Saturday, February 23, 2008

Screenshots and features Project Dune

I took some time to update the projectdune wiki with a list of features currently supported. That should make things a lot clearer. See the screenshots for further details.

Supported features

Monday, February 18, 2008


Err... yeah, it's been cold in Holland for the last two days. Icy, salted roads and scratching ice from car windows. It'll improve very soon though.

I worked on Project Dune over the weekend and it's now getting there. One more bit of functionality to create the reporting ability from estimate to timesheet. That'll certainly mark a milestone. From there onwards as they say. I'm trying to take things easy now and just improve on existing things. Maybe some refactorings here and there.

There's still a new module in the pipeline for test case management. So you can write a document, the test plan and then refer the individual bits with the test results. The same things should probably be done for issues.

Wednesday, February 13, 2008

Identity on the Net

Project Dune has a feature implementation pending with regards to logins through OpenID's. When you surf the net nowadays, every site you go to requires you to put your details in for registration. The objective of registration is to be able to verify the same details at a later time. The details are verified by a secret that you are telling in the process of registration (your password), which is stored securely at the site and of which both parties hope is a secret that is never shared with any other party.

Your registration however is further verified by adding a key that you only own: your email address. The registration site creates a temporary link with a complex url that is very hard to guess. You move to the url and thereby activate your account that you requested to set up earlier. From here on, you don't need to keep checking your email to be able to log in, you use the shared secret.

What most sites care about is authentication. Authentication is the process of verifying that someone who identified himself with some token at some point (your name or any other credential) is the same person that comes back another time and not somebody else. This is essentially what authentication means for sites that allow "semi" anonymous access (you register with your details, but the registration site never actually verifies your real identity. So what they check is not that you are who you say you are, but that you are the same person that made the initial registration).

OpenID attempts to simplify this a bit further. Rather than "registering" in the same method for each site that you may be on, you'll continue to see new sites popping up that claim to manage your identity online. Basically, this means a split of the registration process from the authentication process.

Remember how I said that many public sites don't care about who, in the context of real identity, is making a registration? They only care if they can reliably assume that it is the same person that actually registered before. So another site could authenticate on the site's behalf and then have the user call back to the originating site with the result of the authentication.

The authentication relies on the fact that the user now claims to own a url. For example, if I want to log on with OpenID on a forum site, I could claim I own:

Then the forum site tells me: "oh yeah? proof it!". So they redirect my browser to an authentication provider site "". The forum site passes in a return URL that is used to pass my browser back after the authentication claim. First, I need to fill in my secret that I have with my authentication provider. If I succeed, it is assumed I correctly own the URL. If it fails, my claim is invalid.

In both cases, I get redirected to the forum site. The forum site then analyzes the details and shows the results as they have programmed. There's another process there related with cookies and multiple redirects. So if you have already logged on with your OpenID, a cookie is stored in your session. Then for each site that you visit, you may be requested how long you wish to keep the cookie and the session. As you get redirected from one site to the other, the sites still redirect you to your authentication provider inbetween to re-verify the details. This process is called "single sign on".

Project Dune thus will start to use OpenID. The objective is to modify the project code to allow anonymous browsing for "the public". So you won't have the same abilities as users created through the system, but you can still browse issues and participate in those things that the administrators have indicated as allowable.

Now, consider the options here. Project Dune for example contains functionality for inspections. This means you could configure the software to allow people to participate in inspections of source code. How cool would it be to have anonymous users inspect your code online for certain changes and make remarks? The current method is mostly by sending email, but this way you just login, go to the source, open it up, add your comments and move in. You are identified by your OpenID, so you will in some way be traceable.

Sunday, February 10, 2008

Project Dune release 1.3.5

I've worked a bit this weekend on a new installation method for Project Dune. Some software written in PHP is earmarked by the ability to just extract it to some web directory under Apache and run it.

Project Dune now also gains that ability. It's quite unique for Java packages, since mostly these are very manual processes. I spent quite some time to develop a web based installer. It's a war package that goes to Tomcat, where it will configure the project before it puts it in the final place for installation.

Have a look over at SourceForge and let me know your thoughts over at the forums.

Tuesday, February 05, 2008

Internet and updates to projects

I finally got Internet now. It took three months to get it all done. Alice Internet is crap. I requested it 25th October. Then 10 days later received a letter/email that my service was canceled. No reason given. I called and they said it was the register of connections where my request wasn't listed. So they tried again. Some days passed and nothing happened. I called to be sure and they said they'd restart. Went on holiday for 3 weeks. Came back. Absolutely nothing, as if the request just died. They said they'd try again and I just gave up there. So I went with KPN Comfort or something.

They said they'd connect in 2 weeks, but this became 5 in total. After 2/3 weeks, you get a call to confirm a repair man to come around. Actually, all he does is check the signal on the box and if that's allright, he leaves. So not really any use there. The crap is that only after they ship the box with the modem, so you just wait a stupid amount of time before you are connected.

Anyway, it's done now and working. 650 Mb/s effective downstream. Some 12'th of that upstream. It's stable and has good service.

I've updated Project Dune at SF now and XssProtect at Google Code. Later on, I'll have to redeploy Project Dune because it requires Java6 and has a couple of fixes here and there. Then I'll need to figure out how to get the project more popular. Probably relates to creating complete deployments or shell scripts that can do this. I'm not tooo happy about izpack, because you can't install it on a headless machine. What's the best method to create installs for software on Linux?

Friday, February 01, 2008


Still no internet yet. I ordered this end of December and it is taking 4 weeks instead of the promised 2 weeks. At least the connection is confirmed working. As soon as I get the modem, I can start putting things in place.

Yesterday I picked up my car, a Honda Civic Hybrid. You'll see a lot of these in Holland because of two tax cuts (a steep discount on the catalogue value when you buy and other discounts on a monthly basis that is the reduction on lease price). Cars are heavily taxed in Holland nowadays. When you buy one, you may actually pay some 40% of taxes on top of the selling value. What they don't really tell you is that when the taxes are determined on the monthly basis, they don't use the value "out-of-factory", but use the value with the taxes applied. So you pay tax-on-tax basically. Anyway, I don't have too much of that.

I'll be doing a CISSP course soon, the book arrived. It's huge, 1100 pages on general computer security. That includes everything basically, including physical security and so on. That's a good investment to do.

There's a team that does business development at Sogeti with regards to security. I'm part of the architects that find entry-points there. I'll be more of a focus from IT risk management / security considerations and how this applies to architecture. This also includes reading books on SOX, reading general books on IT security management, the CISSP book and finally some insights from the insurance industry (risk management) for some theories and models I am developing. Eventually it won't just be theory of course, I'll need to convert it into practical methods and examples and perhaps test it against previous cases to see if it could have changed decisions.

I'm driving around the country today with family. Tomorrow just an easy day.