database containing those would
>> become a treasure trove for internal fraudsters.
>>
>> I can't think of a sane security professional that would recommend
>> tracking passwords in this manner - usernames and timestamps, absolutely,
>> but not passwords.
>>
>> PS. As usual, if you or your client are legitimately concerned, you
>> should be consulting a practicing lawyer, not a list of Java doods. =)
>>
>> -- Ryan
>>
>> On 15 January 2013 08:30, Fabrizio Giudici wrote:
>>
>>> On Mon, 14 Jan 2013 22:24:35 +0100, Kevin Wright <
>>> kev.lee.wri...@gmail.com> wrote:
>>>
>>>  That depends on what you mean by "retain".
>>>>
>>>
>>> I suppose he means the credentials are logged, or stored somewhere not
>>> just in order to re-render a page.
>>>
>>> --
>>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>>> "We make Java work. Everywhere."
>>> http://tidalwave.it/fabrizio/blog -
>>> fabrizio.giud...@tidalwave.it
>>>
>>>
>
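
The logging rule from the quoted reply above (usernames and timestamps, but not passwords), as an added Java example that is not part of the thread. The field names, the log format and the sample attempt are assumptions made for illustration.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class LoginAuditLog {
    // Assumed names of credential-bearing form fields; extend for the application.
    private static final Set<String> SECRET_FIELDS =
            Set.of("password", "passwd", "pwd", "new_password", "pin", "otp");

    /** Strip control characters and quotes so a crafted username cannot forge log lines. */
    static String sanitize(String value) {
        return value.replaceAll("[\\p{Cntrl}\"]", "_");
    }

    /** Copy of the request parameters that is safe to log. Secret values are
     *  replaced by a fixed marker, so neither the value nor its length is kept. */
    static Map<String, String> loggable(Map<String, String> params) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            boolean secret = SECRET_FIELDS.contains(e.getKey().toLowerCase(Locale.ROOT));
            safe.put(e.getKey(), secret ? "[not logged]" : sanitize(e.getValue()));
        }
        return safe;
    }

    /** One audit line per attempt: when, outcome, source, username. Never the password. */
    static String auditLine(Instant when, String sourceIp, boolean success,
                            Map<String, String> params) {
        String fields = loggable(params).entrySet().stream()
                .map(e -> e.getKey() + "=\"" + e.getValue() + "\"")
                .collect(Collectors.joining(" "));
        return when + " login " + (success ? "SUCCESS" : "FAILURE")
                + " src=" + sourceIp + " " + fields;
    }

    public static void main(String[] args) {
        // Constructed sample: a failed attempt carrying a mistyped password.
        Map<String, String> attempt = new LinkedHashMap<>();
        attempt.put("username", "alice");
        attempt.put("password", "Tr0ub4dor&3x");
        System.out.println(auditLine(Instant.parse("2013-01-15T08:30:00Z"),
                "192.0.2.10", false, attempt));
    }
}
```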




Re: [The Java Posse] Digest for javaposse@googlegroups.com - 25 Messages in 1 Topic

2013-01-24 Thread Ryan Schipper
Really?

I think you just failed your responsible service of crazy certification.

On 24/01/2013 7:45 AM, "Mark Haniford" wrote:
>
>
> Simon is German so his people are used to insulting and doing much worse
> things to people.




Re: [The Java Posse] Digest for java...@googlegroups.com - 25 Messages in 1 Topic

2013-02-03 Thread Ryan Schipper
Nothing like starting the day with some fire up your arse :)
On 04/02/2013 5:47 PM, "Fabrizio Giudici" wrote:

> On Mon, 04 Feb 2013 01:47:34 +0100, Simon Ochsenreither <
> simon.ochsenreit...@gmail.com> wrote:
>
>
>>
>>> Mark Haniford  9:52 PM (3 hours ago)
>>>
>>> No wonder everybody hates your nazi german ass, you piece of shit.
>>>
>>>
>>
>> Hi Mark,
>>
>> I think you forgot to CC the mailing list. Let's allow everyone to
>> participate!
>>
>
> Ahhh... great way to start the new day.
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>




Re: [The Java Posse] Useless topic: Hudson/Jenkins blue balls

2013-03-29 Thread Ryan Schipper
In Australia, the middle light *is* orange (sometimes called amber)
On 30/03/2013 6:01 AM, "Fabrizio Giudici" wrote:

> On Fri, 29 Mar 2013 16:36:37 +0100, Ricky Clarkson <
> ricky.clark...@gmail.com> wrote:
>
>  And the English call it amber, even though traffic lights presumably
>> On Fri, Mar 29, 2013 at 7:02 AM, Cédric Beust ♔  wrote:
>>
>>  On a related note, French call the middle light orange, and not yellow.
>>>
>>
> It's fun... After Cédric said the orange thing, I was going to answer that
> even in "old" italian (decades ago) the middle light was "orange". I
> googled for searching for a reference, and discovered that somebody is
> still using "orange" today - to give numbers, 70k results for the italian
> equivalent of "semaphore orange" versus 197k results for "semaphore
> yellow". Even though I've never heard of it in spoken language.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>




Re: [The Java Posse] Re: The spammer is gone

2013-08-05 Thread Ryan Schipper
Now we know the truth! Dick becomes a spammer when on holidays.
He'll claim it isn't him of course, but with all this evidence...

- Concerned Citizen

On 5 August 2013 05:21, Dick Wall  wrote:

> Thanks Tor - these things always happen while I am on vacation it seems -
> I didn't have internet, nor (if I am honest) the inclination to administer
> the spammer while on my hols :-).
>
> Dick
>
>
> On Thursday, August 1, 2013 2:01:28 PM UTC-7, Cédric Beust ♔ wrote:
>>
>> Courtesy of Tor.
>>
>> --
>> Cédric
>>




Re: [The Java Posse] JRE rejecting website certificate

2014-03-19 Thread Ryan Schipper
Hi Rob

Can you send the console trace and website address and/or public
certificate through?

It could just be that the Java trust store is out of date or doesn't contain
the trust point. But without the logs it's hard to be sure.

- Ryan
On 19/03/2014 3:54 PM, "RobZ"  wrote:

> Hello,
>
> I searched the internet but didn't see anyone else having this problem, so
> I thought I'd ask here.
>
> When our applet loads in our website, which uses HTTPS, the JRE rejects
> the website's certificate, even though Internet Explorer itself is happy
> with the certificate. The certificate is signed by Thawte. The JRE says it
> doesn't recognize the certificate authority, even though the Java console
> trace output shows the applet checking the certificate authorities in IE.
> We get the error with JRE 8 and several versions of JRE 7, on different
> Windows operating systems and versions of IE.
>
> Any thoughts on where I could look further for a solution?
>
> Please note I'm not discussing the certificate used to sign the applet.
> The JRE is happy with that certificate.
>
> Thanks,
> Rob
>
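
One way to check the trust-store theory from the reply above, as an added Java example that is not part of the thread: it lists the trust anchors in the JRE's default JSSE trust store whose subject matches a CA name ("thawte" by default, taken from the question) and reports whether each is still valid. It assumes the default JSSE store is the one in play; the Java Plug-in can consult additional stores, which this does not inspect.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    /** Trust anchors accepted by the JRE's default TrustManager (normally lib/security/cacerts). */
    static List<X509Certificate> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE default trust store
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(c);
            }
        }
        return anchors;
    }

    /** "valid", "expired" or "not yet valid" at the current time. */
    static String validity(X509Certificate c) {
        try { c.checkValidity(); return "valid"; }
        catch (CertificateExpiredException e) { return "expired"; }
        catch (CertificateNotYetValidException e) { return "not yet valid"; }
    }

    public static void main(String[] args) throws Exception {
        // The search term is an assumption; pass the CA name from the site's issuer field.
        String needle = (args.length > 0 ? args[0] : "thawte").toLowerCase(Locale.ROOT);
        System.out.println("java.version=" + System.getProperty("java.version")
                + " java.home=" + System.getProperty("java.home"));
        int hits = 0;
        for (X509Certificate c : defaultAnchors()) {
            String subject = c.getSubjectX500Principal().getName();
            if (subject.toLowerCase(Locale.ROOT).contains(needle)) {
                hits++;
                System.out.println(validity(c) + " until " + c.getNotAfter() + "  " + subject);
            }
        }
        if (hits == 0) System.out.println("No trust anchor matching '" + needle + "' in this JRE.");
    }
}
```

Running it under each affected JRE and comparing the output with the issuer of the site's certificate shows whether the trust point is missing or expired in that particular runtime.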
