Saturday, 14 August 2010

Deploy WebSphere Plugin - Working on next release

It is time to get back to work after a well-deserved break. Following release 1.0, it is time to think about the next release. Version 1.0 is available and up and running, but I bet a lot of people won't find it really useful. This is because, to use it, you need to disable WAS security. That can be acceptable if both Hudson and WAS sit in the same (well-protected) LAN and, for example, the WAS is a machine used by the developers as a reference box. But not, alas, if WAS needs to be well secured and/or is in production.
The next release should cover WAS 6.1/7 with security enabled. I already have a working proof of concept, so it is just a matter of polishing the code a bit. Here starts the "bad news": for the deploy WebSphere builder to work with security enabled, you need an IBM JRE. This sounds like a big limitation, and in fact it is. To overcome it, you need to install hudson.war in WAS rather than in Tomcat, for example. To be perfectly honest, though, whoever uses this plugin is supposed to be a WebSphere user, so it shouldn't be such a huge deal... Anyway, more to come soon, so stay tuned!!

Thursday, 3 June 2010

Deploy Websphere Plugin released

As promised:

More to follow!!


Sunday, 30 May 2010

Hudson deploy-websphere plugin ready to ship

Ready to ship!
Eventually I have decided to go for a new plugin with a dependency on the existing deploy plugin. This, in my opinion, is the best solution because, WebSphere being a proprietary product and some jars not being redistributable, a little extra configuration is needed (just copying a couple of proprietary jars onto the classpath) at the end of the plugin installation. Anyway, more details will be on the wikis (both my personal one and Hudson's, if I can publish my plugin) once I get the right to check in to the Hudson repository.
So hang on for a little while....


Saturday, 29 May 2010

Hudson and WebSphere

I have been playing with Hudson for a while. It is way better than any other integration server I have seen and is crazily simple to extend. I'd love to use it at work, but for the moment we are still stuck with Cruise Control. That said, I think the integration with the "WebSphere world" could be improved.
I mean, the Hudson war file can be installed on WAS; moreover, there are already a few WebSphere/IBM plugins, such as the WAS Builder and the RAD Builder. But neither these nor the out-of-the-box deploy plugin support any WebSphere server. The WAS Builder plugin allows you to deploy on WebSphere, but from what I understood you need to write your own script.
I know WebSphere is a proprietary product and a kind of closed world, and WAS itself has been described by Hudson users as "exotic", but, having worked with WebSphere for a while, and predicting I'll be working with it for yet another while, I'd like to have an out-of-the-box mechanism to deploy artifacts to WAS and even WebSphere Portal. Since this does not exist at the moment, I decided to write it myself. :)
The solution will be heavily JMX based, and I am freely taking hints from the java file here.
At the moment, until I understand whether I can extend the already existing plugin, I am going in this direction, as you can see from the picture below:

otherwise I will start my own plugin.
My plan is to build up the complete solution in 3 steps:

  1. release the WebSphere deploy plugin for WebSphere Application Server 6.1/7 (with security disabled)
  2. release the WebSphere deploy plugin for WebSphere Application Server 6.1/7 (with security enabled)
  3. release the WebSphere deploy plugin for WebSphere Portal Server 6.1
Steps 2 and 3 might have some extra complications due to the extra proprietary IBM jar files needed; moreover, for the plugin to work, an IBM JRE is needed.
I decided to push these extra complications back and focus on point 1 for the moment, which seems "easier".
I should say I am not really far from having a "golden candidate"; I just need to understand the gotchas related to extending the existing plugin. So, what to say: if you are a WebSphere and Hudson user waiting for an out-of-the-box mechanism to deploy your build artifacts to WAS 6.1/7 and WPS 6.1, stay tuned!!


Tuesday, 9 March 2010

On the subject of Facebook

Somebody might think Facebook has become an obsession for me. In reality that is not true! I do like it. While creating some dummy accounts for my previous post, though, something caught my attention and I thought it might deserve at least a quick mention.
Basically, what I noticed is that you can do a lot of things even if your email is not confirmed. It is true that a lot of options, such as writing on other people's walls, sending messages and the like, are blocked. But you can do at least 2 things that, associated with a trusted but not verified email address, are potentially dangerous:

  • add a friend
  • post on the wall
Now as usual I leave you with a question. Would you trust a link in a wall from a user called William (Bill) Gates having his mail

Stay tuned!!

Saturday, 27 February 2010

Facebook vulnerability #1.5

Update (to follow the whole story, see the comments below)

@Tom point taken on board (see the new post title :))... I got a lot of hypotheses about the xxxxxx part but no real solution just yet... I hope to restore the title to 2.0 though

Apologies to all the people who thought chunk 2 had already been "discovered" (if discoverable); my mistake for not being clear enough. Still working on it though! :) So, stay tuned!!

Original article

Here we go again...
I have been playing with Facebook's security for a while at this point, as you can see here and here. Not too seriously though, also because, as those who know me well know, I am far from being a security expert. I tend to observe though, and ask myself a bunch of questions. Sometimes I am able to find an answer, as in the case of this post.
I have tried to go further. Can anyone guess the email address in order to pretend to be the real account holder? The answer, surprisingly, is YES!!! :-S
As long as you have some kind of access to the wall, though (this is the case if you are a friend of the account holder or the account holder's wall is public). Here is how to reckon it:

All you need is:

  • know how to convert a number from base 10 to base 36 (if you don't know how, use this)
  • the profile_id of the account holder (available in the URL of the account holder's Facebook page)
  • story_id and story_type (again easily accessible from the URL on the wall)
  • the current date (yes, you understood well, the current day :D, e.g. today 27/02/2010)
That's all you need!! Now follow these steps:

Let's try a reverse-engineering approach. This is our final goal:


N.B. note the 6 "avoid spam" xxxxx :D

Anyway, let's split the email address as follows:
  1. c+2
  2. xxxxxx
  3. 000000afwdwo
  4. 0m
  5. 00003c6efyz2
  6. 000000afwdwo
  7. 000000000000
  8. 1eu
  9. 1i
So here is the magic reckoning trick:

  • chunk 3 and chunk 6 come directly from my profile_id: (631367016) base 10 = afwdwo base 36 (adding 000000, 6 zeros, to arrive at 11 digits)
  • chunk 4 comes from story_type: story_type = 22 base 10 = 0m base 36
  • chunk 5 is the story_id (again in base 36): 261600937166 in base 10 = 3c6efyz2 in base 36 (adding 0000, 4 zeros, to arrive at 12 digits)
  • chunk 8 is a counter incrementing every day (still in base 36):
    • e.g. Jan 20 (day of the post on the wall) ==> 1830 base 10 = 1eu
    • Jan 21 will be 1ev, etc.
  • chunks 1, 9, 10 are always the same
  • chunk 7 will be the topic of my next post, but for this purpose consider it a constant as above (always 000000000000; it is 12 digits, is that any hint? :D)

And chunk 2? Well, I leave to you the fun of finding out :D

Well, that's it. I hope you find this interesting, and I leave you with a question:

Is base 36 cryptic enough :D? And is Facebook using this great algorithm anywhere else?

    Cheers and stay tuned
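
On the closing question, an added example (not code from this post or from Facebook): it recomputes chunks 3, 4, 5 and 8 from the values quoted above, showing that base 36 is only an encoding, and sets next to it a keyed HMAC tag as one possible hardening. The function names, the `|` field separator, the tag length and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def to_base36(n: int, width: int = 0) -> str:
    """Encode a non-negative integer in base 36, zero-padded to `width`."""
    if n < 0:
        raise ValueError("only non-negative integers can be encoded")
    out = ""
    while n:
        n, rem = divmod(n, 36)
        out = DIGITS[rem] + out
    return (out or "0").rjust(width, "0")


def public_chunks(profile_id, story_type, story_id, day_counter):
    """Chunks 3, 4, 5 and 8 of the post. Every input is readable from the
    wall URL or the calendar, so the output holds no secret at all."""
    return {
        3: to_base36(profile_id, 12),
        4: to_base36(story_type, 2),
        5: to_base36(story_id, 12),
        8: to_base36(day_counter),
    }


def signed_tag(secret: bytes, chunks: dict, length: int = 32) -> str:
    """Assumed hardening (not Facebook's design): a truncated HMAC-SHA256
    over the public chunks, keyed with a secret only the server holds."""
    msg = "|".join(f"{k}={chunks[k]}" for k in sorted(chunks)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:length]


def verify_tag(secret: bytes, chunks: dict, tag: str) -> bool:
    """Constant-time check that `tag` was issued for exactly these chunks."""
    return hmac.compare_digest(signed_tag(secret, chunks), tag)


# Values quoted in the post: profile_id, story_type, story_id, day counter.
POST = public_chunks(631367016, 22, 261600937166, 1830)

if __name__ == "__main__":
    print(POST)  # the same chunks the post derives by hand
    key = secrets.token_bytes(32)  # constructed server-side key
    tag = signed_tag(key, POST)
    print(tag, verify_tag(key, POST, tag))
```

With the tag in place, knowing the profile, the story and the day is no longer enough to produce a valid address: the tag cannot be recomputed without the server's key, and it stops verifying as soon as any chunk changes.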