OWASP Code Review

OWASP Code Review has been released. Here is the announcements:

The Open Web Application Security Project (OWASP) today announced the official release of the free OWASP Security Code Review Guide v1.1. The Code Review Guide provides details on how to review code for all sorts of application vulnerabilities. Together with the OWASP Security Developer Guide and OWASP Security Testing Guide, OWASP has created a powerful suite of books that covers most of what people need to know about application security. The 216 page book can be downloaded from the OWASP website or a bound copy can be ordered for the cost of printing.

The Code Review Project is led by long time OWASP participant Eoin Keary from Dublin, Ireland. Like all OWASP projects, the work is performed by Eoin’s team in a free and open manner, and coordinated via the OWASP wiki and project mailing list. Everyone is welcome to download the guide and benefit from OWASP’s research. You can also join the project and contribute to making the guide even better.

“Despite the many claims that code review is too expensive or time consuming, there is no question that it is the fastest and most accurate way to find and diagnose many security problems. There are also dozens of serious security problems that simply can't be found any other way.” said OWASP Chair Jeff Williams. “Still, code review is no panacea. Static tools, dynamic tools, and manual testing all have an important role to play in verifying the security of an application.”

There is overwhelming evidence that the vast majority of web applications contain security holes that are increasingly putting people and organizations at serious risk. Our Code Review Guide is one part of OWASP’s strategy to make application security visible and enable the market to support the development of secure application software.

Happy Code Reviewing....

Big Surprise in April Mop

As usual, April Mop is full of tricks, even by big companies such as Google. It's H-2, so i believe most people will have prepared their surprises for this year. Will it be as boom as previous years? We will find out in the next 2x24 hours

Manage Your MODs

If you maintain several forum boards using phpBB, then you will all know the pain you get when new version comes out. You will have to upgrade the engines and also re-check the MODs that you have installed to make sure it works with the new changes. In phpBB 3, things are getting better, as the automatic updates has a diff feature which can be used to compare and merge those differences, but in some case, manual look must be done.

If the MODs has a new version or you would like to remove the MODs, then here comes another nightmare. You will have to manually edit the files changed and delete the unnecessary files. Is there any tool to help you create installation package for MODs?

The answer is there is. It's called UMIL (Unified MOD Install Library). Here's the snippet from the main website:

This utility enables MOD Authors to create simple installation scripts for their MOD that allow the user to install, update, or uninstall a modification quickly. Released under the GNU GPL license, UMIL is included within MOD Packages to make MOD Installations simple and automatic.

What are the features of UMIL?

1. Add, update, or remove configs
2. Add or remove modules
3. Add or remove permissions
4. Set or unset permission options from roles and groups
5. Add or remove database tables
6. Add, update, or remove table columns
7. Add or remove table keys/indexes
8. Purge / Refresh Caches

It's not yet released as a final version (still 1.0.0 RC2 per 29 March), but this tool will soon help administrators to manage their MODs

Lynis: Audit Your System

Ever since you installed your operating system, have your audit your system? Auditing is very important, as you don't know what happened with your system, mostly if more than one users are allowed to logged in and the computer is connected to the Internet all the time.

There could be files which are no longer needed, but still resides in many places, insecure configuration leading to security holes, incorrect file permission leading to compromised system, and many other things which could endanger your system from attackers.

If you are using Linux/Unix operating system, then you are quite lucky, as you can use Lynis. This application is an auditing tool for Unix which can help you audit your machines and then generate a report to be analyzed later. Basically it's a collection of shell scripts which tests your system against several test (like unit tests) and then report it to you. This application can work on many operating system as the website said and i have proven it to be working in Slackware without any modification at all. All i need to do is extract the archive and run it as root (or use sudo). It's very small application, as it's only around 96 KB. Get it HERE.

One more thing: It's running on console/terminal, so don't think about fancy graphical reports

PHP 5.3.0 RC 1

PHP team has just released their first release candidate which will eventually became PHP 5.3.0. This version will soon obsolete 5.2 series which has been used for years and it's proven to be stable.

What's new in PHP 5.3.0 ? A LOT
If you look at this NEWS, you will see lots of changes included in this release (roughly 3796 lines).

