I wrote this review back in November of 2011. While cleaning out my blog’s draft folder I realized I’d never gotten around to posting it. Since it’s a good tech/geek read, I figured it was better late than never.

I went on vacation recently and needed a book for the rather long plane ride. After reading a sample chapter of Kevin Mitnick’s new autobiography, my interest was piqued. I had remembered reading about him and the “Free Kevin” movement back in ’98, and at the time I didn’t understand why people were getting behind this guy. He did a bunch of bad stuff, why should he be free? Since it’d also probably cover some interesting computer security topics, I figured it be both educational and entertaining. I picked up a copy and by the time I was arriving home, my hopes had been met.

Mitnick gained massive media attention in the mid-to-late 90’s when he was on the run from the FBI for various hacking related offenses. He was eventually captured, and spent 5 years in prison. In his new autobiography, “Ghost in the Wires”, he chronicles his escapades and details how he compromised so many systems. Surprisingly, it mostly through something called Social Engineering, which can loosely be defined as “the manipulation of people to get them to do what you want”.

Mitnick’s tales typically involve him just calling up his target, and simply convincing them to give him certain information or do certain things for him. For example, he was able to compromise the Social Security Administration by pretending to be an investigator from the Inspector General’s Office. He convinced a staff member there of his status, and for several years was able to use her to get privileged information. Here’s an excerpt of where he discusses the ruse:

I said, “We’re going to be needing assistance on a continuing basis,” explaining that while our office was working on a number of fraud investigations, we didn’t have access to MCS — short for “Modernized Claims System,” the amusingly clumsy name for their centralized computer system.

From the time of that initial conversation, we became telephone buddies. I was able to call Ann and have her look up whatever I wanted — Social Security numbers, dates and places of birth, mother’s maiden names, disability benefits, wages, and so on. Whenever I phoned, she would drop whatever she was doing to look up anything I asked for.

Mitnick comes off as smart and very curious, and a lot of his stories are very interesting, but it’s hard to like the guy. He ends up causing a lot of people grief and some of the decisions he makes made me want to facepalm. He continues to hang out with his best friend after the guy steals his wife (this same friend later tries to offer him up to the FBI), he strings along “Eric” even though he suspects the guy is working for the FBI, and he continues to do high profile system break-ins while he’s on the run. Though then again, if he hadn’t made these nutty decisions, there probably wouldn’t be a book to read.

The book starts off a little slow, but takes off once Mitnick goes on the run from the FBI for 2 years. During this time he assumes several identities, lives in a hand full of cities, and breaks into numerous systems. He gleefully details the social engineering tactics he used to do all of this, but when it comes to the technical aspects of his crimes, the book does a little bit of hand waving. The lack of detail in this department was apparently due to a disagreement between Mitnick and his co-writer. Mitnick wanted more detail, while his co-writer wanted to keep the story moving. They comprised, so there are a few side boxes for the more technically inclined, but you typically just get the general idea of what happened.

Overall I thought the book was a fascinating read and a valuable look into how a very successful individual was able to break into many different systems. If you’re into computer security, or looking for a non-fiction thriller, this is something to check out.

HTML5’s web audio API is pretty cool. Last year I had some fun experimenting with it, and since then I have been meaning to loop back and play around with it some more. So when I was offered a review copy of Audio Processing with Web Audio, my interested was piqued and I decided to see what it had to offer.

The book is setup to be a primer for web audio (in Packt terms an “instant” book). It contains a mere 63 pages, and reads like one long chapter. Overall it turned out to be a nice introductory book, but it’s does have a few flaws that take it down a notch.

As the book starts, you’re directed to setup your development environment and to download a zip of the code examples. This zip contains a total of 8 examples, broken out into 6 “recipes”. You can see a list of what they are below.

Recipe 1_1: Initialization exercise
Recipe 2_1: Playing Audio Files from an Audio Buffer
Recipe 3_1: Playing Audio in a Loop
Recipe 4_1a: Setting Volume
Recipe 4_1b: Setting Volume (refactored to use new template code)
Recipe 5_1: Scheduling Audio Playback
Recipe 5_2: Automating Audio Parameters
Recipe 6_1: 5-band Equalizer

For what I assume were space restrictions, the first two recipes in the code example packet were not discussed in the book. This makes the book slightly awkward since the first recipe covered, the one on looping sound (3_1), makes references to text written for these recipes and doesn’t cover concepts that would have been discussed for those examples. Thankfully it’s easy to pick up what you miss from the example code, but it’s an unfortunate editing snafu.

