Tim McCormack timmc

## gist:cbf503895f08dc39f3bc471aaa5e068a
Have the following been addressed in the branch, if appropriate?

- Tests (unit, API, integration)
- Docs (both in source and in docs directory, and in public docs if separate)
- Changelog
- Compatibility with previous versions (calls, shared files or DBs, data formats -- backward and forward compatibility)
- Rollback friendly?
- Feature switches?

## gist:c0e340a3b339fda71070
2014-04-09 14:56 [You]

I would like more information on how the Online Vault is able to manage and expose passwords. Specifically, when I click the "reveal password" icon, is that password text actually present in the page context? If so, I have some security concerns.

My *guess* is that when I am logged into my LastPass extension, it recognizes the Online Vault as the trusted site and responds to requests for data. (I hope it does not simply transmit the master password or any derivative of it down to the page!)

My concern is that under an attack scenario where an attacker can inject javascript into the Online Vault page (via cross-frame vulnerabilities, SSL tampering, etc.) they can request decryptions and then exfiltrate that data. Note that this could all happen without user interaction, e.g. in a hidden iframe on an attack site.

If my assumptions above are true, I would like to see an option that prevents the extension from communicating descrypted sensitive information to lastpass.com.

## ramdisk-target.sh
#!/bin/bash
# Overwrite ./target with a tmpfs ramdisk. Prompts for sudo.

function usage() {
  echo 'Usage: `ramdisk-target.sh recreate|restore`'
}

if [ ! -f "project.clj" ]; then
  echo "Not in Clojure project."
  exit 2

## debug-compilation.sh
#!/bin/bash

# Munge your codebase to add :verbose on all :require and :use forms and insert printlns in front of defns.
# $1: Path to directory you want to munge files in (recursively).

# WARNING: There is not an easy way to reverse this script, so commit your work beforehand
# and undo the munging with `git reset --hard HEAD` or similar.

find "$1" -name '*.clj' -exec sed -i 's/\((defn\? \([a-z0-9<>_*+-]\+\)\)/(println "var \2")\n\1/' '{}' \;
find "$1" -name '*.clj' -exec sed -i 's/:\(require\|use\) /:\1 :verbose /' '{}' \;

## jmxrmi.md

      
              1 file
            
          
              1 fork
            
          
                0 comments
              
            
              4 stars
            
          
                grkvlt
                / jmxrmi.md
            
            
              Created
              June 13, 2013 19:02
            
              
                JMX and RMI
              
          
    Java Management Extensions

I think it is worthwhile providing some information about JMX, since it is very heavily used by all of our Java based entities in Brooklyn. JMX uses the RMI protocol to communicate, this is called JRMP and is implemented by the javax.management.remote.rmi.RMIConnector in the JVM.
Protocol Annoyances

There are a couple of problems with the RMI protocol as used by default in JMX.

It sends the remote address as data inside its protocol messages, causing problems for machines behind NAT or using split DNS.
The random port allocation for RMI means incorrect firewall configurations are generated.


## rest.swear.clj
;; An exercise in writing #'rest without [0-9a-zA-Z], by Tim McCormack
;; Note that the input must be a vector, although the code could easily be
;; modified to vector-ify any input coll.

;; Let's take this a step at a time...

(#(((% 1) :main) %) ;; call the main method with the input and fns
 [[0 1 2 3 4 5] ;; the input is hardcoded here
  ;; fns are accessed by static indices into the fn table
  {:main #(if (= (% 0) [])

## fact.swear.clj
;; It all started here: http://clojure-log.n01se.net/date/2011-04-06.html#19:04

(#((% (+(*))) %) ;; call arg 1 with all args
 [;; data
  (+ (*)(*)(*)(*)(*)(*)(*))
  ;; main fn -- simulate 'if' with map lookup and closures
  #(({(+) (% (+(*)(*)))} ;; if zero return 'then' clause
     (% (+)) ;; dispatch on first arg
     (% (+(*)(*)(*)))) ;; call 'else' clause (n not found in map)
    %)

## defbean.clj
(defmacro defbean
  [class-name
   field-names
   & interface-specs]
  (let [sym-base (str (gensym)),
        prefix-sym #(->> % name (str sym-base) symbol),
        setter-name
          (fn [field-name]
            (->> field-name name inf/capitalize (str sym-base "set") symbol)),
        setters
	Have the following been addressed in the branch, if appropriate?

	- Tests (unit, API, integration)
	- Docs (both in source and in docs directory, and in public docs if separate)
	- Changelog
	- Compatibility with previous versions (calls, shared files or DBs, data formats -- backward and forward compatibility)
	- Rollback friendly?
	- Feature switches?
	2014-04-09 14:56 [You]

	I would like more information on how the Online Vault is able to manage and expose passwords. Specifically, when I click the "reveal password" icon, is that password text actually present in the page context? If so, I have some security concerns.

	My guess is that when I am logged into my LastPass extension, it recognizes the Online Vault as the trusted site and responds to requests for data. (I hope it does not simply transmit the master password or any derivative of it down to the page!)

	My concern is that under an attack scenario where an attacker can inject javascript into the Online Vault page (via cross-frame vulnerabilities, SSL tampering, etc.) they can request decryptions and then exfiltrate that data. Note that this could all happen without user interaction, e.g. in a hidden iframe on an attack site.

	If my assumptions above are true, I would like to see an option that prevents the extension from communicating descrypted sensitive information to lastpass.com.
	#!/bin/bash
	# Overwrite ./target with a tmpfs ramdisk. Prompts for sudo.

	function usage() {
	echo 'Usage: `ramdisk-target.sh recreate\|restore`'
	}

	if [ ! -f "project.clj" ]; then
	echo "Not in Clojure project."
	exit 2
	#!/bin/bash

	# Munge your codebase to add :verbose on all :require and :use forms and insert printlns in front of defns.
	# $1: Path to directory you want to munge files in (recursively).

	# WARNING: There is not an easy way to reverse this script, so commit your work beforehand
	# and undo the munging with `git reset --hard HEAD` or similar.

	find "$1" -name '.clj' -exec sed -i 's/\((defn\? \([a-z0-9<>_+-]\+\)\)/(println "var \2")\n\1/' '{}' \;
	find "$1" -name '*.clj' -exec sed -i 's/:\(require\\|use\) /:\1 :verbose /' '{}' \;
	;; An exercise in writing #'rest without [0-9a-zA-Z], by Tim McCormack
	;; Note that the input must be a vector, although the code could easily be
	;; modified to vector-ify any input coll.

	;; Let's take this a step at a time...

	(#(((% 1) :main) %) ;; call the main method with the input and fns
	[[0 1 2 3 4 5] ;; the input is hardcoded here
	;; fns are accessed by static indices into the fn table
	{:main #(if (= (% 0) [])
	;; It all started here: http://clojure-log.n01se.net/date/2011-04-06.html#19:04

	(#((% (+(*))) %) ;; call arg 1 with all args
	[;; data
	(+ ()()()()()()(*))
	;; main fn -- simulate 'if' with map lookup and closures
	#(({(+) (% (+()()))} ;; if zero return 'then' clause
	(% (+)) ;; dispatch on first arg
	(% (+()()(*)))) ;; call 'else' clause (n not found in map)
	%)
	(defmacro defbean
	[class-name
	field-names
	& interface-specs]
	(let [sym-base (str (gensym)),
	prefix-sym #(->> % name (str sym-base) symbol),
	setter-name
	(fn [field-name]
	(->> field-name name inf/capitalize (str sym-base "set") symbol)),
	setters