Here are some of the highlights taken from PHP's website:

• Support for namespaces
• Under the hood performance improvements
• Late static binding
• Lambda functions and closures
• Syntax additions: NOWDOC, limited GOTO, ternary short cut "?:" and __callStatic()
• Optional garbage collection for cyclic references
• Optional mysqlnd PHP native replacement for libmysql
• Improved windows support including VC6 and VC9 binaries
• More consistent float rounding
• Deprecation notices are now handle via E_DEPRECATED (part of E_ALL) instead of the E_STRICT error level
• Several enhancements to enable more flexiblity in php.ini (and ini parsing in general)
• New bundled extensions: ext/phar, ext/intl, ext/fileinfo, ext/sqlite3, ext/enchant
• Countless bug fixes and improvements to existing extensions in particular to: ext/openssl, ext/spl and ext/date

This release also drops several extensions and unifies usage of internal APIs. Users should be aware of the following known backwards compatibility breaks:

• Parameter parsing API unification will cause some functions to behave more or less strict when it comes to type juggling
• Removed the following extensions: ext/mhash (see ext/hash), ext/msql, ext/pspell (see ext/enchant), ext/sybase (see ext/sybase_ct)
• Moved the following extensions to PECL: ext/ming, ext/fbsql, ext/ncurses, ext/fdf
• Removed zend.ze1_compatibility_mode
• See the upgrading guide for other minor changes

Another Redesign

After FB launched their new design, many people complaints about how the new look. So today, i logged in to FB and then i see some changes again. The new notifications which was locate on top of our status are now back to the right side. The people you may know feature is also on the top right side, but with less number (it was previously 3 and now it has been decreased into 1 even though there's a link in which we can see all the people suggested by FB).

One of my colleague has posted a note about the heavy load on Facebook lately and i agreed. The page stalled for a few seconds after loading all the page. Let's just hope it will be fixed ASAP.

I Need Some Break

For the last few days, i have been so busy working and working and i think i'm at the limit right now. I haven't got enough sleep for days and the result is i'm getting easily tired or sleepy.

Tomorrow is a good day to take a rest and do less work and i'm hoping to get a new mood on Friday and then we shall have a nice weekend
So forgive me if i don't reply your message (YM, FB, email) or answer your call tomorrow.

Linux Kernel 2.6.29 Released

The long awaited Linux Kernel 2.6.29 has been released by Linus today. As always, new kernel brings new features and also bug fixes along roughly ten millions of codes. Here's some summary of what this version gives to you (Taken from KernelNewbies):

Linux 2.6.29 adds kernel based graphic mode setting, WiMAX support, Access Point support in the wifi stack, the inclusion of the btrfs and squashfs filesystems, ecryptfs filename encryption, ext4 no journaling mode, ocfs2 metadata checksums, a more scalable RCU implementation, filesystem freeze support, swap management in the memory controller, many new drivers and many other improvements.

OOo Translation Project Updated

I haven't post anything about OOo translation project which i maintain since few year ago. In the past, we used CVS server hosted at Sourceforge to help us coordinate the work of translating OpenOffice.org 2.x source which consists approximately 12000 words and it's increasing into nearly 17000 on OpenOffice.org 3.x.

The translation works well, even though we had several time a vacuum condition due to lost of interest (probably) and busy doing our daily task (besides it's a voluntary project). We managed to get around 80% of the translations before OOo 3.0 was released.

Sun Microsystem has generously facilitates the work for OOo 3.x translations and onwards by hosting a Pootle site which can be used to translate OOo 3.x online via web browser. The big advantage of using Pootle is that we can do this anytime and anywhere, as long as we have Internet connection and browser (which i assume it's always available on every computer). It reduces the maintainer's work to syncronize with the upstream source as OOo translations are very quick to change. By using Pootle, we don't have to worry about such merging with newer version as it was done by the administrator.

So finally i joined Pootle and Aijin Kim helped me with the administration for Indonesian section. I pushed the translation that were done on OOo 2.x into Pootle so that we didn't have to start over from 0. In short, we can start working on OOo 3.x translations very fast.

In Pootle, there are two sub project for OOo, which are OOo UI and OOo Help. The UI deals with the main menus, options, dialog, and so on, while the Help deals with the Help section. Today, i have just committed the last update for OOo UI project and we finally managed to get it done 100%.

I'm not saying that the work is over, because there were a lot of inconsistency during our translation, because lots of people are working on this project. So our next step is to review all of our translations and use similar terms in all translations so people will not be confused.

By the way, i have updated the Indonesian OOo Translation Project Wiki entry with Pootle and removed the SF entry to reflect the latest changes. You can help us by joining Pootle and contribute for OOo Help or review our work on OOo UI.

Evaluation

As usual, in most universities, we most likely to have mid test and final test. Since last week, students in UKDW were having their mid test until next week. I have four classes who had a mid test and so far there has been one class who have finished their mid test and it's time to have an evaluation on those.

