Herding Code 177: Anthony vander Hoorn on Glimpse Internals

At NDC, K Scott and and Jon talked to Anthony vander Hoorn about the how he and Nik built Glimpse and how it’s evolved over time.

Download / Listen:

Herding Code 177: Anthony vander Hoorn on Glimpse Internals

Show Notes:

  • Glimpse internals
    • (00:50) Jon asks Anthony about the JavaScript work they’ve done to enable Glimpse. Anthony starts with their initial implementation – just injecting a div into a page. He then talks about some of the issues they ran into over time with a large JavaScript download and a complex codebase to maintain.
    • (02:39) Jon asks if it’s still jQuery based. Anthony says it is, though they’ve thought of removing that dependency. It’s mostly used for click event handling. They include a scoped, local copy of jQuery to prevent any conflicts with the host page’s use of jQuery.
    • (03:50) K Scott asks about some of the impacts of injecting their Glimpse content into the DOM. Anthony discusses issues with CSS, since the host page’s resets and selectors can affect Glimpse’s display. Glimpse includes a custom CSS reset and they scope their CSS rules.
    • (05:50) K Scott asks if the shadow DOM and HTML5 specifications for widgets would help. Anthony says yes and talks about how people are doing things now using iframes and how things would be improved. Anthony compares it to the XAML concepts of the visual and logical trees.
    • (07:45) Jon asks how things have changed from just injecting a div. Anthony explains how they use another div to reserve space at the bottom of the page and introduced a message bus to allow publishing and subscribing rather than handling events and callbacks.
    • (10:33) K Scott asks about patterns used to allow for extensibility and plugins. Anthony talks about how they’ve refactored, first to separate files and then to modules.
    • (12:40) Jon asks if they’ve looked at using some common single page application frameworks or other JavaScript frameworks. Anthony says they looked at require.js, but it didn’t really buy them anything. They also looked at backbone, but again it wasn’t worth the tradeoff of download size and complexity.
    • (15:39) K Scott asks what unit testing frameworks they use. Anthony says they’ve just got a test harness at this point, but a lot of the testing is manual. They’re looking at using TestSwarm and BrowserStack to do browser testing.
    • (18:06) Jon asks about mobile browsers. Anthony explains the current mobile support that’s been in Glimpse for a while. He discusses some other features they’ve looked at in the future.
  • Hobbies
    • (20:30) K Scott asks Anthony about his hobbies. Anthony talks about his new interest in growing his own food and a renewed interest in woodworking.
    • (21:55) K Scott asks Anthony about what he’s got coming up. Anthony talks about his summer conference schedule and that he’s moving to New York to keep a closer eye on Nik.

Show Links:

Herding Code 176: Jon McCoy on Hacking .NET

At NDC, Jon and K Scott talked to JonĀ  McCoy about hacking .NET and .NET developer security.

Download: Herding Code 176: Jon McCoy on Hacking .NET

Show Notes:

  • Intro and NDC talks
    • (00:30) Jon McCoy overviews his NDC talks, explaining how he got into security and some of the amazing things he’s found out about .NET about along the way, like using Java JARs inside .NET applications.
    • (02:55) Jon McCoy says that understanding IL and how the JIT works allows him to directly use assembly code and C++ from within .NET applications.
    • (03:45) K Scott asks Jon McCoy about some of the tools he showed during his talks. Gray Dragon is a memory injection program which allows injecting code and remapping while an application’s running. Gray Wolf allows editing an application’s IL code. In his talk, he demonstrates extracting his admin password from biometrics password with six clicks.
  • Developer security practices: obfuscation, unit tests, monitoring
    • (05:20) Jon G asks if obfuscation helps hide his code. Jon McCoy says it’s always reversible and there’s about a three month lag between obfuscator releases and workarounds. Just about anything that can be automated can be reversed.
    • (06:44) Jon McCoy recommends security unit tests for practices like SQL cleaning and throwing security exceptions. Monitoring for security exceptions will let you know someone’s attacking you – if someone has two years to attack you without you knowing, they’re going to get in.
    • (07:42) Attackers can target update mechanisms in desktop programs to target users throughout your enterprise. Also, the nature of .NET code makes it very difficult for antivirus software to detect when it’s doing something bad.
    • (08:30) Jon McCoy says there’s a security issue with Visual Studio in that it executes constructor code for controls as they’re loaded in the designer, so a malicious user can run code which runs under your user permissions.
  • Securing information on your computer: crypto and passwords
    • (09:40) Jon McCoy talks about some of the security practices he recommends: full disk crypto with TrueCrypt, using a hardware solution like YubiKey for long passwords, and using encrypted VMs as secure containers.
    • (11:12) Jon G asks Jon McCoy what he thinks of solutions like Keepass and LastPass. K Scott asks whether OpenID and OAuth help. Jon G laments that CardSpace never took off.
    • (12:47) Jon G asks if signed code helps secure code at all. Jon McCoy says it doesn’t really, since it’s not validated.
  • Businesses and security
    • (13:27) Jon G asks if Jon McCoy gets involved with forensics. Jon McCoy says he mostly works with small businesses who are being attacked or want to fix security issues.
    • (14:31) K Scott asks Jon McCoy if he deals with mobile device security. Jon McCoy discusses the security blind spots desktop and mobile developers have.
    • (15:23) Jon G asks what Jon McCoy thinks about two factor auth.
    • (16:22) Jon McCoy explains how his background as a developer helps him understand issues in a way that IT focused security experts don’t.
  • Defending against cracks
    • (17:20) Jon asks about defense against cracks. Jon McCoy says the motivation behind cracks and malware shifts – sometimes the bad guys are just after a proxy network, password cracking machines, or even free cloud storage. Malware distributors can really strike it rich by owning a computer that happens to be inside a big company; they can sell that access for a lot of money. Part of fighting an attack is understanding what’s motivating the attacker.
    • (19:07) Jon G talks about targeted attacks against employees using fake, infected PDF business documents – send to enough people and a few will open it. Jon McCoy says that’s why he advocates using a hardened VM for browsing the internet as well as using different e-mail addresses so you know unsolicited e-mails to an admin e-mail can’t be valid.
  • Resources: tools and papers
    • (20:13) Jon G asks for a little more information about the security tools Jon McCoy distributes on his site.
    • (20:47) Jon G asks about how Jon McCoy’s security disclosure policies. Jon McCoy says he generally keeps things secret long enough to give his clients a security advantage. He talks about a technique he used which phones home when obfuscated code is decompiled.
    • (21:51) Jon G asks Jon McCoy how he keeps up with things. Jon McCoy says things are pretty lonely, he’s off on his own most of the time. Jon G says it’s easy to forget that a lot of .NET runs on top of Win32 and COM.
    • (23:10) Jon G asks Jon McCoy for some reference for developers who are interested in learning more. Jon McCoy lists a few (referenced in the show links).

Show Links: