
18 February 2016

Remote work

One of the things that gets cited as an advantage of being physically in the office is collaboration. You get to walk to someone’s desk, meet people face to face, chat, and discuss things. What actually happens is that there are always people “collaborating”, talking, most often near you, and there is a constant "buzz" (noise) in the open space, as if it were a factory floor. Put on headphones or ear muffs, you would say. So be in the office to be near people and at the same time think of ways to isolate yourself from them. Hold meetings only in dedicated places, you say. So be in the office to have the freedom to walk up to anyone and collaborate, but forbid this and cripple it by requiring that meetings be held in dedicated areas instead.
What in our connected world prevents us from collaborating regardless of physical location? We have lots and lots of tools to connect, meet, talk, chat, and collaborate. All we need is an internet connection, and it doesn’t matter where each of our team members is physically located. When you are collaborating with a person, you are not interfering with the work of lots of others who don’t need your noise and distraction. We could be at home, at a coffee shop, at the park, you name it. Just pick the place where you can be most productive, and that is your office.
You could check out the book “Remote office not required” by 37signals:


14 February 2016

Native mobile applications with cross content




What is the right format for a mobile application? Some would insist on native only all the way, every day. Some would go cross platform in an attempt to save time and reuse development resources.
We would argue firmly against cross platform development. It doesn't matter if it is HTML/JavaScript or C#/Xamarin (some of the most frequently used technologies for cross platform development). In the case of HTML/JavaScript we would say that one would be far better off with just a mobile friendly/responsive web app. In the case of C# it is just plain doing it wrong, because it is almost impossible to find a C# developer who is familiar with the mobile platform's SDK, and such a developer has almost no experience when it comes to the UI, because the UI is developed with the native platform's techniques.
The way to go is definitely native. But what if you have a large amount of content that can be displayed in the same way on multiple mobile platforms? Then just use HTML pages for that content. We would have a native mobile application that uses HTML for part of the content (something that we like to call cross platform content). We could call it a custom cross platform solution/technology, because it is one, but it is more appropriate to think of it as a native application with some (a little or a lot of) HTML content, with or without the capability to interact with the native code (depending on whether the solution needs it), because this is the intended purpose of this solution.
This is the sweet spot between a complete set of capabilities on the device and savings in time and resources.

Here are some native applications that can be used as templates to which custom HTML5 content can be added:

07 February 2016

SSL interception - Man in the middle attack

How to check visually for the security of a site we are visiting
When we open a site, the address bar of the browser shows whether the connection is secure (SSL). Usually there is a green padlock. If we click on it, we can get detailed information about the SSL certificate that the web site uses. If the certificate is an Extended Validation (EV) certificate, there is also an additional green area next to the padlock, which gives a quick visual indication that the site uses an EV certificate.
If our connection passes through a proxy, the proxy can intercept the connection, start the communication with the requested site on our behalf, read all of the contents, re-sign them with a forged certificate and send them to us. Normally the browser won’t accept that certificate, because it has not been signed by a proper CA. But if someone has access to the machine we are using, he may have installed an additional CA in the browser. That CA is then used to sign the forged certificate, our browser trusts it (because that person installed it there), and we see a green padlock in the browser’s address bar. What we will not see is the additional green area in the address bar. If we know that a domain uses an EV certificate, this can serve as a quick visual check that alerts us that something is wrong with the certificate.






Comparing the certificate fingerprint.
To verify that the certificate a site presents is the actual certificate that was issued to that domain, we need to check the certificate fingerprint. For example, we can access the same site from another location/network that we know is secure, take the certificate fingerprint there, and compare it with the one we get on the network we are checking, or we can use a site like 

which can provide us with the fingerprint.
In the browser we can click on the padlock (in the address bar) and select to see more information for the used certificate:



 In that window we can select to see the certificate and find out what the fingerprint is:
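
The fingerprint comparison described above can also be scripted. The following is an added example, not code from the original post: the function names are hypothetical, the two byte strings are constructed stand-ins for DER certificates so the comparison runs offline, and `example.org` is a placeholder host.

```python
import hashlib
import re
import socket
import ssl

# Browsers show SHA-1 (40 hex digits) and SHA-256 (64 hex digits) fingerprints.
_ALGO_BY_LENGTH = {40: "sha1", 64: "sha256"}

def normalize(fp: str) -> str:
    """Turn 'AB:CD:..', 'ab cd ..' or 'abcd..' into bare lowercase hex."""
    hexstr = re.sub(r"[\s:]", "", fp).lower()
    if len(hexstr) not in _ALGO_BY_LENGTH or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % fp)
    return hexstr

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()

def pretty(hexstr: str) -> str:
    """Format as colon-separated upper-case pairs, the way browsers display it."""
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).upper()

def matches_reference(der: bytes, reference: str) -> bool:
    """Compare the presented certificate with a fingerprint taken on a trusted network."""
    ref = normalize(reference)
    return fingerprint(der, _ALGO_BY_LENGTH[len(ref)]) == ref

def presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server (or a proxy in between) presents.

    Chain validation is switched off on purpose: a locally installed CA would
    make a re-signed certificate validate anyway, and no data is sent here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed stand-ins for DER bytes, so the comparison runs offline.
GENUINE_DER = b"constructed bytes standing in for the site's real certificate"
RESIGNED_DER = b"constructed bytes standing in for a proxy's re-signed certificate"

if __name__ == "__main__":
    reference = pretty(fingerprint(GENUINE_DER))   # noted on the trusted network
    print("reference :", reference)
    print("genuine   :", matches_reference(GENUINE_DER, reference))    # True
    print("re-signed :", matches_reference(RESIGNED_DER, reference))   # False
    # Live use: matches_reference(presented_certificate("example.org"), reference)
```

The reference fingerprint has to come from a network we trust; a mismatch on the network being checked means the certificate we receive is not the one the site serves there.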