While it's only a simple test, but there are about 170 results which i have to mark, so it will take some time to finish. I still have few days before my next test will be held on Tuesday. I think i can finish one class for today and leave the rest for tomorrow.

Great Job Guys

In the last few days, i have been busy preparing for the seminar and today it finally paid off. All the hard work that we have done has been finished as the show has been held this morning and around 200 people came into this event. I myself was giving the last session and the presentation materials can be downloaded at my lecturer page. I would like to say my big thanks to the students who have helped during this preparation and Great Job Guys

Tomorrow we will have another show, which is called Sunday Sonten, hosted by Jogja IT and the place is set in UKDW. It will be started at around 7 PM and probably the main topic is about IPhone hacking by students outside UKDW.

Live Feed on Mobile Facebook

I tried to logged on onto Facebook when i was away from my computer by using my cellphone, so i accessed it via Mobile Facebook. What surprise me is that it refreshed automatically, so i can get live feed of my friend's status.

Does it happened on my cellphone or do you also experienced this?

Please Welcome Tuz

In Linux kernel 2.6.29, you will see that tux, the famous penguin mascot for Linux kernel will be temporarily replaced by Tuz, a new mascot after Linus pulled the request from Rusty Russell during the development of Linux kernel 2.6.29. Why would Linus changed the logo anyway?

The background of this idea is about Tasmanian Devil, which is a species in danger of becoming extinct. The Tasmanian Devil is native to Australia and during this year's Linux.Conf.Au conference it was decided that Tuz will stand in for Tux for one kernel release in order to raise awareness for this creature. Some people were raising money to help the preservation for the tasmanian devil.

Don't worry, Tux will be back in the next Linux Kernel Release, 2.6.30, which is approximately 3 months after 2.6.29 is released.

Ladies and Gentlemen, Please welcome, ...... Tuz

More Option

Telkomsel has given an opportunity for people who wanted to buy IPhone 3G to pay with their credit card or debit card after announcing that they are working with BCA, Mandiri, and Citibank. IMHO, this will only make you spend more money than you should, because they charge 0-0,99% per month (depends on which option you pick) if you pay using credit card or debit card.

It seems that i'm done with IPhone 3G for now. I'm aiming for E71 for now

Brisingr

I just came back from Galeria Mall and i just bought a new novel called Brisingr. It's the third novel by Christopher Paolini after Eragon and Eldest. I have bought those two novels before and now i'm buying the third one. I saw the last page and it says that it will have the fourth novel.

Let's just hope i have enough time to read before the fourth one comes out . I even haven't finished reading second novel of Twilight, Two Moon and the third one, Eclipse. The fourth novel, Breaking Dawn has come out, but i haven't bought it yet.

Online Dating Service

There are so many ways to find your boy/girlfriend. People posted in a newspaper, join TV shows, ask for "smart" people by asking via SMS and so on. Some people are so eager to find it, so they are willing to pay as long as they got a match on what they expected too.

That's why there are some online service who listened to this "call" and responded by making this online dating service in which people can join and date online. I don't know here in Indonesia, but it is a popular service in other countries outside Asia, mostly in Europe and US.

Because there are lots of player on this area, people may get confused which service should they use, so here comes Free Dating Sites which helps them to have a look on those kind of services. It gives you a comparative details about most services available, including the monthly price and also countries where it applies.

You can see lots of criteria which can be used to limit your search, so you will (hopefully) limit your search and then focusing on small people rather than having billions of people matching your criteria.

Credit Card

Credit card is now a common thing in Indonesia, as it is in other countries as well. When people traveled to other places, they don't have to carry too much money on their pocket as with a single credit card, they can be used to pay lots of items they bought (as long as the limit still available).

For some people outside Indonesia, they usually have a good reference on how to select the best credit card bank issuers. It's an online credit card consultant, where you can get lots of information about credit cards available. Unfortunately, most of it's service doesn't apply (yet) in Indonesia, for example paying for gas. We usually use cash instead of credit cards

Getting Used to New Design

OK, after one day using new design of FB, i'm getting more used to the new design. New design usually does take some time to be as comfortable as the old one, but it's pretty easy if you have used FB before.

There are some drawbacks that i have noticed on the new design. The first one is we can't see our current status. The second one is about the birthday section. I think the old design has better information about birthday status then the new one.

They have added Plurk, Twitter, and Ping.FM as the default feature, which is great, but unfortunately, i didn't have all those account and for now, i'm not too interested.

Any other comments for the new design of Facebook?

FB Redesigned

Few weeks ago, Facebook team has given a small notice on the home page that they are redesigning their page and today, i got an error when i tried to access my accounts.

Few minutes later, i refresh the page and i got a different layout of the Facebook. It seems that the error that i encountered is part of FB redesign process. They were uploading new files, so probably it causes some glitches to some users (including me).

According to the news, the headlines will be real time, meaning that it might reload the data every few seconds/minute to gather all the updates from your friends. I haven't confirmed this feature yet, but it gives you better view of your friend's status. Also the event or notes or anything besides status updates and comments are being put on the right side of the page.

The People You May Know feature doesn't get too much changes, only some minor tweak, which is very good, because it's already working as it is.

I feel it a little bit awkward to see the new layout, but it's just a matter of time before i'm used to it.

So, what do you think about the new design?

Usability Workshop

Today i attended an usability workshop, presented by Lukas Karrer, founder of Stimmt, a consultant company in Switzerland who focused on usability. He came to Indonesia along with two other people which are now our guest for about a week. They have been involved in some class, especially in software engineering classes and also conducted several workshop and today's workshop is one of them.

Tomorrow, Thomas will give a Java 3D workshop. It will be a two session workshop and it will be started at around 9 AM until 4 PM. Unfortunately, i can't attend this workshop as i have another thing to do.

By the way, UKDW will host a security awareness seminar next week on March 21. I will be one of the speaker and the topic for the seminar are "Hackers are here. Where are you?". We are partnering with EC-Council for this event. Check the event on Facebook.

New Studio

Tomorrow will be a grand opening of a new movie theater in Jogja. We already have one Cineplex in Ambarrukmo Plaza and we will get another one in a place where the previous 21 theater was on fire a couple years ago (when i was in high school).

From some leak that i got from my student, it will have 5 XXI studios and 1 Megaplex studio. It's still unclear whether it will only display foreign movies or it will have a mixed movies. The rumor said that the theater in Amplaz will only have Indonesian movies, while the new one will only contains non-Indonesian movies.

Let's find out tomorrow

Image Positioning

It's been a while since Blogger team released new features which comes from Blogger Draft, a special service for people who wanted to test new features in future Blogger. So far, i haven't had a major complaints about Blogger, except for image positioning. When i add new image, the text will be placed next to the image. This is not a problem when you only have one image, but when you have multiple images, this will be a nightmare. Try it and you will know what i mean.

Let's hope Blogger team have a solution for this.

PHP 5.2.9 Works on Windows (Again)

In the past, i have been upgrading my PHP version on both of my Windows and Linux system. In Linux, i didn't encounter any problem, but in the other hand, Windows version stopped working since 5.2.7 on my system. This forced me to use the old 5.2.6 which was still working until 5.2.9 came yesterday. I tried to upgrade to 5.2.9 and the installer is now working again.

Thanks to the PHP team who have done better work on Windows installer this time. Let's hope they won't break it again in the next release

PHP 5.2.9 Released

PHP 5.2.9 has been released with several security fixes along with usual bug fixes. The changelog for detailed changes has been published. As usual, the PECL is not distributed with this release on Windows, but PECL that comes from PHP 5.2.6 is still working with this version. I just hope they didn't break the Windows installation script again (i tested 5.2.8 and it's not working after i enabled some of the extension).

Photo Storage Problem

Facebook is very popular with it's collaboration features. Members can upload photos and/or videos, comment on other's status, and many more. This morning, i read about Facebook's announcement in form of a note about photo storage problem:

You may have noticed in the past day that some photos aren't appearing or are displaying a "question mark" graphic when you go to view them. We have experienced some problems with our photo storage that affected between 10 to 15 percent of already uploaded photos.

So far, my photos aren't affected by this storage problem. My photos are not that much, compared to my students who usually have more than 500 photos (i know someone who has uploaded more than 1000 photos on FB).

Let's face it: every one has limitations, including Google and Facebook, two of the biggest player on virtual world right now

Updated Emoticons For Blogger

In the past, i collected a javascript code to put YM's emoticons on Blogger. I modified the script to suit my need and now, i'm updating it with the new emoticons since YM 9 was released (including the new hidden emoticons).

