David Pollak's blog... and such. Lots of DPP's thoughts here...
March 22, 2015
A Serious Vulnerability
Security testing at a large Lift-powered site revealed a serious XML-related security vulnerability.
The core issue is that versions of Lift prior to the recently patched 2.5.2, 2.6.1, and 3.0-M4 are vulnerable to an XML eXternal Entity (XXE) attack. The attack allows access to the local filesystem via XML entities:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
The root cause of the problem is that Lift uses Scala's scala.xml.XML library for parsing, and the default configuration of that library is insecure.
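The fix on the application side is to stop handing scala.xml.XML a default SAX parser. The example below is added here and is not code from the post or from the Lift patch; it assumes the scala-xml library (XML.withSAXParser and loadString) and the JDK's built-in Xerces-based SAX parser, which honours the feature URIs set on the factory. It builds a hardened parser that rejects any DOCTYPE and never resolves external entities, then shows a benign document parsing and a constructed entity-bearing document being refused.

```scala
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.SAXParseException
import scala.xml.{Elem, XML}

// Hardened XML loading for scala-xml (added example; assumes scala-xml's
// XML.withSAXParser and a JDK SAX parser that supports the Xerces feature URIs).
object SafeXml {
  private def hardenedFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setNamespaceAware(true)
    f.setXIncludeAware(false)
    // Reject any DOCTYPE outright: entity declarations can only live there.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth: even if a DOCTYPE were allowed, never fetch external
    // general/parameter entities or an external DTD.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f
  }

  // Returns Left(reason) instead of an Elem when the parser refuses the input,
  // so callers cannot accidentally treat a rejected document as parsed.
  def loadString(s: String): Either[String, Elem] =
    try Right(XML.withSAXParser(hardenedFactory().newSAXParser()).loadString(s))
    catch { case e: SAXParseException => Left(e.getMessage) }
}

object SafeXmlDemo extends App {
  // Constructed inputs: a plain element, and a document carrying a DOCTYPE with
  // an external entity (placeholder URI; nothing is ever read from it).
  val benign  = "<foo>hello</foo>"
  val hostile =
    """<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///placeholder-not-read">]><foo>&xxe;</foo>"""

  SafeXml.loadString(benign) match {
    case Right(elem) => println(s"parsed: ${elem.text}")          // parsed: hello
    case Left(err)   => println(s"unexpected rejection: $err")
  }
  SafeXml.loadString(hostile) match {
    case Right(elem) => println(s"UNSAFE: entity content reached application: ${elem.text}")
    case Left(err)   => println(s"rejected as expected: $err")    // DOCTYPE is disallowed
  }
}
```

The disallow-doctype-decl feature is the one that matters for this class of bug, because it stops the parser before any entity is declared; the three entity features are there so that a parser which does not recognise the first URI still fails closed rather than fetching files or URLs.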
March 8, 2015
A sweet Clojure-ish language
It's likely no secret that I really dig Clojure. It's the first unityped language I've used since Objective-C in the early 90s that I really like. Yes, I still love Scala, but I think Clojure is pretty much the best designed computer language I've ever used... and maybe that's because Clojure is mostly "less is more" but in a few places, it's not.
The things I really like about Clojure are:
March 7, 2015
The Right Gear is Important
I travel a fair amount and I like to have the right gear to travel well. Here's my current set-up:
Most importantly, a Traser Code Blue Watch. This watch is light and comfortable on the wrist and has a tritium light source so it's always visible. I can half wake on a dark airplane or in a dark hotel room, check out the time, and go back to sleep. I can do this without pushing buttons or doing something that's going to annoy others around me.
January 23, 2015
Yep... I'm getting old and so are my computers. I used to do a lot of coding on NeXT cubes and slabs.
I have a bunch of NeXT machines laying around and so do some of my friends.
But how does one get old data, programs, mailboxes, etc. off a NeXT machine? Turns out that it's not so hard.
NeXT machines used SCSI drives.
So, to get data off a NeXT drive, one has to put together a setup that supports SCSI-1 drives.
And I had a 50 pin micro to Centronics SCSI cable.
January 4, 2015
2014 Winter Break in Orlando
I took my kids to Orlando Florida over winter break. They are 10 and do a lot of reading and play a lot of iPad. Here's the report.
Caribe Royal Hotel
We stayed at the Caribe Royale in a two bedroom suite. The room was almost 1,300 sq. ft and really nice. The kids had their own room with two queen sized beds. I had a room with a king bed and a jacuzzi tub. The room had a full kitchen and a washer/dryer.
In terms of utility, the room was perfect. I did a grocery run the first night and we ate breakfast and some dinners in the room.
October 31, 2014
It's a Virtual Piece of Cake
I've gotten a bunch of questions about how Visi, the simple web front end to Spark works. This blog post is an overview.
Hosted Spark with a Simple Front End
Visi is a hosted Spark cluster with a simple web-based front end that allows Excel-savvy folks to enter formulas that get turned into Spark jobs.
The Spark cluster and front end are built on demand, hosted in Docker containers, and communicate over the network using Weave. The web UI is presented to the user via a dynamically updated HAProxy routing table.
Nuts and Bolts
October 29, 2014
Back to the Future...
This post was from November 2006. I had just started playing with Scala and was trying to figure out an ORM... the one that ultimately became Lift's Mapper.
Keeping the meaning with the bytes
One of my criteria for a good web framework is having security and access control built in. As I was driving friends and relatives to and from Thanksgiving dinner, I was thinking to myself, "It's nice to have goals, but how do you implement them?"
September 24, 2014
Blast from the past...
I wrote this in May, 2008... and I've gotta say, I was pretty spot-on including Java 8 adopting some of Scala's better features:
It's starting to happen... the FUD around Scala. The dangers of Scala. The "operational risks" of using Scala.
It started back in November when I started doing lift and Scala projects for hire. The questions were reasonable and rational:
August 30, 2014
It's the chat demo
Check out the demo!!
As I've been working through the Dragonmark stuff, I decided to use the same Chat app as a demo. Why? 'cause the same concepts are present in Dragonmark... the abstraction of the cross-address-space plumbing.
core.async across address spaces
August 16, 2014
Distributed Communicating Sequential Processes (CSP)
However, very few programs run in a single address space. Web applications run in a combination of the browser and one or more servers. Very often, applications will span a cluster of servers.
Dragonmark Circulate provides a mechanism for distributing core.async channels across address spaces while providing the same semantics to all the address spaces.
I've written some macros to make writing core.async code easier and more linear.
July 22, 2014
I've started working on a series of open source library code for Clojure called Dragonmark that roughly falls into three categories: utilities, a distributed CSP library, and a sample web app that demonstrates distributed CSP.
Mostly, I think that the semantics for interprocess communication should be the same as the semantics for local communication. Clojure's core.async library provides a really nice set of APIs to communicate asynchronously, have backpressure, and in general "do the right thing."
July 14, 2014
Not my cup of tea
I went to Yes & over the weekend and it was disappointing. I was drawn in by:
The theory was, if you get a group of smart, engaged individuals together in the right place that great things would happen.
Sadly, the conference was not that.
I was expecting more of a Strange Loop experience. Something in a far away place where each interaction leaves me thinking, pondering, and expanded.
Instead, Yes & is a big, fun partay.
If you'd like to hang out in the pool, get drunk, share new strains of medical marijuana, and go to a fun prom with all the hipsters from the Mission, Brooklyn, LA, and Portlandia, Yes & is the place to be.
May 14, 2014
When we use Java
There is a lot of confusion about my We all Infringe post. So, I'm going to walk everybody (especially the lawyers) through the mechanics.
Until last week, all developers and most lawyers operated under a simple rule. APIs are not subject to copyright, but code implementing APIs is subject to copyright. It was a simple dichotomy and allowed developers to operate under a bright-line set of rules.
On May 9, 2014, the Circuit Court of Appeals changed the law to extend copyright coverage to APIs. Specifically (page 5):
... we conclude that the declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection...
May 12, 2014
Okay, everybody who touches Java bytecode
The Oracle v. Google holds that copying the Structure, Sequence, and Organization of the Java APIs is a copyright violation. And a copyright violation is not just the act of copying, but also applies to all the intermediate parties that have a copy of the work.
That's anybody who writes/compiles any JVM language and anyone who has a JAR file on any device they possess... including a Java ME applet on your old Motorola flip phone. In fact, the JVM in all its incarnations is so pervasive, it's likely that every adult in every industrialized nation has some JVM running someplace.
May 11, 2014
I have been developing software professionally since 1978. I went to law school (BU Law '91). I think that computer programming technology and the law are really, really similar.
At the end of the day, both law and computing are about wrapping abstractions around very complex interactions such that the rules are comprehensible and the outcomes are predictable.