In the looping sound section you’re walked through the creation of the recipe via code samples with explanations, and once it’s done you’re given a deeper discussion of why things worked the way they did. The next two recipes are done in the same vein, and cover volume and automating audio parameters. The example code works smoothly and the author does a great job of explaining all of the little nuances that go with the code.

The final recipe is on building the 5-band equalizer. It’s billed as an advanced example, and it sort of feels like you go from a nice walk through the world of web audio, to a brisk sprint. I really didn’t know what was going on. I don’t know much about sound theory, so the different filters and concepts were all very foreign. I imagine this chapter was included so those more familiar with sound concepts would feel they got something out of the book, but it’s a little confusing for developers not tuned into how sound works.

Looking over the example packet, one other example titled “Scheduling Audio Playback” was cut from the book. However, unlike the first two examples, this exclusion isn’t really noticeable. Still, it leaves me thinking this book could have been a lot more interesting if it had been expanded by 20 or 30 pages. However, I’m glad they included all of the examples in the code packet, since it gives the reader some jumping off points after they’ve finished the text.

Overall it’s a nice introductory book. It has some flaws, but it comes with some good example code and does a good job on the majority of topics it tackles.

Security is a hot right now*. You see TV commercials touting degrees in Information Security, you see news stories on hacking done by Anonymous, and you hear people throwing around terms like “cyber security” and “cyber attacks”. So when offered a review copy of The Tangled Web, my interest was piqued. The book aims to take its readers on a walk through of the modern web stack, and to explain the web’s vulnerabilities and what can be done to avoid them. It’s geared at software engineers and security professionals, and is written by a security expert at Google.

The book is divided into 3 sections. The first section aims to describe the anatomy of the web. It goes over URLs, the HTTP protocol, CSS, HTML, JavaScript, non-HTML document types, and browser plugins, all with a security mind set. I felt I was pretty familiar with the URL syntax, but was surprised to learn about some of the tricky URLs that could be created. Most people probably wouldn’t think twice before visiting this URL: http://bing.com&q=test@1249763400 – what happens depends on what browser you’re using.

The second section of the book covers Browser Security, and was to me the most interesting part of the book. The fundamental security policy of the browser is the Same Origin Policy (SOP), which puts content isolation rules in place to keep web sites from interfering with one another. In most web browsers, the origin for a page is defined by its scheme, host, and port. Though apparently for IE versions before 9, only the scheme and host are taken into account – unless you’re dealing with the XMLHttpRequest (XHR) object, then IE takes all 3 into account when defining the origin.

My favorite browser flaw talked about in this section was the one on the getComputedStyle/currentStyle API. Back in 2002, it was discovered that JavaScript could be used to look at the computed color of visited links to determine if a visitor had visited a particular site. Thousands of checks could be made a second, thus any website you went to could snoop-in on your browsing habits if it wanted to. Fixes for this security issue were put in place around 2010.

Another neat trick that was talked about was trying to load an authentication-requiring image from a third party site and using the image’s onload and onerror events to see if the user had logged into that site (a good discussion of this can be found here). This idea can further be extended to third party APIs. If a website doesn’t put the proper security in place for its API, malicious sites can do all sorts of mischief to their visitors, all without them noticing.

The last section of the book is the shortest (32 pages) and focuses on coming security features. This section of the book didn’t really grab me, but there were a few bits that piqued my interest. Cross-Origin Request Sharing finally allows developers to use the XHR object in a cross domain fashion, but until older browsers are phased out, developers will have to create a fall-back behavior if they decide to use it.

Overall I enjoyed the book and found it worth reading. I do, however, wonder if framing security around a discussion of the web stack was the best way to go. The author contends that arbitrary taxonomies of vulnerabilities aren’t as informative, and that some problems don’t fit into buzzword friendly names like Cross-Site Scripting (XSS) or SQL Injection, but I think information is more accessible when organized that way. Reorganizing chapters around a taxonomy of problems like XSS, CSRF, etc, would also probably make it a better reference for developers. Though to his credit, the author does devote the last few pages to common web problems like XSS, CSRF, etc, and indicates the pages where these problems are discussed (since they come up throughout the book).

If you’re a web developer and want to get a better understanding of security I think this is a very good book and worth checking out. However, if you’re not a web developer, I wouldn’t pick this up unless you had a technical interest in web security. Lastly, if you’re interested in the book I’d recommend reading the sample chapter on the HTTP protocol, since it gives a good preview of what the book is like.

*This may be area specific. I live in Maryland, and the BRAC has been driving a lot of job growth. So it maybe it’s better to say it’s hot in the Maryland area, and possibly other places too.

I had been wanting to learn more about CSS3, so when offered a review copy of The Book of CSS3, I accepted knowing that at the minimum, I’d at least get exposure to a bunch of cool new design features. Luckily, the book itself is well written and proves to be a great guide to what’s available now, and to what’s coming soon.

The book is written for web developers who are familar with CSS and who may have played around with some of the new CSS3 features, like rounded corners and drop shadows, but who are looking to get a fuller understanding of what it is and what they can do with it. After explaining a bit about what CSS3 is, remarking on its modular nature (the spec is broken into modules so that browsers can implement individual modules without having to implement the whole CSS3 spec right way) and giving a short write up of its troubled history (work on the CSS3 spec originally started way back in 1998), the book launches into chapters on individual CSS3 topics – you can see the full table of contents here.

The flow of the book from one topic to the next is pretty good, but with the exception of chapters dealing with animation and transformation, most of the chapters can pretty much be read in any order. However, the earlier chapters cover topics that are more widely accessible, stable, and cross-browser than the later chapters, so reading the book start to finish is probably advantageous. The structure of each chapter is very similar, with the author discussing a little about the topic and then leading you through various sections where features are described and showed off with examples. Cross-browser techniques (where relevant) and compatibly are also mentioned.

One of the early topics that really piqued my interest was Web Fonts. With Web Fonts you can use any font you want, even a crazy hand written one, and users will see it when viewing your webpage. The author even provides some cool links to some CSS3 font resources like Google Web Fonts, which makes it really easy for you to include and use fonts in a cross-browser manner.

Another topic that I enjoyed was “Transitions and Animations”. Animations let you move and change elements during a given time period. Unfortunely for us, the Animations module, at least for now, is only implemented in Webkit browsers (Chrome and Safari). However, Transitions are currently available in all of the major browsers except IE. A “Transition” is an animation that happens between two different states. They allow you to give a smooth feel to certain style changes. For example, say you wanted to change the color of a link, but you wanted the change to come in gradually. You could do that like so:

Example test: Mouse over this link!

As you can see, the hover pseudo-class changes the link to color to red, but since we’ve setup a transition for the color property, the link transitions from black to red over the period of 1 second, instead of abruptly changing to red. This effect also applies to other properties, and is especially neat when changing a div’s position or size.

Near the end of the book some yet-to-be implemented features are discussed. Chief among them is the “Template Layout Module”, which would allow you to lay out items on a page in way that is similar to a grid, but a in fashion that is little more intuitive. The Template Layout Module is made even more interesting by the fact that even though it is currently not implemented in any browser, you can still use it by using a JavaScript library written by Alexis Deveria.

I feel like I learned a lot from this book and that it not only contained a lot of useful information, but that the information was presented well. The only draw back to reading this kind of book is that CSS3 is still in flux right now and certain features will change as things are ironed out, however, much of what’s talked about is reasonably stable, and knowing about what’s coming will probably give you a better footing for the features when they finally arrive. If you’re looking to learn more about CSS3, this is definitely a book to look into.

For a while I’ve been meaning to read a book on design patterns, which are ways to design and structure solutions to common problems in order to create efficient and optimal results. I missed a chance to take a course on them back in college when I took Cryptology instead, and have since been meaning to sit down and read up on what’s been developed and what can be useful to me. So it was to my happy surprise when I stumbled across Pro JavaScript Design Patterns in the book store a while back.

The book is broken into two parts. The first part explains how object oriented programming concepts work in JavaScript and how to implement the ones that aren’t built into the language, such as interfaces and private members. The second part of the book focuses on a common set of design patterns and how they can be implemented in JavaScript. It covers the following patterns, giving a chapter on each one: Singleton, Factory, Bridge, Composite, Facade, Adapter, Decorator, Flyweight, Proxy, Observer, Command and Chain of Responsibility.

