(Short) Book Review: Xamarin Mobile Application Development for Android

You probably read by now that I’ve been thinking of build either an Android application or a Chrome one as either companion or replacement for the glucometer utilities which I’ve been writing in Python for the past few months.

Packt has been nice enough to let me review Xamarin Mobile Application Development for Android, and so I decided to take into consideration the option of actually building the app in C#, so that it can be shared across various platforms.

The book goes into details of what Android applications can and should do and provides nice examples, mostly around a points-of-interst application. It’s hard to say much when I don’t want to complain, so I’ll just say, give it a go, if you don’t plan to make your apps open source (which I think you should). As the book points out, being able to share your backend libraries (but not frontend/UI ones!) across operating systems and platforms (phone, tablet, computer) is a godsend, so I think Xamarin did build a very good tool for the job.

On the other hand, I’m definitely not going to pursue this — while C# is a language I like, and Xamarin for Android allows you to use JNI extensions as the one Prolific releases for their USB-to-serial adapter, I find having the tool open source is more important than any of this.

Book Review: OAuth 2.0 Identity and Access Management Patterns

PacktPub sent me another book for review after the quite good Learning Cython Programming (which I reccommend!), this time the book is OAuth 2.0 Identity and Access Management Patterns (Packt). I’m afraid to say I’m not incredibly impressed.

The book is not bad; the content is there and it can be useful, just I don’t know if the price attached to it, especially from Amazon or for the print edition is worth it. From one point of view, OAuth 2 itself is quite simple in its design, intentionally, as the previous implementation was obviously overcomplicated; on the other, the book sticks strictly to the protocol itself rather than describing ways to integrate it with your application.

One of the weakest points of the book is that it sticks strictly to the terminology used by the standard. While terminology is important, it would be nice to have a more “plain English” definition of what’s going on, and an explanation of said terms. Even things like “secure storage” are not obvious (secure to whom?).

Books like this to me are good if after reading it I have fewer questions than when I started. I did choose to review this one because I have had bad experience while trying to implement OAuth before – and the messy hybrid that was the first version of Facebook Connect – and I wanted to know what the current state of the art is in the authentication department. But the book did not make it any clearer to me.

There’s lots of hand-waving, too. For instance the state parameter that is passed on during requests is told «can be used for defending against man in the middle attacks» — but there is no explanation on how this works; sure it’s passed unmodified back to the caller, but what are the semantics? Similar to XSRF tokens? If there is such an attack, what stops Eve from using the same state value? I’m sure there are answers and best practices, but the book does not help me there.

There are also some references that while factually true, are rendered in such a way to be ambiguous and misleading. When explaining the advantages of OAuth 2 over previous authentication systems, for example, it gets compared to HTTP Basic Auth complaining:

The drawback here is that, in this type of authentication, the user, alongside his username, enters and sends his password over the wire as well.

While this is true, nobody in their sane mind would use basic authentication nowadays; indeed anybody who wants to use HTTP-level authentication would use digest auth which does not suffer from the just-listed problem. Sure it has other issues, but that’s still the case.

The book will eventually proceed to explain what the advantage of OAuth 2 over user/password authentication is (fine-grained access control to resources hosted at a third-party service), but even just pointing that out right away would have been an improvement. Indeed here the problem is not that username and password are passed over the wire (they almost always are, at some point), but rather than you don’t have to provide your (say) Facebook password to (say) Duolingo for it to be able to find your friends already on the system. This is a definitive win over user/password authentication, but is not really made clear. Not that OAuth was the first implementation of a token-based authentication: after all Kerberos is a technology of the 80s.

The calls to security measures are also vague, ranging from security through obscurity by suggesting to «perform code analysis» to make reverse engineering harder (what?), or to encrypt a whole SQLite database to prevent SQL injection attacks. Oh and there are no other apps beside JavaScript “client apps” and mobile applications. Maybe the desktop is already dead? I don’t think so.

I’m sorry if I sound harsh, but the author definitely knows the topic, so I would have hoped for more, especially for the not-so-cheap price the book is sold at. Toward the end of the book, lots of pages are “wasted” by XML dumps when trying to explain how to make use of SAML 2.0 — without explaining what it is or why we should care (not that online I could find a good answer to this).

At any rate if you’re struggling with OAuth 2, the book is not bad, but unless you really want to spend on books, this one is not for you.

Book Review: Learning Cython Programming

Thanks to PacktPub I got a chance to read an interesting book this week: Learning Cython Programming by Philip Herron (Amazon, Packt). I was curious because, as you probably noticed, after starting at my current place of work the past April, I ended up having to learn to use Python, which ended up with me writing my glucometer utilities in that language, contrarily to most of my other work, which has been done in Ruby. But that’s a topic for a different post.

First of all, I was curious about Cython; I heard the name before but never looked much into it, and when I saw the book’s title and I quickly checked what it was, my interest was definitely picked. If you haven’t looked into it either, at a quick summary it’s a code generator bridge between Python and good plain old C, wrapping the latter such that you can either make it run Python callbacks, or generate a shared object module that Python can load, and offload the computation-intensive code to a more performant language. And it looks a lot like a well-designed and well-implemented version of what I hoped to get in Ruby with Rust — no connection with Mozilla’s language with the same name.

The book is a quick starter, short and to the point, which is an approach I like. Together with the downloadable source code, it makes it a very good solution to learn Cython, and I recommend it if you’re interested. Not only it covers the obvious language itself, but it covers a wide range of use cases that show how to make good use of the options provided by Cython. It even goes on to show how to integrate it in a build system (although I have some reserves on the Autotools code in there, which I think I’ll send Philip a correction for).

I seriously wish I had Cython and this book when I was working on Hypnos, an Ultima OnLine «server emulator» for which I wanted to add Python-based scripting — other emulators at the time used either a very simple, almost basic-like scripting language, Perl or C#. This was before I tried to use Python for real, which turned me to hate its whitespace-based indentation. I did write some support for it but it was a long and tedious process, so I never finished it. Not only Cython would make that work much less tedious, but the book shows exactly how to add Python scripting capabilities to a bigger, C program using tmux as the example.

The book does not ignore the shortcomings of Cython of course, including the (quite clumsy) handling of exceptions when crossing the foreign language barrier. While there are still a bunch of issues to be straightened out, I think the book is fairly good at setting proper expectation for Cython. If you’re interested in the language, the book looks like the perfect fit.

Book Review: Instant Mercurial Distributed SCM Essentials How-to

Okay the title is a mouthful for sure, but this new book from Packt Publishing is an interesting read for those who happen to use Mercurial only from time to time and tends to forget most of the commands and workflows, especially when they differ quite a bit from the Git ones.

While I might disagree with using some very unsafe examples (changing the owner of /etc/apache to your user to experiment on it? Really?), the book is a very quick read and I feel like for the price it’s sold by Packt (don’t get distracted by the cover above, that links to Amazon) it’s worth a read, and keeping it on one’s shelf or preferred ebook reader device.

Well, not sure if I can add more to this, I know it sounds like filler, but the book is short enough that trying to get into more details about the various recipes it proposes would probably repeat it whole. As I said, in general, if you have to work with Mercurial for whatever reason, go for it!

Book review: Instant Munin Plugin Starter

This is going to be a bit of a different review than usual, if anything because I actually I already reviewed the book, in the work-in-progress sense. So bear with me.

Today, Packt published Bart ten Brinkle’s Instant Munin Plugin Starter which I reviewed early this year. Bart has done an outstanding job in expanding from the sparsely-available documentation to a comprehensive and, especially coherent book.

If you happen to use Munin, or are interested to use it, I would say it’s a read well worth the $8 that it’s priced at!

ModSecurity, antispam and books

You probably remember that I wrote quite a bit about my use of ModSecurity to handle antispam for the blog’s comments as it allows me to verify the User-Agent header as well as having a few extra tricks up my sleeves without enabling either forced registration, captchas or comment forced moderation. Among the other things, it allowed me to also disable the 60-days limit for comments on posts: now all the posts have free comment enabled.

But I think I already ranted about the lack of good documentation about ModSecurity: while it’s definitely powerful, it also has a few rules that are definitely draconic, and that makes it almost impossible to use it without fiddling for most use cases. Part of this has, in my opinion, to do with the idea ModSecurity was designed for in the first place: putting a stop to vulnerabilities of broken PHP code. I’m not singling out PHP here, they did, more than a couple of rules are designed to workaround common PHP code errors. While this can probably be considered good enough, it shows its problems when used with Rails (for instance the “duplicate parameter” rules break Rails pretty badly). For this reason in Gentoo, by default, I disable some of the worst rules (you can still get the original by using the vanilla USE flag).

Now, earlier this month, before my one-week vacation, Packt Publishing asked me to review a book (that they published last week) on the subject: ModSecurity 2.5 by Magnus Mischel . I’m still reading through it, given my usual time constraint (and a few unusual ones, including my birthday yesterday), but I can say something about it already: give it a read.

It starts from quite some basics in the functioning of ModSecurity, and that is very good, as it’s exactly what the original documentation lacks. At the start I actually had the wrong impression that it was going to take a too “newbie” look to the thing, but indeed there are some very basic tricks that might not be obvious at all even though you’ve been roaming through the ModSecurity documentation for a while before.

You can say that reading this book has been pretty helpful to both me and Gentoo: from one side I’m understanding how to improve the antispam rules so that they can be published and made available for others to use (I’m considering publishing my own rule set, not only for the antispam, but also as a measure of protecting against marketing crawlers that waste everybody’s bandwidth); from the other side, there has been at least one dependency (over mod_unique_id) that I didn’t know about, but which is now fixed in the ebuild you can find in tree.

Bottom line is, if you’re planning of doing any serious work with ModSecurity, this is definitely a must-read text. Kudos to Magnus, his work is definitely quality work. You can get the book and PDF directly from Packt or get it from Amazon (associate link) if you prefer.

And thanks again to Packt (and Magnus) for the opportunity of improving the Gentoo packaging: I know now of a couple more things I should be looking at to fix in the next future.