• Lift XML Vulnerability

    March 22, 2015

    A Serious Vulnerability

    Security testing at a large Lift-powered site revealed a serious XML-related security vulnerability.

    The core issue is that versions of Lift prior to the recently patched 2.5.2, 2.6.1, and 3.0-M4 are vulnerable to an XML eXternal Entity (XXE) attack. The attack allows access to the local filesystem via XML entities:

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE foo [
       <!ELEMENT foo ANY >
       <!ENTITY xxe SYSTEM "file:///etc/passwd" >
     ]>
     <foo>&xxe;</foo>

    The root cause of the problem is that Lift uses Scala's scala.xml.XML library for parsing, and the default configuration of that library is insecure: the underlying parser resolves external entities unless that behavior is explicitly disabled.

  • Pixie: stunningly good

    March 8, 2015

    A sweet Clojure-ish language

    It's likely no secret that I really dig Clojure. It's the first unityped language I've used since Objective-C in the early 90s that I really like. Yes, I still love Scala, but I think Clojure is pretty much the best designed computer language I've ever used... and maybe that's because Clojure is mostly "less is more" but in a few places, it's not.

    The things I really like about Clojure are:

  • What I Travel With

    March 7, 2015

    The Right Gear is Important

    I travel a fair amount and I like to have the right gear to travel well. Here's my current setup:

    dpp's travel stuff

    Most importantly, a Traser Code Blue Watch. This watch is light and comfortable on the wrist and has a tritium light source so it's always visible. I can half wake on a dark airplane or in a dark hotel room, check out the time, and go back to sleep. I can do this without pushing buttons or doing something that's going to annoy others around me.

  • Slurping data from NeXT drives

    January 23, 2015

    Getting Old

    Yep... I'm getting old and so are my computers. I used to do a lot of coding on NeXT cubes and slabs.

    I have a bunch of NeXT machines lying around and so do some of my friends.

    But how does one get old data, programs, mailboxes, etc. off a NeXT machine? Turns out that it's not so hard.

    NeXT machines used SCSI drives.

    So, to get data off a NeXT drive, one has to put together a setup that supports SCSI-1 drives.

    I purchased:

    And I had a 50 pin micro to Centronics SCSI cable.

  • Orlando 2014

    January 4, 2015

    2014 Winter Break in Orlando

    I took my kids to Orlando, Florida over winter break. They are 10 and do a lot of reading and play a lot of iPad. Here's the report.

    Caribe Royale Hotel

    We stayed at the Caribe Royale in a two bedroom suite. The room was almost 1,300 sq. ft and really nice. The kids had their own room with two queen sized beds. I had a room with a king bed and a jacuzzi tub. The room had a full kitchen and a washer/dryer.

    In terms of utility, the room was perfect. I did a grocery run the first night and we ate breakfast and some dinners in the room.

  • How Visi uses Weave and Docker

    October 31, 2014

    It's a Virtual Piece of Cake

    I've gotten a bunch of questions about how Visi, the simple web front end to Spark, works. This blog post is an overview.

    Hosted Spark with a Simple Front End

    Visi is a hosted Spark cluster with a simple web-based front end that allows Excel-savvy folks to enter formulas that get turned into Spark jobs.

    The Spark cluster and front end are built on demand, hosted in Docker containers, and communicate over the network using Weave. The web UI is presented to the user via a dynamically updated HAProxy routing table.

    Nuts and Bolts

  • Keeping the Meaning with the Bytes

    October 29, 2014

    Back to the Future...

    This post was from November 2006. I had just started playing with Scala and was trying to figure out an ORM... the one that ultimately became Lift's Mapper.

    Keeping the meaning with the bytes

    One of my criteria for a good web framework is having security and access control built in. As I was driving friends and relatives to and from Thanksgiving dinner, I was thinking to myself, "It's nice to have goals, but how do you implement them?"

  • For All You Know, It's Just a Java Library

    September 24, 2014

    Blast from the past...