To use the script, you must have Greasemonkey installed on your Firefox or Semonkey and then make a new script based on this. Activate Greasemonkey and go to Blogger. Go to writing tab and choose the Compose tab and voila..... there's your YM emoticons

The problem with this script is that it doesn't use the real size. Every emoticons gets a similar size, so you will have to edit the image size manually. If you can hack the script and and add the size based on the real size, i would be happy to modify it

Update (9 March 2009: 1:03 AM): I have updated the script so that it will count the correct width based on the real size on Yahoo's server. Go get the script on this page. It will be expired in 30 days

Linux Version of PSI

Secunia, one of the most well-known website related to security has some tools which helps their users to identify vulnerable application on their system by using online scanner (Java-based) or an offline application (called Secunia Personal Software Inspector). I used this application periodically when i logged into my Windows system, because i rarely logged in to Windows. This is when i mostly do monthly updates for my system and also my application.

Unfortunately, they do not have Linux version up to now. I am hoping that they will start considering Linux users as well. This might help Linux users to minimize the risk as soon as possible when new threats are available.

Quintuple

Every MU fans are so happy to see MU's performance this season. So far, they have won two cups, European World Club and Carling Cup. They are aiming for five trophies, which is called quintuple. It's very hard to accomplished, as they will have to compete in three different league. But, when it's all accomplished, they will make a new record. MU's best record so far is still Treble, which have been done twice.

The biggest chance to win another trophy is in the Premier League. They have quite a big gap with other teams and still they have one match to play. The next one is FA cup, but there are still big teams competing on this league. The hardest one is Champion league, where there will be the best teams from different league around Europe. In the last match, MU got a draw with Inter Milan.

Let's hope for Quintuple, but don't hope too much. Be realistic

KDE 4.2.1

The first monthly update to KDE 4.2.x series has been released, dubbed "Cream" (aka KDE 4.2.1). It gives translations updates along with bug fixes in most component of KDE. For a summary of what has been changed or fixed in this release, please have a look on the Changelog. For detailed changes, please refer to the SVN commit, even though it's a little bit daunting to see every SVN commit logs

First English Class

Today i taught my first class in IDDIT program. This is an international class, so i must speak in English. In the past, i never taught in class using English, even though i did often give presentations in English while i was working in Jakarta (we made a weekly tradition where one of use would share something and give small presentation in front of other colleagues. It's almost like Google TechTalk, but in smaller scale).

The class i taught was Business Intelligence. It was a nice topic and i'm enjoying it. Looking forward for the next class

Anti Aliasing Feature on OOo 3.1

Armin Le Grand has posted a report of one feature that will be available on OOo 3.1, which is anti aliasing. This is one of the most voted features by many people who have signed up in the OOo website and voted in their issue tracker. It took merely five years to complete this feature, but finally it's there on the code. This feature will make your drawing looks better compared to previous OOo version.
Another feature that are already in place are:

• Easier dragging with graphics
• Improved file locking for use on networks
• Zoom slide in Calc (previously only in Writer)
• Easier to rename sheet in Calc by double-clicking
• SQL Syntax highlighting in Base
• Translucent selections in Writer
• Chart axes and labels
• Ability to reply a notes
• Easier to resize fonts by adding new button on the main toolbar
• Better grammar checking
• Improved hyperlink management
• Improved document revision by new context menu facilitating acceptance or rejection of recorded changes
• Better control in multimedia slides
• Sorting improvements
• Improvements on macros
• Internationalization
• Lots of bugs cleaned up

Thanks to Andrew Z who writes this on OOoNinja and John who pointed new features in OOo 3.1 (still in draft).

There are still time for you to put a request to OOo team or votes for a features that should be included in the next major release of OOo 3.1.

Expensive Laptops

I just read a news in DetikInet and a little bit shocked. There will be 450 laptops given to the new prosecutors for their daily work. What makes me surprise is the budget for each laptop. It's agreed that they will use Dell Latitude D630c which is around USD 1399. If we used a rate USD 1 = IDR 13.300, it will be IDR 18.606.700, but in the article, it is said that it will cost IDR 20,3 million. In total, it will cost around IDR 10 billion

The basic question: is it worthed and useful to spend those money just to buy laptops with those specifications? I believe you can get good laptop with less than IDR 10 million each

There's a potential for misuse of funds here

First Trophy

After winning on penalty shootout at Carling Cup final, Manchester United got their first trophy this season. They ended goalless even after extra time, forcing a penalty shootout to be taken. From MU,four of their executors, Ryan Giggs, Carlos Tevez, Cristiano Ronaldo, and Anderson did their job, while from Totenham, only Vedran Corluka who did his job while the others got denied by Ben Foster, MU's goal keeper.

Keep winning and you will have a chance to get 5 trophy this season