Before I go any further, while I’m going to write a mostly positive review for this book, I should say that I initially tried to read it around 18 months ago, but stopped after I finished the first section. I re-read it from start to finish about 2 months ago. I stopped the first time I tried to read it because the book introduces a lot of ideas and I was a little confused on some of the concepts it touched on. Specifically, I was confused with how constructor functions worked and how a function’s prototype property worked. I got distracted trying to understand this and picked up another book and ended up not coming back to this book (it’s hard for me to get back into a book once I’ve set it down for a while). As for constructor functions and the prototype property, a good explanation of them can be found here.

I had better luck on my second read through and found the second half of the book to be an easy read. Though each chapter focuses on a different design pattern, some of them use patterns introduced in earlier chapters, so it’s actually a good idea to read the chapters in order. Each of these chapters starts by explaining the basic idea behind the pattern and then goes into a couple of real world examples of how the pattern is used. The chapters close by discussing the benefits and drawbacks of the pattern they introduced and some advice is given to help you identify situations where using the pattern would be a good idea.

Overall, I found this be to be extremely interesting. I could possibly have learned about the different design patterns by reading online tutorials, but being able to look at solutions in JavaScript was very helpful. Also, after reading certain chapters, I felt like going back and rewriting some of my old apps (though I’ll contain myself). Knowing about this collection of design patterns is a huge plus for me and for that alone I’m glad I read this book. I wouldn’t recommend this book to someone who doesn’t have a good understanding of prototypal inheritance, but if you feel like you do, this book is worth checking out. If you don’t, I would recommend looking up some design pattern tutorials online and trying to learn about the common patterns, you’ll be glad you did.

On a side note, I was also amazed at how many of these patterns I’d seen before. It certainly gave me a better appreciation for some of the code bases I’ve seen in the past. I also found that I used some of the patterns already unknowingly, but that I didn’t have a name for the technique I was using.

If I could go back in time I would still probably take that Cryptology class, but I would also try and read up on Design Patterns too. If you have a few extra minutes, it’s worth reading up on them.

Packt Publishing recently provided me with a copy of their new Ext JS book called Ext JS 3.0 Cookbook. The only thing they asked for in return was a review stating my opinion.

For those who don’t know, Ext JS is a JavaScript library aimed at helping developers create web applications with customizable user interface widgets. The library is known being sturdy and for letting users easily create eye-catching designs. However, unlike many other JavaScript libraries, Ext JS is licensed under the GPL by default. For people wanting to avoid the GPL, a commercial license can be purchased.

Ext JS 3.0 Cookbook is a book which has the goal of providing Ext JS users with a wide variety of techniques and code samples with which they can use in their development of web applications. The book is well written, has nicely formatted code samples (which are also available in a zip file – a URL to the file is given in the book), and contains a lot of interesting information. However, I wouldn’t recommend it to everyone, which I’ll get to in a moment.

Ext JS 3.0 Cookbook is divided into 10 chapters, with each chapter covering a different topic of the library. However, the book can really be thought of as one giant, categorized, FAQ guide on Ext JS. Each chapter contains a series of “recipes”. These recipes are specific tasks a developer might want to perform, for example: “Displaying remote data with a combo box” or “Creating a grid panel with expandable rows” or “Creating an auto-refreshing chart”.

The definition of each recipe follows a set pattern of 5 sections:

• The problem is described.
• “How to do it…” – Code for solving the problem is provided.
• “How it works…” – An explanation is given on how the code works.
• “There’s more…” – Additional, possibly useful, bits of information are provided.
• “See also…” – Other topics are suggested as further reading.

Each of these sections is given its own heading, though some recipes omit a section when it isn’t needed. This makes the book well suited as a reference guide since you know what you’ll be getting when you look something up. However, even though the book starts off with some recipes on working with the DOM and with data types, it’s not a book for Ext JS beginners. If you’re a new comer to Ext JS, you’re better suited by a book like Learning Ext JS.

Ext JS 3.0 Cookbook is really for those Ext JS users who are past the beginner stage and want something on-hand that will help them accomplish tasks they may run into or help them find better solutions to problems they’ve already had. If you work with the Ext JS library as part of your job or use the library a lot, having this book around would probably be beneficial. It’s nicely put together and has a lot of useful information. However, if you’re just a casual user of the Ext JS library, you’d probably find more benefit from an introductory text on the library or from just browsing their online documentation.