    I wrote this in May 2008... and I've gotta say, I was pretty spot-on, including Java 8 adopting some of Scala's better features:

    It's starting to happen... the FUD around Scala. The dangers of Scala. The "operational risks" of using Scala.

    It started back in November when I started doing Lift and Scala projects for hire. The questions were reasonable and rational:

  • Dragonmark Chat: core.async over the web

    August 30, 2014

    It's the chat demo

    Check out the demo!!

    Way back when I was focused on Lift and explaining why Lift was different, I created the Lift chat app. The chat app was short, sweet, and highlighted how Lift was different.

    As I've been working through the Dragonmark stuff, I decided to use the same Chat app as a demo. Why? 'cause the same concepts are present in Dragonmark... the abstraction of the cross-address-space plumbing.

    core.async across address spaces

  • Introducing Dragonmark Circulate

    August 16, 2014

    Distributed Communicating Sequential Processes (CSP)

    Communicating Sequential Processes (CSP) provides excellent patterns for building concurrent systems. Clojure's core.async provides a Clojure implementation of CSP in a single address space.

    However, very few programs run in a single address space. Web applications run in a combination of the browser and one or more servers. Very often, applications will span a cluster of servers.

    Dragonmark Circulate provides a mechanism for distributing core.async channels across address spaces while providing the same semantics to all the address spaces.

    Some macros

    I've written some macros to make writing core.async code easier and more linear.


  • gofor it

    July 22, 2014

    The gofor macro

    I've started working on a series of open source libraries for Clojure called Dragonmark that roughly fall into three categories: utilities, a distributed CSP library, and a sample web app that demonstrates distributed CSP.

    So, why?

    Mostly, I think that the semantics for interprocess communication should be the same as the semantics for local communication. Clojure's core.async library provides a really nice set of APIs to communicate asynchronously, have backpressure, and in general "do the right thing."

  • Saying No to Yes &

    July 14, 2014

    Not my cup of tea

    I went to Yes & over the weekend and it was disappointing. I was drawn in by:

    The theory was that if you get a group of smart, engaged individuals together in the right place, great things would happen.

    Sadly, the conference was not that.

    I was expecting more of a Strange Loop experience. Something in a far away place where each interaction leaves me thinking, pondering, and expanded.

    Instead, Yes & is a big, fun partay.

    If you'd like to hang out in the pool, get drunk, share new strains of medical marijuana, and go to a fun prom with all the hipsters from the Mission, Brooklyn, LA, and Portlandia, Yes & is the place to be.

  • Yes, we do all infringe

    May 14, 2014

    When we use Java

    There is a lot of confusion about my We all Infringe post. So, I'm going to walk everybody (especially the lawyers) through the mechanics.

    Until last week, all developers and most lawyers operated under a simple rule: APIs are not subject to copyright, but code implementing APIs is subject to copyright. It was a simple dichotomy and allowed developers to operate under a bright-line set of rules.

    On May 9, 2014, the Circuit Court of Appeals changed the law, extending copyright coverage to include APIs. Specifically (page 5):

    ... we conclude that the declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection...

  • Every one of us is an Infringer

    May 12, 2014

    Okay, everybody who touches Java bytecode

    The Oracle v. Google decision holds that copying the Structure, Sequence, and Organization of the Java APIs is a copyright violation. And a copyright violation is not just the act of copying, but also applies to all the intermediate parties that have a copy of the work.

    That's anybody who writes/compiles any JVM language and anyone who has a JAR file on any device they possess... including a Java ME applet on your old Motorola flip phone. In fact, the JVM in all its incarnations is so pervasive, it's likely that every adult in every industrialized nation has some JVM running someplace.

  • Lawyers and Developers, not so different

    May 11, 2014

    I have been developing software professionally since 1978. I went to law school (BU Law '91). I think that computer programming technology and the law are really, really similar.

    At the end of the day, both law and computing are about wrapping abstractions around very complex interactions such that the rules are comprehensible and the outcomes are predictable.