July 27, 2016

Mark Dixon - Oracle: US Postal Service is 241 years old today!

July 27, 2016 04:30 AM


As reported today by History.com,

On this day in 1775, the U.S. postal system is established by the Second Continental Congress, with Benjamin Franklin as its first postmaster general. 

Isn’t it ironic that we could easily imagine Benjamin Franklin as an enthusiastic early adopter of technology that is steadily rendering the traditional postal service obsolete?

Mark Dixon - Oracle: David Bradford: Tips for Networking Success

July 27, 2016 01:14 AM


This afternoon, after reading David Bradford’s insightful post, “8 Things Every Business Person Should Learn From Pokemon Go,” I downloaded David’s “101 Tips for Personal, Powerful and Permanent Business Connections” from a link on that blog page.

This is a great guide that goes beyond a traditional primer on networking and makes specific recommendations for building meaningful, long-lasting business relationships.

Four tips that jumped out at me: 

23) Remember that there is a Law of Reciprocity in the Universe. Give as much or more than you receive; otherwise, your network will dry up.

39) Always ask the Question – “What can I do for you?”

99) The Single greatest factor that gets and retains attention is a deep personal relationship.

100) Nothing will define you more than the people who impact your life at pivotal junctures. So surround yourself with great people both in the physical world as well as in the virtual world.

I am deeply grateful for the wonderful people who have impacted my life at pivotal junctures. David, you positively influenced my life today.  I look forward to implementing your tips into my life.

July 26, 2016

Matthew Gertner - AllPeers: All American Cities with a Small Town Feel

July 26, 2016 10:13 PM
Looking for some All American Cities with a Small Town Feel? Panama City Beach fits that bill nicely... Photo by CC user jsclark on Flickr

The United States of America is a diverse country whose citizens have roots in many different nationalities. The third most populous country in the world, America has big cities, small towns, and magical gems tucked in between. Besides the huge metropolitan areas, this country holds many national parks, tourist attractions, and wildlife habitats. Consider these all american cities with a small town feel and other untapped markets.

Popular Lesser-Known Destinations

Summerville, SC is a small, southern town just outside of Charleston with a population of over 44,000 people. The city is full of down-home charm and host to the state’s largest arts & craft celebration, known as the Flowertown Festival. One of the city’s hidden gems is Cresswind At The Ponds. Summerville’s 55+ community by Cresswind is beautifully designed with traditional architecture and custom homes. Numerous monthly events are scheduled for its residents as they go about enjoying their lives in a serene and tranquil environment. The entire community, with its eye-pleasing detail wherever you look, appears as if lifted from the pages of a storybook. The residents’ active community clubhouse offers social events, activities, resort-styled amenities, and a fitness center. Summerville’s 55+ community by Cresswind is only minutes away from historic downtown Summerville and the beaches near Charleston.

Delray Beach, FL is simply stunning to the eye. This village by the sea is just north of Boca Raton, facing the Atlantic Ocean. This affluent community hosts many events and festivals year-round, but the main attraction is Atlantic Avenue. Delray Beach’s Atlantic Ave. is lined with small cafes, restaurants, and shops for your enjoyment. The best way to be part of the action is to stroll around. Atlantic Avenue is a shopper’s paradise, with many high-end retailers and upscale restaurants, such as The Vintage Tap, Seacrest Gill, and Il Bacio. Atlantic Avenue’s beautiful palm trees and ocean breeze are addicting in a sense. Entertainment, food, shopping, parking, and white sandy beaches are all here, the very definition of Florida. 

Panama City Beach, FL exemplifies fun in the sun. Sandy white beaches, amusement parks, restaurants, diverse people, and a thriving night life can all be found here. Located in the Florida Panhandle, Panama City Beach has become the nation’s hottest spring break destination, but has many other nice qualities as well. Front Beach Road is the main strip. It gives you a view of the emerald-green waters of the Gulf. Tall, modern hotel resorts sit side-by-side with classically styled Art Deco buildings. Panama City Beach offers many events throughout the year, like Thunder Beach Motorcycle Rally, G.C. Triathlon, Seafood Festivals, and many sporting events. Many music concerts and comedy shows are also scheduled throughout the year. 

These three All-American cities are different, yet similar in their American spirit. Try taking a step off the beaten path to discover new and exciting areas. Sometimes you can’t see the forest for the trees and you’ll tend to miss what’s right in front of you.


Matthew Gertner - AllPeers: Don’t Touch that Dial: Yes, You CAN Access HBO in Australia!

July 26, 2016 09:54 PM
Yes, you can access HBO in Australia! Photo by CC user Adam.J.W.C. on Wikimedia Commons

Planning a fabulous getaway is an exciting time. Thoughts of where to go for a complete unwind are fun to imagine. Let your imagination run free as you are considering the perfect location and activities for relaxation, the sites to visit that you’ve only ever dreamed of before. Sometimes, the planning for the vacation can be just as much fun as the going!

If you’ve dreamed of visiting Australia, now is a good time to follow through and make a plan. Visiting historic landmarks, breathtaking architecture, meeting new people as you soak in the culture–all of these aspects should be on your ‘must do’ list.

The Other Side of a Busy Itinerary

Having a full itinerary is always a productive approach to any vacation time. Don’t forget, though, in all of your planning to include some down time. Book a place to sleep that is comfortable and perfect for you and your travel companion, giving you a chance to simply rest during what may be a busy trip. 

Let’s face it, in today’s culture watching TV is certainly a big part of how we relax. If you are traveling outside of the United States and want to ensure access to the programs you enjoy, you will be excited to know that you can watch HBO in Australia with the help of Smart DNS Proxy, a brand of Global Stealth Inc. With this service, users are able to access HBO in Australia and other networks via (from a multitude of streaming devices) many different websites to accommodate their needs.

How It Works, So You Won’t Have to

Once you are in Australia, the last thing you want to happen is to log in to your laptop or tablet and find your favorite entertainment sites blocked due to not having the proper technology to access them. By funneling your website requests through their own quick, safe DNS servers, Smart DNS Proxy provides a way for your query to go through their own network and not get lost in the translation of a different country.

In doing this, wherever you are in the world you will find your favorite websites without problems, streaming your favorite tv shows and movies on places like HBO without any frustrations.

So go visit the Sydney Opera House (an experience like none other), visit Birdsville for their infamous race weekend (a remote setting but well worth the thrill of the horse races), or sit and soak in the sight of the 12 Apostles (majestic limestones at the coast near Victoria). Want an amazing view so unique you can never top it? Go climb up to the top of the Sydney Harbor Bridge and see–well, everything! Love being underwater to discover the breathtaking sea creatures? Suit up and dive in to experience the Great Barrier Reef.

But whatever activities you choose to do while on vacation in Australia, don’t forget to set yourself up for the added success of watching your favorite HBO programs. Once your amazing experience of sightseeing is done for the day, let Smart DNS Proxy help you unwind into total relaxation.


Julian Bond: Avaaz is raising money for the refugee team at the Rio Olympics.

July 26, 2016 07:00 AM
Avaaz is raising money for the refugee team at the Rio Olympics.

"These refugees have no home, no team, no flag, no national anthem," IOC president Thomas Bach said.

I immediately thought of James Bridle and his "Flag For No Nations" essay. Can we get them to walk in the opening ceremony behind a space blanket as well as the Olympic flag?

https://secure.avaaz.org/en/rallying_for_refugees_42/

A Flag for No Nations.
http://booktwo.org/notebook/a-flag-for-no-nations/

Refugee team to make history at Rio Olympics (CNN)
http://edition.cnn.com/2016/06/03/sport/rio-olympics-refugee-team/

After she swam for her life, Syrian refugee now Olympic hopeful (Huffington Post)
http://www.huffingtonpost.com/entry/syrian-refugee-looks-to-compete-at-olympics-months-after-swimming-to-flee-danger_us_56f3f9dfe4b0c3ef521815b7

The refugee team
https://www.facebook.com/RefugeeOlympicTeam/




July 25, 2016

ForgeRock: Longtime ForgeRock Partner Everett Acquired by PwC

July 25, 2016 11:35 PM

Congratulations to Everett and PwC

We were excited to hear the news earlier this month that our longtime partner Everett is being acquired by PwC – two great organizations that have done much to advance Digital Identity as a key enabling technology for business in the emerging Internet of Things era. PwC and Everett bring together complementary skill sets that in combination are sure to move the overall Digital Identity industry forward in interesting new ways, and provide significant opportunity to up-scale our partner sales and delivery ecosystem for the benefit of our joint clients.

Everett has the well-deserved reputation as one of the top international advisory and systems integrators specialised in Digital Identity. ForgeRock has been fortunate to work with Everett on complex enterprise Digital Identity implementations with global companies including BinckBank, TomTom and many others. PwC, of course, is one of the world’s largest professional services organizations and has a prestigious consulting practice. ForgeRock was fortunate to have PwC’s support in the early days of User-Managed Access, which was very helpful in getting the new protocol established as a viable data security standard.

PwC’s acquisition of Everett is a tremendous endorsement of Digital Identity as a key enabling technology powering today’s business. Many global brands look to PwC for guidance with digital transformation strategies and creating profitable approaches to the Internet of Things. Choosing to bring on the highly experienced professionals at Everett as their in-house identity team tells us that some of the sharpest minds in business today believe that Digital Identity will be central to the success of the enterprise now and in the years ahead. Congratulations to all our friends at both Everett and PwC. We look forward to working with you!

 


Rakesh Radhakrishnan: Systemic Security Services as a Competitive Cloud Advantage

July 25, 2016 08:55 PM
Enterprise movement towards the Clouds is a given. As digitization is transforming all enterprises in all industries, whether you are HDO (health delivery org like Stanford Medical), Payee (health insurance co., like Aetna), Manufacturer (like Amgen or Biogen) or a distributor (like AmerisourceBergen or McKesson) within the health care industry (and this is true in banking/finance, retail, government, education and all industrial sectors), you are impacted by massive digitization (see my example for digital health). Every industry is impacted by smart IOT technologies, mobile first and cloud first strategies and more. At the same time enterprises are looking to the Azure, AWS, Google and other Cloud Providers to help them with this transformation as well, as they adopt industry domain specific PAAS (such as Cloudera for Genomics BigData on Azure), externalized SAAS models and IAAS models end to end. The Cloud vendor that is serious about "systemic security" will be the one with a competitive advantage, and it is way more than just "compliance certifications" although they are a critical baseline or a starting point to have. I am quite impressed with the SHIFT in Microsoft's thinking around security in this space, the last few years. Here are my top 25 reasons (not an exhaustive list as there are more):

1. CEO's commitment and investment in "Cyber Security" - listen to the fantastic talk by Satya Nadella from MS.
2. Impressive list of Compliance Certifications end to end and global.
3. Next Gen Azure Data Center Security (see the video on it)
4. Microsoft's support for Industry IAM Standards (from FIDO UAF in Windows 10, to SAML in ADFS to SCIM in FIM to XACML in Dynamic Access and more)
5. Microsoft's support for Industry Security Standards (such as SCAP extensions in SC config manager, STIX with MS interflow and more)
6. The emphasis on Secure Development Lifecycle (see blog and presentation).
7. Free tools, papers and more for Threat Modeling (STRIDE) and Risk Modeling (DREAD)
8. Security Vendor Acquisitions (such as Adallom (CASB) Aorato (Security Machine Learning) and more).
9. The strategy towards trustworthy computing
10. Organizational alignment of all Security into MS Enterprise CSG
11. Azure SOC (see link)
12. Orchestrated Disaster Recovery (DR and BC as a Service)
13. DAC and support for XACML and Privileged Access Management (with Partners)
14. Intel IOT Security aligned with Azure Security (partnership)
15. Cisco Cloud Connect and Azure (partnership)
16. SDP -Software Defined Perimeter and Azure (with Vidder)
17. Azure Direct Connect (express route)
18. SD WAN - Software Defined WAN and Azure (see Velocloud)
19. Azure Storage Security (Storage as a Service)
20. Azure Big Data Security
21. MS Intune (MDM, MAM and Mobile Sec)
22. MS Advanced Threat Analytics (acquisitions)
23. Azure IAAS Security
24. ID AAS and Access Management from Azure
25. Several hundreds of MS Security Partners (from IDS/IPS to SIEM in the cloud, to DLP and more)

Microsoft is dead serious about security, compliance, trust, privacy and transparency, hence you find everything from Top Leadership commitment, to Org changes, to extensive compliance certifications, to industry standards support, to global NG secure data center deployments to strategic partnership (such as Cisco and Intel), to Secure by Design and Secure Development lifecycle to Security capabilities built into every offering coming from MS. A number of CISOs I've talked to have taken notice of this major SHIFT in Microsoft's thinking and are quite impressed with their investments in Security as a Competitive differentiator. To me Adallom+Aorato is a strategic acquisition that when combined can offer a platform to implement a lot of Innovative "Threat Centric Security Patterns", end to end. A Standards based end to end IAM and Cloud Security Target Architecture can be mapped to Microsoft's technologies and solutions as a "reference architecture and a reference implementation".

Vittorio Bertocci - Microsoft: Controlling a Web App’s session duration

July 25, 2016 07:47 AM

When you use the OpenId Connect (OIDC) or the WS-Federation middleware (MW) in an ASP.NET app, a successful authentication (eg, a transaction resulting in your app receiving a valid user token) results in the production of a session cookie – courtesy of the cookie middleware. As long as the session cookie sticks around and is valid, the app considers the user authenticated.

By default, in ASP.NET 4.6 the amount of time for which this session is valid matches the validity timeframe of the token that prompted the generation of the session in the first place. Say that you are using the OIDC MW with Azure AD: the id_token received by the app during the user authentication transaction will last one hour, hence the session cookie for your app will also last 1 hour. Somewhat counter-intuitively, this behavior will be enforced regardless of session-modifying settings (such as a specific duration) you add to the cookie MW options. However, it is safe to say that you will often want your app to have sessions that last more than one hour, or whatever duration the original token carries. True, by default the cookie MW provides sliding sessions… but users don’t necessarily stay active all the time. Certain web apps stay quiet in a tab all day, and are used only at sparse times – but with inactivity, the session times out so every tab switch becomes a new auth gesture. Not fun.

There are at least a couple of ways you can extend the duration of your session. One is quick and somewhat dirty; the other is more… thoughtful, and safer: but it also requires a bit more code. Let’s take a look.

Decouple the session duration from the token validity

The easiest way out of this is to decouple the session duration from the expiration times carried by the original token. That is super easy: you just tell the OIDC MW to stop controlling this aspect in the cookie MW, by passing the following option:

[sourcecode language='csharp']
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // ... (other options unchanged)
    // Stop copying the id_token's validity window onto the session cookie.
    UseTokenLifetime = false,
});
[/sourcecode]

As simple as that. With UseTokenLifetime set to false, the cookie MW will now honor whatever settings you add in the cookie MW options.

The challenge with that approach is that now the app session is entirely decoupled from the session the user has with Azure AD (or whatever IdP you are working with). That’s dangerous: your app session might outlive the IdP session, which might have been terminated for good reasons (admins find out the user was compromised; lost device scenarios; and so on).

Set up session renewing logic

The ideal would be to ensure that our app’s session lasts as long as the IdP session, or at least approximate it. Note: the duration of the IdP session is NOT the duration of the id_token obtained when the user authenticated to your app. When your user was bounced to the Azure AD pages, he/she went through an authentication ceremony which ended up with two artifacts: the id_token your app requested AND a session cookie bound to the Azure AD domain. That cookie is what makes it possible for the user to avoid entering credentials if he/she ends up needing in short order another token from Azure AD. The validity timeframe of that cookie is the validity timeframe of the IdP session. How can we latch to that session and ensure that our own web app’s session follows it?

If you ever worked with ADAL JS, you know that it uses a neat trick (explained here) to renew the tokens it needs for the JS frontend to access its API backend. The idea is that ADAL JS injects in the web app a hidden iframe, and uses that iframe to silently request new tokens to Azure AD. Given that the hidden frame points to the Azure AD domain, as long as there is a valid cookie for Azure AD maintaining a user session, requests for new tokens will not require the user to reenter credentials – and will obtain new tokens silently.

That works for the SPA application architecture, where the web app “session” is really carried by the tokens attached to every web API call. In the case of apps protected by OIDC and cookie MWs, the session is really the cookie issued by the web app itself. Could we tweak the trick we use in ADAL JS to keep getting fresh session cookies from the web app as long as the Azure AD session is valid? Yes we can! Here’s a way to do it:

1. add to the web app a route that will always result in a new authorization request, regardless of whether the user is already signed in or not

2. add a hidden iframe in the web app, which hits the new “forced” sign in route at regular time intervals

…and that’s all there is to it.

The point #1 is only necessary because I am assuming you are using the ASP.NET project templates or our github samples for OIDC web apps – in the regular app templates and samples the SignIn route only triggers the Challenge if the user isn’t signed in yet. In fact, all you need to do is to go in the Account controller, duplicate the SignIn method, rename it ForcedSignIn or equivalent, and get rid of the if:

[sourcecode language='csharp']
public void ForcedSignIn()
{
    // Send an OpenID Connect sign-in request.
    HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties { RedirectUri = "/" },
        OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
[/sourcecode]

That done, all you need to do is to inject an iframe in the app pages that will periodically hit the new route. For example, you can add the below right in _Layout.cshtml, in the body (right after all the <div>s).

[sourcecode language='javascript']
<iframe id="renewSession" hidden></iframe>
<script>
    // Every 45 minutes, point the hidden iframe at the forced sign-in route.
    setInterval(
        function () {
            // Razor evaluates this check once, when the page is rendered.
            @if (Request.IsAuthenticated)
            {
                <text>
                var renewUrl = "/Account/ForcedSignIn";
                var element = document.getElementById("renewSession");
                console.log("sending request to: " + renewUrl);
                element.src = renewUrl;
                </text>
            }
            else
            {
                <text>
                console.log("No renewal attempt without a valid session");
                </text>
            }
        }, 1000 * 60 * 45);
</script>
[/sourcecode]

It’s that simple! With that JS in place, the app will trigger a new sign in, completely transparently, every 45 minutes. Note that this will happen only if the current web app session is still valid. If there is a valid Azure AD session, the app will successfully drive a new authentication dance that will result in a new cookie; otherwise – no harm done.

I made a little test just to be sure. I created two apps, one with the session refresh trick and one without. I deployed both to their own azure websites. I opened Chrome and signed in in both apps, from 2 different tabs, at 10:12pm. Then I selected the tab with the app without session trick, and started watching Mockingjay part II (don’t judge me. Also, meh).
At 23:20 I went back to Chrome, selected the tab with the app with the session trick, and clicked on About. I got access right away – sign that the session was still valid.
I switched to the tab with the app with no session trick. I clicked about, and sure enough I got redirected to Azure AD before gaining access – sign that the session expired as usual. Fiddler:

clip_image002

This is all pretty neat, isn’t it. I already know that some of you like to sprinkle just a bit of AJAX in their MVC apps, and this trick allows you to also secure web API with the OIDC and cookie MW instead of switching to the more appropriate OAuth2 bearer. Not that I approve – tokens are better than cookies – but I understand that for apps that are mostly MVC adding a whole JS subsystem might be impractical.

The approach isn’t completely issues-free, though. For example: the Azure AD session is itself a sliding session. Which means that this trick will generate traffic and keep the Azure AD session alive where user inactivity could have eventually led to that session expiring. But, as long as you know what you are doing, it’s an extra trick in your bag.

Happy coding!

V.
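An added illustration of the trade-off described in the post above (not code from the post): a small model of when the web app's session cookie dies relative to the IdP session under the three policies discussed. Assumptions: an idle user (no sliding expiration), times in minutes after sign-in, and a hypothetical 8-hour cookie setting for the decoupled case.

```python
import math

# Times are minutes after sign-in at t = 0.
TOKEN_LIFETIME = 60     # id_token validity stated in the post (one hour)
RENEW_EVERY = 45        # iframe interval used in the post
COOKIE_LIFETIME = 480   # assumed cookie MW setting (8 hours), not from the post


def app_session_end(policy, idp_session_end):
    """Minute at which the web app's session cookie stops being valid.

    policy: "token"     - default, cookie expiry copied from the id_token
            "decoupled" - UseTokenLifetime = false, cookie MW setting wins
            "renew"     - default lifetime plus the hidden-iframe forced sign-in
    idp_session_end: minute at which the IdP session expires or is revoked.
    """
    if not math.isfinite(idp_session_end):
        raise ValueError("idp_session_end must be finite")
    if policy == "token":
        return TOKEN_LIFETIME
    if policy == "decoupled":
        return COOKIE_LIFETIME
    if policy == "renew":
        expiry = TOKEN_LIFETIME
        t = RENEW_EVERY
        while t < expiry:                # iframe only fires while the app session is valid
            if t >= idp_session_end:     # IdP session gone: no new token, no new cookie
                break
            expiry = t + TOKEN_LIFETIME  # fresh id_token, fresh one-hour cookie
            t += RENEW_EVERY
        return expiry
    raise ValueError("unknown policy: %r" % policy)


def exposure(policy, idp_session_end):
    """Minutes the app session keeps working after the IdP session has ended."""
    return max(0, app_session_end(policy, idp_session_end) - idp_session_end)


def worst_case_exposure(policy, horizon=600):
    """Largest exposure over every IdP end time from minute 1 to `horizon`."""
    return max(exposure(policy, end) for end in range(1, horizon + 1))


if __name__ == "__main__":
    for policy in ("token", "decoupled", "renew"):
        print(policy,
              "ends at", app_session_end(policy, 100),
              "exposure", exposure(policy, 100),
              "worst case", worst_case_exposure(policy))
```

In this model the renewal approach never outlives the IdP session by more than one token lifetime, the same bound as the default, while the decoupled cookie can outlive it by almost its whole configured duration.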

Gerry Beuchelt - MITRE: Links for 2016-07-24 [del.icio.us]

July 25, 2016 07:00 AM

Julian Bond: "Welcome to the first true post-mass media election."

July 25, 2016 06:50 AM
"Welcome to the first true post-mass media election."

https://www.youtube.com/watch?v=MMKFIHRpe7I

Yes. That really happened.

Obama ramped up the social media to dizzying heights and Bernie surfed far past where an also-ran could be expected to wind up, but Trump is kicking it, and he's tapped into something utterly terrifying. Sort of like an unholy, ghastly hybrid of Nigel Farage, Boris Johnson, and the late Sir James Goldsmith, rebooted in New Jersey and sent on a daikaiju rampage through the American Id.

via http://www.antipope.org/charlie/blog-static/2016/07/a-plaintive-request.html#comment-2006628
and
http://www.antipope.org/charlie/blog-static/2016/07/a-plaintive-request.html#comment-2006692


July 22, 2016

Mark Dixon - Oracle: SpaceX Falcon 9 Liftoff – So Cool!

July 22, 2016 11:27 PM

At 12:45 a.m. EDT on July 18, 2016, the SpaceX Falcon 9 launched and landed over Port Canaveral. The rocket was carrying the Dragon CRS-9 craft to the International Space Station. Photo Credit: Ken Kremer/kenkremer.com


Shots like this are still thrilling to me!

Mark Dixon - Oracle: Data Breaches – The New Certainty?

July 22, 2016 05:43 PM

In 1726, Daniel Defoe stated, in The Political History of the Devil, “Things as certain as death and taxes, can be more firmly believed.”

Yesterday, 290 years later, I heard an Oracle colleague add a third certainty, “Now three things in life are certain: Death, Taxes and Data Breaches!”

How will you cope?


July 21, 2016

Matthew Gertner - AllPeers: 4 Big Advantages of Staying Local

July 21, 2016 11:49 PM

What are the advantages of staying local?

Many business owners dream of heading a multi-national corporation that does business all over the world ― but not every business owner hopes for such a global reach. In fact, most small-business owners are perfectly happy with reliable, albeit modest profits from one or two locations in their hometowns.

Yet, with the vast majority of business content repeating the mantra “Expand or Die!” it can seem like a risky business decision to stay small in this economy. However, those articles are forgetting the advantages of staying local. It is possible to survive and thrive as a small, local business; here’s how.

One of the Advantages of Staying Local: Retaining Better Connection With Core Customers

There is little more satisfying than seeing customers return time and time again due not only to your wonderful products but because they appreciate having a relationship with the business itself. By staying small and local, business owners get to experience the thrill of meeting and interacting with their loyal customers. This strong foundation with customers allows local businesses to better understand community needs and wants, thereby increasing both revenues and customer contentment.

Meanwhile, larger businesses rarely have time or resources to develop such meaningful connections because too much effort is focused on continuing to expand to new locations. These businesses must find other ways to engage their audience ― usually impersonally ― to fill the gap left by core customer feedback.

Recognize Positive Changes to Community

Local economies depend on local businesses. Dozens of economic studies on the subject have found the following overwhelming statistics:

By staying local, businesses have the opportunity to make substantial contributions to their communities ― and not just through economic activity. Local businesses are usually more active with local charities, tackling problems that are important to the community with the help of their customers. Then, business owners can literally see the positive changes they have made.

Larger companies may argue that their larger coffers grant them more power to institute change, but as Slate explains, dismally few big businesses are willing to donate a similar percentage of profits as small businesses do. The more involved a business is with a particular community, the more drive it has to make real change.

Cultivate Partnerships With Other Local Businesses

Advantages of Staying Local #3: stability

Large companies often argue that their enormous size grants them the ability to offer products and prices that smaller businesses can’t, but in doing so they neglect to mention that they do so at the expense of quality and service. Small, local businesses provide a personalized touch more often in-line with other small, local business values, so partnerships can be extremely profitable. Plus, there are particular services where a similar local style is paramount; for example, a small business in Florida would see the best results from marketing firms in Florida, which understand local trends and tastes.

All companies can easily survive by procuring supplies and services from faceless, big-box wholesalers ― but that way isn’t necessarily the best way to do business.

Expand in Alternative Ways

Just because a local business isn’t expanding with additional locations in different cities doesn’t mean it cannot expand at all. In fact, most small businesses are continuously growing in ways that maintain their local identities while improving customer experience.

Alliances with similar local businesses, like the partnerships described above, can be especially beneficial to businesses and customers alike. For example, a bar that caters to hikers and mountain bikers might ally with a nearby rock gym, providing drink discounts to patrons who went climbing that day. Alliances allow two local businesses to grow in terms of audience expansion and satisfaction.

Diversification is another strategy for small-business growth. A bookstore can add a small coffee shop and bakery; a video game store can add board games and comic books to its selection; and a furniture store can start selling mattresses. There are many ways to diversify effectively without losing the advantages of staying local.

Sometimes, that dream of running a global business empire should stay a dream. It is impossible to disregard that the advantages of staying local provide many benefits ― to customer, to community, and to business.


Mark Dixon - Oracle: 2010 America’s Cup Winning Yacht

July 21, 2016 02:22 PM

This morning, I arrived early at Oracle headquarters and took a stroll around the lake.  It was fun to see the 2010 America’s Cup winning yacht displayed in front of Building 500. Here are a few of the photos I took – of the yacht and descriptive information posted about the yacht and race.


Gluu: Java OpenID Connect Servlet Sample

July 21, 2016 04:02 AM


This blog highlights a new Java sample application that illustrates authentication using a simple servlet and Gluu’s OpenID Connect libraries. This example assumes you already have an OpenID Connect client registered (i.e. you have a client id and secret). The source code is in the oxAuth Github repository.

There are three important steps that we need to perform:

  1. Redirect the person to the authorization URL, which will result in a code
  2. Use the code to request tokens (access token, id_token)
  3. Use the access token to call the user_info API

Part of the functionality is implemented as a servlet filter, which tells the container to intercept HTTP requests. This is configured in the web.xml file. The filter specifies a class LoginFilter, that performs the first two steps of our OpenID Connect workflow. It also provides some other static configuration information, such as your client credentials, the re-direct URI (to which URIs the OpenID Provider is authorized to send responses), and the scopes, what user data the client is requesting.

LoginFilter uses the authorization code flow to obtain an access token, which it stores in the session. Note, when you register your client, you should use only the CODE response_type. If you add other response_types, you will not be using the authorization code flow. See OpenID Connect 1.0 for valid response_types and which flow they specify. The LoginFilter class also does one more trick: it stores the user_info endpoint URI in the session too.

The servlet is very simple: it just prints the information about the person to an html page. The servlet performs the last part: it uses the access token to call the user_info endpoint. If you deploy the servlet, and it works, you should see a page similar to the one below.


screenshot_rp_demo

July 20, 2016

Mark Dixon - OraclePOCO – The Power of Cloud by Oracle [Technorati links]

July 20, 2016 10:43 PM


It has been enjoyable to participate at Oracle Headquarters this week in a set of meetings regarding information security. This afternoon, we had a fun surprise when our colleagues from Japan announced their marketing slogan, The Power of Cloud by Oracle (POCO), and passed out POCO – branded chocolates to everyone in attendance!

Should we consider launching POCO-mon GO?

Mark Dixon - OracleFirst Step onto the Moon! [Technorati links]

July 20, 2016 09:43 PM

Where were you when Neil Armstrong first stepped on the moon July 20, 1969, forty seven years ago today?

I was sixteen years old, living on a farm outside Richfield, Idaho. Our family didn’t own a television set, but on that historic Sunday evening, our family joined some friends in town to watch the moon landing on their black and white television.

What a thrill to see that grainy image of a man from earth climb down the stairs and step onto the surface of the moon!


ForgeRockForgeRock Identity Platform Strengthens User Experience, Platform Security, and Identity Insight [Technorati links]

July 20, 2016 11:55 AM

Mid-Year Release for Customers Supports Passwordless Authentication, Stateless Architecture, Visualization of Identity Relationships and More

ForgeRock is pleased to announce the availability of the ForgeRock Identity Platform Mid-Year Release 2016. This latest edition of the ForgeRock Identity Platform has advanced new capabilities that will enable organizations to orchestrate highly secure, frictionless user experiences using push authentication. It’s the industry’s first end-to-end open source identity management solution to support passwordless login and frictionless second factor authentication capabilities for continuous security. We’re killing the password!

For those that don’t know, last year we decided to move to a model that supports feature releases every six months rather than every year. Why two releases per year? The ForgeRock product team is just too prolific, and too devoted to delighting our customers to keep new releases to just one per year! The 2016 mid-year platform release is a culmination of these efforts, and the first release under the new model. We’ve added some really cool capabilities in the following areas.

ForgeRock’s push authentication technology supports passwordless login for smoother customer experiences and better security.

Reflecting on the release earlier today, ForgeRock CEO Mike Ellis had this to say: “User frustration and implementation costs are a real concern with traditional two-factor authentication, and a significant barrier for organizations working to create the kind of secure, seamless online user experiences that we’ve all come to expect online. With passwordless authentication now available through the ForgeRock Identity Platform, our customers can create highly secure, frictionless user experiences that will delight and engage end users, while keeping the growing number of IoT devices and data out of the wrong hands.”

But Wait, There’s More!

ForgeRock is fortunate to have many, many creative people within the organization who are enthusiastic about contributing content when we launch new products. This Mid-Year Release is no different, and we’ve got lots of visual, video and written content to help our customers and friends to explore and learn about ForgeRock offerings in more detail. Read on…

2016 Mid-Year Release Video Album

Our product team, led by SVP Daniel Raskin and senior manager Chris Kawalek, put together a series of videos for the mid-year release, which provide enlightening overviews on subjects including a Push Authentications with ForgeRock Access Management overview and demo, Stateless OAuth2 Token Support, Common Audit Event Handlers, A Day in the Life of an OAuth2 Token, and a whole lot more. Featured ForgeRockers include veteran stars like CTO Lasse Andresen and SVP Engineering Jamie Nelson, along with newcomers like Office Manager Anette Recinos and Inside Sales Representative Maria Neau. Rocking performances all around.


Webinar, White Paper & More

Just can’t get enough? Please consult the following assets:

The post ForgeRock Identity Platform Strengthens User Experience, Platform Security, and Identity Insight appeared first on ForgeRock.com.

July 17, 2016

Gerry Beuchelt - MITRELinks for 2016-07-16 [del.icio.us] [Technorati links]

July 17, 2016 07:00 AM
July 16, 2016

OpenID.netPreventing Mix-Up Attacks with OpenID Connect [Technorati links]

July 16, 2016 12:34 PM

Recently the OAuth community has been concerned with some attack vectors around mixed up clients, particularly when dynamic client registration and discovery are used with user-selected OpenID Providers.

Broadly, the attacks consist of using dynamic client registration, or the compromise of an OpenID Provider (OP), to trick the Relying Party (RP) into sending an authorization code to the attacker’s Token Endpoint. Once a code is stolen, an attack that involves cutting and pasting values and state in authorization requests and responses can be used to confuse the relying party into binding an authorization to the wrong user.

Many deployments of OpenID Connect (and OAuth) in which the configuration is static, and the OPs are trusted, are at greatly reduced risk of these attacks. Despite that, these suggestions are best current practices that we recommend to all deployments to improve security, with a particular emphasis on more dynamic environments.

The full research papers on these attacks can be read here: A Comprehensive Formal Security Analysis of OAuth 2.0, and On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect.

Using the Hybrid Flow to mitigate attacks by a bad OP

Fortunately, the Hybrid flow of OpenID Connect is already hardened against these attacks, as the ID Token cryptographically binds the issuer to the code and to the user’s session and, through dynamic discovery on the issuer, to the token endpoint. In fact, any OpenID Connect flow that returns an ID Token from the Authorization Endpoint already contains the same information returned by the OAuth 2.0 Mix-Up Mitigation draft specification, the Issuer (as the iss claim) and the Client ID (as the aud claim), enabling the RP to verify it, and thus prevent mix-up attacks.

To protect against the Mix-Up attack, RPs that allow user-driven dynamic OP discovery and client registration should:

Use the hybrid code id_token flow, and verify in the authorization response that:

  1. The response contains tokens required for the response type that you requested (code id_token).
  2. The ID Token is valid (signature validates, aud is correct).
  3. The issuer (iss value) matches the OP that the request was made to, and the token endpoint you will exchange the code at is the one listed in the issuer’s discovery document.
  4. The nonce value matches the nonce associated with the user session that initiated the authorization request.
  5. The c_hash value verifies correctly.

To aid the implementation of the best practice, we recommend that OPs consider supporting OAuth 2.0 Form Post Response Mode, as it makes it simpler for clients doing code id_token to get both the code and the ID Token on the backend for verification.

OPs MUST also follow the OpenID Connect requirement for exact matching of a pre-registered redirect URI, to protect against open redirector attacks.
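The five checks above, as an added example that is not part of the original post or of any OpenID Connect library. It assumes an ID Token signed with HS256 under a constructed client secret so that it runs on the standard library alone; the function names, issuer URL and sample values are illustrative, and a deployment using RS256 would verify against the OP’s published keys instead.

```python
import base64
import hashlib
import hmac
import json


class MixUpError(Exception):
    """An authorization response failed one of the five checks."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash(code: str) -> str:
    # Left half of SHA-256 over the ASCII code, base64url without padding
    # (the c_hash rule for ID Tokens signed with a *256 algorithm).
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Constructed HS256 ID Token; stands in for the OP in this example."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def same(a, b) -> bool:
    """Constant-time comparison of two values rendered as strings."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def verify_hybrid_response(params: dict, session: dict, op: dict) -> dict:
    """Apply checks 1-5 to a `code id_token` authorization response."""
    # 1. The response must carry both tokens of the requested response type.
    code, id_token = params.get("code"), params.get("id_token")
    if not code or not id_token:
        raise MixUpError("response lacks code or id_token")

    # 2. ID Token validity: pinned algorithm, signature, audience.
    try:
        header_b64, body_b64, sig_b64 = id_token.split(".")
        alg = json.loads(b64url_decode(header_b64)).get("alg")
        claims = json.loads(b64url_decode(body_b64))
        aud = claims.get("aud")
        sig = b64url_decode(sig_b64)
    except (ValueError, AttributeError) as exc:
        raise MixUpError("malformed id_token") from exc
    if alg != "HS256":  # never let the token header choose the algorithm
        raise MixUpError("unexpected signing algorithm")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(op["client_secret"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise MixUpError("bad signature")
    if op["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise MixUpError("aud is not this client")

    # 3. iss must be the OP the request was sent to, and the code may only go
    #    to the token endpoint in that issuer's own discovery document.
    discovery = op["discovery"]
    if claims.get("iss") != session["issuer"] or discovery["issuer"] != session["issuer"]:
        raise MixUpError("issuer mismatch")

    # 4. nonce must be the one bound to the session that started the request.
    if not same(claims.get("nonce", ""), session["nonce"]):
        raise MixUpError("nonce mismatch")

    # 5. c_hash binds the ID Token to the code delivered alongside it.
    if not same(claims.get("c_hash", ""), c_hash(code)):
        raise MixUpError("c_hash mismatch")

    return {"sub": claims.get("sub"), "token_endpoint": discovery["token_endpoint"]}


# Constructed sample data (assumptions, not values from the original post).
OP = {
    "client_id": "rp-client-1",
    "client_secret": b"constructed-demo-secret",
    "discovery": {"issuer": "https://op.example",
                  "token_endpoint": "https://op.example/token"},
}
SESSION = {"issuer": "https://op.example", "nonce": "n-5f2a9c"}


def sample_response(code: str = "code-abc123", **overrides) -> dict:
    """Constructed authorization response; overrides replace single claims."""
    claims = {"iss": "https://op.example", "aud": "rp-client-1", "sub": "user-1",
              "nonce": "n-5f2a9c", "c_hash": c_hash(code)}
    claims.update(overrides)
    return {"code": code, "id_token": sign_hs256(claims, OP["client_secret"])}
```

Only the token endpoint returned by `verify_hybrid_response` should receive the code; a response whose `iss` names a different OP than the one recorded in the session is refused before any code leaves the RP.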

Using the Code Flow to mitigate attacks involving a compromised OP

Environments with statically registered OPs are not susceptible to dynamic registration attacks (by definition); however, it is still possible for a whitelisted OP to attack other OPs and for malicious users to bind stolen codes to their own sessions. This may sound far-fetched (why would your trusted OPs attack each other after all?), but if one OP was compromised, for example, it could be used to attack the other OPs, which is not ideal. To protect against such attacks, RPs using the “code” flow with statically registered OPs should:

  1. Register a different redirect URI for each OP, and record the redirect URI used in the outgoing authorization request in the user’s session together with state and nonce. On receiving the authorization code in the response, verify that the user’s session contains the state value of the response, and that the redirect URI of the response matches the one used in the request.
  2. Always use nonce with the code flow (even though that parameter is optional to use). After performing the code exchange, compare the nonce in the returned ID Token to the nonce associated with the user’s session from when the request was made, and don’t accept the authorization if they don’t match.
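An added example (not from the original post or from any project named on this page) of the two code-flow checks above: a per-OP redirect URI recorded in the session together with state and nonce, checked on the callback and again after the code exchange. The redirect and callback handling are the same first two steps that the Gluu servlet post on this page lists. The OP registrations, URLs and function names are constructed, and the ID Token is assumed to have had its signature validated before the nonce comparison.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed static registrations (assumptions): each OP gets its own
# redirect URI, so the callback path itself identifies the responding OP.
OPS = {
    "op-a": {
        "authorization_endpoint": "https://op-a.example/authorize",
        "token_endpoint": "https://op-a.example/token",
        "client_id": "rp-at-op-a",
        "redirect_uri": "https://rp.example/callback/op-a",
    },
    "op-b": {
        "authorization_endpoint": "https://op-b.example/authorize",
        "token_endpoint": "https://op-b.example/token",
        "client_id": "rp-at-op-b",
        "redirect_uri": "https://rp.example/callback/op-b",
    },
}


class CallbackRejected(Exception):
    """The authorization response does not belong to this session's request."""


def begin_login(session: dict, op_key: str) -> str:
    """Record state, nonce and redirect URI, then return the redirect URL."""
    op = OPS[op_key]
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    session.setdefault("pending", {})[state] = {
        "op": op_key, "nonce": nonce, "redirect_uri": op["redirect_uri"],
    }
    query = urlencode({
        "response_type": "code", "scope": "openid",
        "client_id": op["client_id"], "redirect_uri": op["redirect_uri"],
        "state": state, "nonce": nonce,
    })
    return f"{op['authorization_endpoint']}?{query}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Check the response against the session before any code exchange."""
    parts = urlsplit(callback_url)
    received_at = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]

    # The state must be one this session issued; pop() makes it single-use.
    pending = session.get("pending", {}).pop(state, None)
    if pending is None:
        raise CallbackRejected("state not found in session")
    # The response must arrive at the redirect URI used in the request. A
    # response from another OP lands on that OP's URI and is refused here.
    if received_at != pending["redirect_uri"]:
        raise CallbackRejected("redirect URI differs from the request")
    if not code:
        raise CallbackRejected("no authorization code")

    op = OPS[pending["op"]]
    return {  # everything the RP needs for the token request
        "token_endpoint": op["token_endpoint"],
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "expected_nonce": pending["nonce"],
    }


def accept_id_token(claims: dict, expected_nonce: str) -> bool:
    """After the code exchange: the ID Token nonce must match the session's."""
    nonce = str(claims.get("nonce", ""))
    return hmac.compare_digest(nonce.encode(), expected_nonce.encode())
```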

Summary

The OpenID Connect working group believes that when the above best practices are followed, the attacks described are prevented.

This advice was drafted at a working meeting of the OpenID Connect WG at the 22nd Internet Identity Workshop (IIW), and reviewed at the OAuth Security Workshop 2016 in Trier, Germany.

July 15, 2016

MythicsOracle Documents Cloud Service – New Features – 16.3.1 [Technorati links]

July 15, 2016 04:00 PM

 


Oracle Documents Cloud Service (DOCS) was upgraded to 16.3.1 to include the following features:

 

July 12, 2016

ForgeRockForgeRock Identity Summit, Sydney – Agenda Announced [Technorati links]

July 12, 2016 07:07 PM

There are only a few weeks left before the ForgeRock Identity Summit Series makes its inaugural trip to Sydney, Australia! I wanted to provide a brief preview of the great event we have planned.

The Identity Summit will be held on the rooftop of the Museum of Contemporary Art Australia (MCA) on 9 August. It’s a beautiful location with breathtaking views of Sydney Harbour, the Opera House and the city skyline. We are bringing together industry analysts and the ForgeRock community of customers, partners, developers, and executives to discuss the latest in identity, privacy, and digital trust.

Following the Identity Summit, we will hold the Sydney Identity Unconference on 10 August, also at the MCA. This will be a highly technical event for identity geeks in which the agenda is determined by attendees, and focused around the ForgeRock open source identity platform and the identity relationship management community. For more details and to register for this free event, please visit the Sydney Identity Unconference website.

Agenda Highlights

Keynote presentations by:

Case studies from:

We’ll also have several presentations from ForgeRock execs:

The agenda also includes a presentation on the very relevant topic of Continuous Security, as well as a “Thought Leaders Panel” in which speakers from KuppingerCole, TomTom, Constellation Research, Sunsuper, and John Dobbin & Associates will discuss why identity is a critical element in enabling digital business. Finally, we’ll close out the evening with a cocktail reception.

I look forward to meeting members of the identity community from the region, and hope to see you there! If you haven’t registered for the Identity Summit or Unconference yet, there’s still time:

9 August: Identity Summit, Sydney

10 August: Sydney Unconference

Be sure to track the #IdentitySummit hashtag on Twitter, and our @ForgeRock feed for the latest updates.

The post ForgeRock Identity Summit, Sydney – Agenda Announced appeared first on ForgeRock.com.

Julian BondYou'll hear a lot of talk about calls for a UK General Election because Theresa May wasn't democratically... [Technorati links]

July 12, 2016 08:12 AM
You'll hear a lot of talk about calls for a UK General Election because Theresa May wasn't democratically elected. Quite apart from misunderstanding representative democracy there's a small problem that hardly gets mentioned. It took Nick Clegg last night to recognise it in public, but even he glossed over the problems. He was the architect of the Fixed term act of 2011. https://en.wikipedia.org/wiki/Fixed-term_Parliaments_Act_2011 which was a sop to the LibDems to get them on board for the coalition. This act requires 5 year fixed terms but Clegg claimed on TV that there are methods built in whereby elections can be called early. Well, in order for a general election to be held before the term is up, one of three things has to happen.
1) The act is repealed
2) There is a vote of no confidence in the government, without a second vote of confidence in the government in 14 days. Both by a simple majority in the House of Commons.
3) There is a vote for an early election passed by 2/3 of the MPs

There is precedent in Europe for option 2) to be deliberately pushed by an incumbent coalition but it's very unusual. Try and imagine a Tory government with a majority calling for no confidence in itself with a 3 line whip to make it happen! Not going to happen. Try and imagine a coalition of SNP, Labour and Tory renegades getting a vote of no confidence passed against a Tory 3 line whip. Again, not going to happen.

So unless something really, really bad happens or for some reason Theresa May resigns, it looks like we're stuck with her and the Tories till 7-May-2020.

And she'll be watching you. http://www.thecanary.co/2016/07/11/theresa-may-becomes-new-pm-need-share-sht-video/


ps. http://hasarticle50beeninvoked.uk/

[from: Google+ Posts]
July 11, 2016

Gerry Beuchelt - MITRELinks for 2016-07-10 [del.icio.us] [Technorati links]

July 11, 2016 07:00 AM
July 08, 2016

Mike Jones - Microsoft“amr” Values specification distinguishing between iris and retina scan biometrics [Technorati links]

July 08, 2016 05:44 PM

This draft distinguishes between iris and retina scan biometrics, as requested by NIST, and adds a paragraph providing readers more context at the end of the introduction, which was requested by the chairs during the call for adoption. The OpenID Connect MODRNA Authentication Profile 1.0 specification, which uses “amr” values defined by this specification, is now also referenced.

The specification is available at:

An HTML formatted version is also available at:

Mike Jones - MicrosoftOpenID Connect EAP ACR Values specification [Technorati links]

July 08, 2016 01:25 AM

The OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 specification has been submitted to the OpenID Enhanced Authentication Profile (EAP) working group. Per the abstract:

This specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators.

The specification is glue that ties together OpenID Connect, W3C Web Authentication, and FIDO Authenticators, enabling them to be seamlessly used together.

The specification is available at:

KatasoftEncode and Decode JWTs with jsonwebtoken.io and java.jsonwebtoken.io! [Technorati links]

July 08, 2016 12:36 AM

We’re excited to announce our first two StormHack projects to the world: jsonwebtoken.io and java.jsonwebtoken.io! These two sites are open source developer tools we created to make it easy to both encode and decode JWTs and generate a corresponding code sample.

Encode or Decode JWTs


Including Java JWTs


Generate Code Samples

Not only does jsonwebtoken.io enable you to encode or decode a JWT, it also generates a code sample based on the library of your choice (with even more coming soon!), enabling you to simply copy and paste the code generated into your project or application.

View Readmes Without Leaving the Page

Want to take a look at the Readme for nJwt, PHP-JWT, or other JWT libraries? No sweat. Based on the library you select to generate a code sample on jsonwebtoken.io, we’ll automatically pull in the Readme docs directly on the page, so there’s no need to go hunting for them. We also link you to the GitHub repo for the JWT library within the Readme in case you want to dig in further.

JWTs are no joke. Is this tool reliable?

The source code used for jsonwebtoken.io is publicly available on GitHub, so feel free to check it out! As with everything we develop at Stormpath, this developer tool was designed with security as a core component.

We’d love to hear from you!

Please give jsonwebtoken.io or java.jsonwebtoken.io a try and let us know what you think. We value your opinion, so if something isn’t working the way you’d expect or there’s a feature you’d like to see added, please let us know by opening an issue on the jsonwebtoken.io or jJWT Github projects.

The post Encode and Decode JWTs with jsonwebtoken.io and java.jsonwebtoken.io! appeared first on Stormpath User Identity API.

July 07, 2016

Mike Jones - MicrosoftTerminology updates in OAuth Mix-Up Mitigation specification [Technorati links]

July 07, 2016 11:08 PM

The only change to the new draft is to use terminology more consistently. Specifically, it changes the terms “issuer URL” and “configuration information location” to “issuer identifier” so that consistent terminology is used for this. (This is the terminology used by OpenID Connect.)

This is being posted in preparation for discussions at the upcoming OAuth Security Workshop in Trier, Germany and the IETF 96 meeting in Berlin.

The specification is available at:

An HTML-formatted version is also available at:

Mike Jones - MicrosoftIANA Considerations added to CBOR Web Token (CWT) [Technorati links]

July 07, 2016 09:09 PM

The CBOR Web Token (CWT) specification now establishes the IANA CWT Claims registry and registers the CWT claims defined by the specification. The application/cwt CoAP content type is now also registered.

This version adds Samuel Erdtman as an editor in recognition of his already significant contributions to the specification.

The specification is available at:

An HTML-formatted version is also available at:

Katasoft8 Tools Every Java Developer Should Know (& Love) [Technorati links]

July 07, 2016 06:42 PM

Here at Stormpath we take quality and productivity very seriously. As any good craftsman already knows, having talent is not enough; you also need the right tools for the job. Engineering isn’t just a science, it’s also an art, so although we undoubtedly have talent (wink wink) at Stormpath, we always look to supplement it with the tool that best fits our needs. Our engineers are always eager to share new tools with the rest of the team. And now, with all the other talented Java developers out there!

In this post I’ll share the tools that our Java SDK team uses for daily tasks, how we use them, and hopefully share a few tips that will be useful for you.

Project Management Tools

1. Git

What can we say about Git that you don’t know already? For an in-depth look at the benefits of Git, you can simply read their About page.

Our Java SDK Team is spread around the globe and almost never sitting next to each other. Git safeguards every piece of code that we write. Here are some cool commands that have saved us a lot of time and headaches:

  1. Create a file called search.sh
  2. Paste this
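    # Search every revision that touched the file ($2) for a fixed string ($1).
    # Quoting and "--" keep odd strings or file names from being read as options.
    git rev-list --all -- "$2" | (
    while read -r revision; do
        git grep -F -e "$1" "$revision" -- "$2"
    done
    )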

    The command can then be executed like this: sh ./search.sh string_to_search file_where_to_search

2. Github

Github not only provides free hosting for our Git project, it also has the invaluable benefit of opening the source code up for the world to see. This encourages people to try it, communicate with us, and participate, which ultimately improves the quality of everyone’s projects and grows all our technical knowledge.

Github also allows us to keep track of our issues. Customers can then submit feature requests and report bugs. They can also get notifications about progress that we make.

3. Maven

Maven is already famous enough, so I won’t bore you with a long explanation of why we are using Maven to take care of our build process. However I can share a few useful tips to get even more out of Maven:

  1. Consolidate Dependencies: In a multi-module project you should define every single dependency right in the root pom.xml inside the <dependencyManagement> tag. Once you do that, all the sub-modules can depend on those dependencies without having to specify their versions. This way, managing your dependencies (e.g., updating versions) can be done in a centralized place, and all the sub-modules will pick up changes automatically. For example, root pom.xml:

    <dependencyManagement>
      <dependencies>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>${jjwt.version}</version>
         </dependency>
         ...
      </dependencies>
    </dependencyManagement>

    Sub-module’s pom.xml:

    <dependencies>
      <dependency>
          <groupId>io.jsonwebtoken</groupId>
          <artifactId>jjwt</artifactId>  <!-- note that no version has been specified -->
      </dependency>
      ...
    </dependencies>

  2. Prevent sub-module deployment: During release-time we want all our sub-modules to be released, but how can we avoid a sub-module (like an example) being released? Simple: just add the following to the pom file of the module that you do not want to release:

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-deploy-plugin</artifactId>
        <version>2.7</version>
        <configuration>
            <skip>true</skip>  <!-- this is the important line -->
        </configuration>
    </plugin>

  3. Skip Integration Tests: We have many integration tests that take quite a long time to complete. These tests validate that the interaction with the backend is working properly. During regular local development, we modify code several times before the new feature or bug-fix is complete. There is no need for those intermediate local builds to be validated against the backend each time; this would significantly slow the development process. Therefore, we have configured our Java SDK to automatically run ITs only when the build is running in our CI server. You can do the same like this:

    In your root pom.xml file:

    <properties>
        <skipITs>true</skipITs>
    </properties>
    ...
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.19.1</version>
                <configuration>
                    <skipITs>${skipITs}</skipITs>
                    <includes>
                        <include>**/*IT.*</include>
                    </includes>
                </configuration>
                <executions>
                   <execution>
                       <goals>
                           <goal>integration-test</goal>
                           <goal>verify</goal>
                       </goals>
                   </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

As you can imagine, all the integration test files must be suffixed with the letters IT for this configuration to work. For example, ApplicationIT.groovy or I18nIT.groovy.

Then, when we do want to have the ITs running, we execute the build like this: mvn clean install -DskipITs=false

Testing Tools

4. Groovy

Rather than writing our tests in Java, we do so with Groovy. Why? Well, it provides all these capabilities for free:

  1. Relaxed Java-like syntax: It is Java syntax, but with fewer rules. For example semicolons, variable types, and access modifiers are all optional. The latter has a huge benefit for testing. Since access modifiers are not strict, your test can read and assert internal state for the class being tested. For example, let’s assume you have this class:

    public class Foo {
    
        private String bar = null;
    
        public void setBar(String bar) {
            this.bar = bar;
        }
    }

    If you want to test that the setBar(String) method works ok (meaning that it properly changes the value of the private property called bar) you can simply do so by reading the value of that variable with Groovy. Java would not allow something like that (at least not without resorting to reflection).

    @Test
    public void test() {
        def foo = new Foo()
        foo.setBar("hello")
        Assert.isTrue(foo.bar.equals("hello")) //groovy allows us to access the private property called bar
    }

  2. Power Assertions: Groovy provides a powerful variant of assert also known as power assertion statement. Groovy’s power assert clearly shows evaluation results when the validation fails. Additionally, it is more readable than its Java counterpart.

    Assert.isTrue(foo.bar.equals("hello"))

    can be translated to:

    assert foo.bar == "hello"

    When the assertion fails it will show a very clear description of what has happened:

    assert foo.bar == "goodbye"
           |   |   |
           |   |   false
           |   hello
           Foo@12f41634

  3. Mocking: When using Java, dynamic mocking frameworks (like EasyMock, PowerMock and Mockito) are very popular. All those frameworks can be used easily with Groovy. Yay!

5. Rest-assured

Our backend provides a REST API service for creating and managing user accounts. Our Java SDK is one of many different SDKs providing a language-specific client-side model to simplify interactions. Some of these SDKs also provide a web layer to interact with the backend without needing to write any code.

In order to guarantee interoperability among all these web frameworks, they must behave exactly the same. Therefore we had to create a set of HTTP-based integration tests that every framework is validated against. That’s our Test Compatibility Kit. This project is maintained by all our SDK engineers, and not all of them master the same programming languages. Therefore we had to utilize a language-agnostic testing tool. That’s when Rest-assured came to the rescue.

Rest-assured is a simple Java DSL (domain-specific language) for testing REST services. Not only is it very simple to use and get started with, even for developers that have never used Java before, it is also incredibly powerful. It provides advanced features like detailed configuration, filters, custom parsers object, CSRF, and OAuth 2.0. It was built from the ground up to provide an extremely simple syntax: given-when-then.

For example: let’s see how easy it is to validate that “a post to /login with valid credentials must return status code 302”:

given()
    .accept(ContentType.HTML)
    .formParam("login", account.username)
    .formParam("password", account.password)
.when()
    .post(LoginRoute)
.then()
    .statusCode(302)

You can see a lot of different Rest-assured tests in our TCK repo.

6. Cargo Plugin

In order to have our Java SDK validated by the TCK we need to start one of our Web Examples so those tests can be executed against it. Logically, we wanted that validation to happen automatically on every build. Cargo Plugin is used exactly for that purpose.

Cargo is a thin wrapper to manipulate various types of application containers in a standard way. With Cargo, we were able to run our examples in different Servlet Containers (like Jetty and Tomcat) quite effortlessly. We simply configured the Cargo Maven2 Plugin in our pom files to start a Servlet Container (Tomcat 7) and deploy the recently built War file during the Integration Testing phase. You can see the working configuration in our Servlet Plugin Example.

Miscellaneous Tools

7. JWT Inspector

In our Java SDK we use JWTs quite heavily to transport data in a secure and trouble-free way. When testing and troubleshooting we need to analyze the content of the JWTs that we receive in the browser. Those tokens can be either in the URL, in a cookie, or in local storage. JWT Inspector is a browser extension we built to help us decode and inspect JSON Web Tokens directly from the console or in the built-in UI. You do not need to trace those tokens in your app. You simply press the extension button and JWT Inspector will automatically show all the information you need. You can then copy whatever claim of the expanded token you need.

8. Postman

We work quite heavily with REST API requests. Writing REST requests is not always user-friendly; the actual syntax depends on the tool that we are using, like curl or HTTPie. Both are quite readable but sometimes it is difficult to remember the exact syntax. Additionally, when troubleshooting, we need to test some requests and their outcome. When they fail we are not sure whether the problem is in the request or in the endpoint itself. We end up losing time simply because we doubt the correctness of the request we are writing.

Postman makes writing REST API requests simple. It also provides many valuable features like saving and re-using requests, generating code (Java, Python, curl, etc.), and grouping requests to run them sequentially. Postman helps you build complex commands thanks to its user-friendly UI. All you have to do is complete a form. Can it get better than that?

Final Thoughts

Using the right tools not only allows you to save time and reduce effort, it also improves the overall quality of your product and makes your daily work more enjoyable. We should be always open to discovering and learning new tools. It might require some effort at first but you will soon realize that it was absolutely worth the time you invested.

I’d love to hear about the developer tools that have been your personal lifesavers. Share them in the comments below, or tweet us @gostormpath!

Happy (tool-assisted) coding!


The post 8 Tools Every Java Developer Should Know (& Love) appeared first on Stormpath User Identity API.

KatasoftDefault Starters — Spring Boot Technical Concepts Series, Part 1 [Technorati links]

July 07, 2016 03:54 AM

It’s Java Week at Stormpath, and we’re excited to launch the first post in our Spring Boot Technical Concepts series! We thought it was only appropriate to begin with Spring Boot Default Starters.

Java Enterprise Edition in the late ’90s, especially Enterprise Java Beans (EJB), required an almost mystical knowledge of arcane XML descriptors and boilerplate code. In the early 2000s, as EJB desperately tried to keep up with the emerging Java technologies, along came Spring.

It was like, well, like Spring had come to the endless winter of the enterprise Java landscape.

With minimal XML and a few POJOs (Plain Old Java Objects), you could now have a robust, enterprise-ready application. In conjunction with EJB alternatives like Hibernate, Spring rocketed to the forefront of enterprise Java development. At a time when interpreted functional language alternatives, like Ruby, were becoming popular, Java experienced a resurgence (arguably because of Spring) – even within smaller business applications.

Spring, in providing a major release just about every other year along with significant interim releases, has been a lot more agile than Java EE. (Almost 4 years passed between Java EE 6 and 7 releases.) Along the way, Spring has continuously improved. A major enhancement has been the ability to configure Spring in a completely declarative way with annotations relying on little to no XML at all.

Enter Spring Boot

On April 1, 2014, Spring Boot 1.0.0 was released. Spring Boot is Spring’s convention-over-configuration approach to rapidly developing, testing, running and deploying Spring applications. Best of all, they can be run straight from the command line without the need to deploy to a container.

The idea is that most Spring applications use a set of sensible defaults. Rather than explicitly specifying these defaults for every application, Spring Boot assumes them. They are easily overridden with Spring Boot too.

Best of all, there’s a collection of Spring Boot Default Starters that adds features and functionality to your application with zero additional configuration on your part.

The Spring Initializr project, hosted at start.spring.io allows you to configure and download a complete Spring Boot project with just the libraries (starters) you need.

There are now 100 starters grouped into 19 categories. These range from Core starters to Web starters to a number of different categories of Cloud based starters.

Spring Boot Default Starters From Your Browser

Let’s create the most simple, barebones Spring Boot application with no other dependencies. Jump over to start.spring.io and click the Generate Project button:

Spring_Initializr

A file named demo.zip is downloaded.

Run the following from your terminal:

unzip demo.zip && \
cd demo && \
mvn clean install && \
java -jar target/*.jar

This will unpack, build and run this demo, which is pretty uneventful. All it does is fire up a Spring Boot application and exit. That’s because there are no starters configured at all. Let’s go back to start.spring.io, but this time, let’s add in the web starter.

Spring_Initializr1

Spring_Initializr2

This time, when you click the Generate Project button and run the above commands, you will see that an embedded Tomcat container starts and is listening on port 8080 (date/timestamps removed for brevity):

s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8080 (http)
com.example.DemoApplication              : Started DemoApplication in 2.959 seconds (JVM running for 3.318)
o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 35 ms

If you browse to this Spring Boot application, you will just get a 404 because no controllers have been configured, but at least you can see that you have a web application that is running and responding to requests.

localhost_8080

If you look at the pom.xml file in the demo folder, you’ll see that Spring Initializr has set things up for you, including the web dependency:

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
...

Spring Boot Default Starters From the Command Line

Are you already a denizen of the command line? Thanks to the brilliant content negotiation and meta data provided by Spring Initializr, you can interact with and create Spring Boot projects from http://start.spring.io using your favorite command line http client. The examples below use httpie.

First, just hit start.spring.io, and see what you get back:

http start.spring.io

This will give you a lot of output showing you all the possible parameters you can pass over to start.spring.io to configure your project.

Let’s replicate what we did earlier by creating a Spring Boot web enabled application.

http -v start.spring.io/starter.zip dependencies=web baseDir=demo -d

The -d tells httpie to save the binary data coming through as the file named in the Content-Disposition header. The -v parameter tells httpie to give verbose output. Here’s what that looks like:

POST /starter.zip HTTP/1.1
Accept: application/json
Connection: keep-alive
Content-Length: 42
Content-Type: application/json
Host: start.spring.io
User-Agent: HTTPie/0.9.3

{
    "baseDir": "demo",
    "dependencies": "web"
}

HTTP/1.1 200 OK
CF-RAY: 2be5911b2bc11840-EWR
Connection: keep-alive
Content-Disposition: attachment; filename="demo.zip"
Content-Length: 50956
Content-Type: application/zip;charset=UTF-8
Date: Wed, 06 Jul 2016 19:47:08 GMT
Server: cloudflare-nginx
Set-Cookie: __cfduid=d1e5718ac8125bcb1930bde5ea2a343a61467834428; expires=Thu, 06-Jul-17 19:47:08 GMT; path=/; domain=.spring.io; HttpOnly
X-Application-Context: start:cloud:1
X-Vcap-Request-Id: 1b6e59b5-6717-4e55-61a0-c49ba2e25c23

Downloading 49.76 kB to "demo.zip"
Done. 49.76 kB in 0.02079s (2.34 MB/s)

You now have a demo.zip file, just like before, that has everything you need to customize and fire up a Spring Boot web application.

Spring Boot Default Starters From Your IDE

Try this just for fun:

http start.spring.io Accept:application/json

You’ll see that you get back a ton of JSON data. That’s because of the Accept:application/json header. This triggers a JSON response thanks to the built in content negotiation.

A few Java IDEs have added the ability to create a Spring Boot project using Initializr. They do this exact thing behind the scenes: get all the metadata from start.spring.io and then let you choose the options you want to add to your project right in the IDE.

IntelliJ Idea supports Spring Initializr. Follow these steps to see it in action:

  1. Choose: File -> New -> Project… from the menu.

  2. Select Spring Initializr and click Next button.

    New_Project

    Notice the Initializr Service URL (https://start.spring.io). We will circle back to that later.

  3. Customize your project and click the Next button.

    New_Project2

  4. Select the features you want in your Spring Boot project by clicking the check boxes. Below, you can see we’ve selected the Web starter, just as before. Click the Next Button.

    New_Project3

  5. Customize the project’s location on your machine and click the Finish button.

    New_Project4

You’ll be back in IntelliJ with your Spring Boot project all set up.

demo

Create and Host Your Own Spring Initializr

One of the greatest features of the Spring Initializr project is that it’s easily extensible and it’s as easy to host as any other Spring Boot application since it is, itself, a Spring Boot application.

Stormpath has created a number of Spring Boot Starters so that you can easily integrate Stormpath with your project. Let’s take a look at what it would take to make these starters available in Spring Initializr to make it even easier!

The first thing to do is to clone (or fork) the project here.

Next, we’ll add in information for the Stormpath Spring Boot Starters as a new Category called Identity Management. This is as easy as updating the initializr-service/application.yml file. Below are just the Stormpath additions to the dependencies section:

...
    - name: Identity Management
      content:
        - name: Stormpath Base
          groupId: com.stormpath.spring
          artifactId: stormpath-spring-boot-starter
          id: stormpath-spring-boot-starter
          description: Spring Boot Starter for Stormpath
          version: 1.0.RC9.2
        - name: Stormpath WebMVC
          groupId: com.stormpath.spring
          artifactId: stormpath-webmvc-spring-boot-starter
          id: stormpath-webmvc-spring-boot-starter
          description: Stormpath WebMVC Spring Boot Starter (includes Base)
          version: 1.0.RC9.2
        - name: Stormpath Thymeleaf
          groupId: com.stormpath.spring
          artifactId: stormpath-thymeleaf-spring-boot-starter
          id: stormpath-thymeleaf-spring-boot-starter
          description: Spring Boot WebMVC Starter for Stormpath with Thymeleaf views
          version: 1.0.RC9.2
        - name: Stormpath Spring Security
          groupId: com.stormpath.spring
          artifactId: stormpath-spring-security-spring-boot-starter
          id: stormpath-spring-security
          description: Spring Boot Starter for Stormpath with Spring Security Integration
          version: 1.0.RC9.2
        - name: Stormpath Spring Security WebMVC
          groupId: com.stormpath.spring
          artifactId: stormpath-spring-security-webmvc-spring-boot-starter
          id: stormpath-spring-security-webmvc-spring-boot-starter
          description: Spring Boot WebMVC Starter for Stormpath with Spring Security
          version: 1.0.RC9.2
        - name: Stormpath Default
          groupId: com.stormpath.spring
          artifactId: stormpath-default-spring-boot-starter
          id: stormpath-default-spring-boot-starter
          description: Spring Boot Default Starter for Stormpath with WebMVC, Thymeleaf and Spring Security
          version: 1.0.RC9.2
...

In the root of the project, we build Spring Initializr:

mvn clean install

The easiest (although not the only) way to run the application is to install the Spring CLI tools. On Mac, you can do:

brew tap pivotal/tap
brew install springboot

You can also install the tools with:

curl start.spring.io/install.sh | bash

Once that’s done, switch into the initializr-service folder and run the app:

spring run app.groovy

This fires up the Spring Boot application on the standard port, 8080.

Now, let’s go through the same exercise as before with IntelliJ, only this time, we will use our local Spring Initializr:

  1. Choose: File -> New -> Project… from the menu.

  2. Select Spring Initializr.

    This time, we’ll change the Initializr Service URL to: http://localhost:8080.

    New_Project5

    Click the Next button.

  3. Customize your project and click the Next button.

  4. Select the features you want in your Spring Boot project by clicking the check boxes. Below, you can see I’ve scrolled to the bottom and selected Stormpath WebMVC.

    New_Project7

    Click the Next Button.

  5. Customize the project’s location on your machine and click the Finish button.

You’ll be back in IntelliJ with your Spring Boot project all set up.

demo1

Above, you can see that the proper dependency has been added to the pom.xml file. Thank you, Spring Initializr!

What about hosting and deploying your customized Initializr? There’s a Spring CLI command for that!

spring jar start.jar app.groovy

This creates a runnable Spring Boot jar that you can run like any other self-contained Spring Boot app.

➥ java -jar start.jar

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v1.3.6.RELEASE)
...

Want to incorporate the latest version of the Stormpath Spring Boot Starters?

Head on over to: http://start.stormpath.io. This is a live deployment of a customized version of start.spring.io. It has all of the original Spring Boot Starters, as well as all the Stormpath starters.

Just like start.spring.io, you can use your browser, the command line, or the IntelliJ IDE.
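Whichever Initializr generates the project, self-hosted or third-party, it decides which dependencies and repositories end up in the generated pom.xml, so it is worth inspecting the downloaded zip before running mvn clean install on it. The following is an added example, not code from the original post or from the Spring Initializr project; the allowlist, the function names and the sample archive (including its repository URL) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumption: group IDs this team accepts from an Initializr without extra review.
ALLOWED_GROUPS = ("org.springframework.boot",)
MAX_POM_BYTES = 1_000_000  # a generated pom.xml is a few KB; the cap guards against zip bombs


def unsafe_entries(names):
    """Return entry names with an absolute POSIX path or a '..' component."""
    bad = []
    for name in names:
        path = PurePosixPath(name.replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            bad.append(name)
    return bad


def group_allowed(group):
    """Exact match or sub-group only, so 'org.springframework.bootx' does not pass."""
    return any(group == g or group.startswith(g + ".") for g in ALLOWED_GROUPS)


def audit_pom(pom_bytes):
    """Return (kind, detail) findings for one pom.xml."""
    # A generated pom.xml has no DTD; refusing one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in pom_bytes or b"<!ENTITY" in pom_bytes:
        raise ValueError("pom.xml declares a DTD; refusing to parse it")
    root = ET.fromstring(pom_bytes)
    findings = []
    # Covers <dependencies>, <dependencyManagement> and plugin dependencies alike.
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", "", NS).strip()
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        version = dep.findtext("m:version", "", NS).strip() or "managed"
        if not group_allowed(group):
            findings.append(("review-dependency", f"{group}:{artifact}:{version}"))
    # Any repository beyond Maven Central changes where artifacts are fetched from.
    for tag in ("repository", "pluginRepository"):
        for repo in root.iterfind(f".//m:{tag}", NS):
            url = repo.findtext("m:url", "", NS).strip()
            plaintext = url.lower().startswith("http://")
            findings.append(("plaintext-repository" if plaintext else "extra-repository", url))
    return findings


def audit_starter_zip(data):
    """Inspect a starter zip in memory, without extracting or building it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings += [("path-traversal", n) for n in unsafe_entries(zf.namelist())]
        for info in zf.infolist():
            if PurePosixPath(info.filename).name != "pom.xml":
                continue
            if info.file_size > MAX_POM_BYTES:
                findings.append(("oversized-pom", info.filename))
                continue
            findings += audit_pom(zf.read(info))
    return findings


# Constructed sample: a web starter, one Stormpath starter from the YAML above,
# and a made-up plain-HTTP repository.
SAMPLE_POM = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.stormpath.spring</groupId>
      <artifactId>stormpath-webmvc-spring-boot-starter</artifactId>
      <version>1.0.RC9.2</version>
    </dependency>
  </dependencies>
  <repositories>
    <repository>
      <id>constructed-repo</id>
      <url>http://repo.example.invalid/maven</url>
    </repository>
  </repositories>
</project>
"""


def build_sample_zip():
    """Build the constructed demo.zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/pom.xml", SAMPLE_POM)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in audit_starter_zip(build_sample_zip()):
        print(f"{kind}: {detail}")
```

To check a real download, pass the bytes of demo.zip to audit_starter_zip and review every finding before unpacking and building.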

Spring Boot starters super-charge your application and Spring Initializr makes it really easy to pick and choose the components you need to give your application a (configuration) head start. Go on over to start.spring.io (in your browser, on the command line, or from your IDE), check off the pile of tech you want to include in your application and start building!

The post Default Starters — Spring Boot Technical Concepts Series, Part 1 appeared first on Stormpath User Identity API.

July 05, 2016

Matthew Gertner - AllPeers: Online Lenders Are There to Help

July 05, 2016 09:28 PM

Insufficient funds: it’s a genuine fear of yours as you sign checks and complete online payments. You’ve managed to avoid the NSF message so far by relying on a strategic payment schedule that consists of waiting until payday to settle your debts. When it’s the regular bills that you’ve budgeted for – with consistent due dates – this plan is foolproof. Unfortunately, life has a way of disrupting the status quo just as you start to get comfortable, and an unavoidable charge, renovation, or repair is all it takes to throw you off your game. The addition of an expense you didn’t budget for can make your fear of insufficient funds a reality.

Online Lenders can help you restructure your bills

As financial emergencies go, it’s pretty stressful. Without the appropriate amount of money in your account, the check you write will bounce or the online payment you make for your business won’t go through. Most financial institutions will charge you for these NSF transactions, and enough of these charges can do considerable damage to your credit score. If you already have a poor or sub-prime credit rating, a NSF transaction is the last thing you need on your record.

Luckily there’s a way to avoid the penalties of insufficient funds – even for those with bad credit. There are small dollar loans available online that can provide fast access to cash in your time of need. Ranging from $200 to $1,000, these financial products offer support when your bank account is too low and your next paycheck is too far away. Bridging the gap between paychecks, it’s an easy way to pay for unexpected expenses without risking a NSF transaction or missing a bill’s due date entirely.

Though there are rates and fees associated with these short-term loans, they pale in comparison to the interest and late penalties that can come with missing an important bill’s deadline. By avoiding making a NSF transaction, it also saves you from negatively affecting your credit rating. Every loan is different, however, as it depends on the lender that you partner with. Direct online lenders like MoneyKey create financial products that abide by state laws regulating the size and repayment of small dollar loans. To learn more about how an online payday loan from MoneyKey can help, check out their webpage and compare them to other state licensed lenders.

A state licensed lender is your source for loans with the best rates, terms, and conditions. When your lender follows the rules, you won’t be exchanging one debt for another. You’ll have a loan you can repay in time for payday, without having to overstretch your budget and receive a NSF warning. So find a direct online lender that’s licensed in your state to help with your finances.

The post Online Lenders Are There to Help appeared first on All Peers.

ForgeRock: Privacy@Scale & The Data Driven Economy Project

July 05, 2016 06:30 PM

Exploring a New Paradigm for Personal Data

A year ago, Facebook commissioned a program to explore how the data driven economy is evolving and to pose the question: how can we sustainably maximize the contribution personal data makes to the economy, to society, and, crucially, to individuals?

We’re transitioning into an era in which people’s data will turbocharge the creation of value for the economy and for society, but also increasingly for them as individuals. We have the opportunity to generate mutually reinforcing benefits for all stakeholders, while still working to minimize and mitigate risks and harms. You can download the resulting report and see earlier versions here: thedatadriveneconomy.com.

ForgeRock’s Eve Maler (@xmlgrrl) in conversation with Facebook’s Emily Sharpe during the Privacy@Scale event in Washington D.C., May 31, 2016.

I was fortunate to be one of the 175 experts invited to take part in one of a series of roundtables to discuss these issues, and was honored to be quoted in the final report. The roundtables were organized, and the reports written, by Ctrl-Shift, a specialist consultancy helping organizations to create new services and strategic market positions based on trust and control around data. And in May I sat down with Emily Sharpe, Manager of Privacy and Public Policy at Facebook, for a Q&A at their event called Privacy@Scale in Washington D.C. on how attitudes around data privacy are evolving, and why it makes sense for organizations to find ways to transition to “consent strategies” rather than maintaining today’s more coarse-grained and adversarial system of personal data handling.

What follows are some highlights of the discussion between Emily and myself.


Privacy@Scale Q&A

Emily Sharpe: During your recent keynote at the European Identity and Cloud conference, you spoke about how, in view of new consent regulations, standards, and tools on the scene, we need to think strategically about solutions that don’t force “awkward compromises” when it comes to privacy, business growth, and consumer trust. Could you share examples of what you see as “awkward compromises”? And what would you do differently with respect to regulations and standards to arrive at a better outcome that’s not simply not “awkward,” but hopefully not even a compromise — which implies trade-offs that may be unnecessary and even harmful?

Eve Maler: There are a lot of examples of awkward compromises when it comes to for-profit companies and their data collection and sharing policies – retail grocery chains maintaining loyalty programs comes immediately to mind. But I think one of the more enlightening instances where you had individual customers balking at data policies laid down by a business was when Spotify imposed a new privacy policy back in the summer of 2015. When it first came out, the terms asserted that Spotify basically had blanket access to all the data on your smartphone:

“With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files.”

The policy also asserted the right to collect location data and access to third-party app data, meaning Spotify would have access to your Facebook account, for instance. As these things so typically play out nowadays, the outcry in the media was swift and harsh, and within a few days the CEO was apologizing online. But here’s the thing, companies like Spotify haven’t had a lot of choices in negotiating access to and managing data from their customers. When your core competency is heavily commoditized and switching costs are low (like with music services!), loyalty programs relying on customer data get outsized importance. The more a Spotify can use personal data to customize their offering to your personal tastes and preferences, the more likely they are to keep you locked in as a customer. Hence their motivation to have a single (typically nonnegotiable) “privacy deal” (Terms & Conditions, or Terms of Service).

What I’ve been working on at ForgeRock and with the User-Managed Access (UMA) Work Group at the Kantara Initiative is an alternative to this kind of all-or-nothing, one-size-fits-all approach. The idea is to enable a “consent strategy” that defers data sharing options to end user choice, leveraging new “privacy/consent tech” to make it finer-grained and more meaningful. UMA builds on OAuth to allow users to work with any API and app ecosystem to get delegation and consent functionality like you see with Google Docs. You can have Share buttons, dropdowns with choices of what access to grant (Read Only, Download, Edit, etc.) and revocation of specific permissions — plus a central console where you can manage all this. That kind of capability wasn’t available last year, but it is now and any organization participating in the digital economy can play, and also interoperate with each other.

Emily Sharpe: During the Data Driven Economy roundtable you participated in in California, you said the following: “Regarding UMA architecture and OAuth, it was Facebook that made it popular. UMA makes the end user the intermediary to the flow of data between applications, to ask people if they want to connect to those applications for data flows for their own benefit. It innovates a consent flow, and the ability to revoke this consent at a later date. As far as I know no regulator has ever talked about this.” Question: Practices like these seem to actually enhance core privacy principles like control/consent, and data accuracy and quality. Why aren’t regulators promoting examples like these? Should regulators and policymakers be focusing more on the privacy rewards of innovative practices like these?

Eve Maler: Regulation doesn’t know what’s coming next – regulators aren’t in charge of innovation, and they can’t be expected to know what’s next in the marketplace. If you look at the arc of tech innovation, there are examples of regulation where it’s pretty clear what the regulation is supposed to do and what they know. But generally it’s hard to anticipate new practices. For example, regulators tend to talk about personal data disclosure and limited collection and use, meaning that they anticipate the data will flow from a service to an application – but these APIs generally allow for putting data back into the service (read and write functions), which is really not “collection” or “disclosure” at all the way they’d probably understand it. And OAuth was built as a response to top-line business needs and growth strategies. It works by enabling a user to permission an app to connect to a service on the user’s behalf, in some cases even if the user isn’t online. The user can withdraw their permission anytime. This is a real live example of consent innovation in the market.

Emily Sharpe: We heard the following from a participant in the APAC roundtable: “What we’re finding is that where the trust and transparency are established, customers are opening up and sharing more information that’s contextual – providing they understand the purpose for which it will be used and for a specific period of time.” Question: do you agree? How do we measure these benefits?

Eve Maler: It’s not a slam dunk that people are harmed by more data flows – there are risks and rewards in sharing and not sharing. It can depend on the industry vertical and the individual use case, for example. But, for instance, we’re seeing impressive results in healthcare settings. We’re working with Philips on their HealthSuite Digital Platform, which is an open, cloud-based platform that collects, compiles and analyzes clinical and other data from a wide range of devices and sources. Securely managing the identities of patients, caregivers, devices, and even family members, is critical with this kind of cloud-based system. Philips did a study with Banner Health looking at monitoring vital stats of patients with chronic health conditions through devices and mobile apps. They found that this monitoring can save 10 days on average per patient, per year in the emergency room, and also save $27,000 dollars per patient, per year. Shorter, less ER-intensive stays in hospital, with more care happening outside clinical settings because monitoring can happen in the home, and data securely shared through the cloud. And yes, establishing trust and transparency is key to making this work.


Just a few closing thoughts: Please note that the Q&A above was recreated from my notes – it’s not an exact transcription. Many thanks to Emily and the Facebook and Ctrl-Shift teams for including me in the Data Driven Economy project. Facebook is at the center of many of the debates circling around personal data privacy today. Indeed, the E.U. Safe Harbor argument came about initially in regards to how Facebook transfers data between data centers in the U.S. and Europe. So it is encouraging to see the Facebook team working so diligently to advance the data privacy dialog, and seeking to find solutions that are beneficial to all parties. As Stephen Deadman, Facebook’s Global Deputy Chief Privacy Officer, put it in his foreword to the final report, “when people have more control over their own data, more growth, innovation and value can be created than when they don’t.” I couldn’t agree more.

 

The post Privacy@Scale & The Data Driven Economy Project appeared first on ForgeRock.com.

Katasoft: 7 Habits of Super Productive Java Developers

July 05, 2016 05:59 PM

Last week we surveyed our internal team of incredibly productive Java developers looking for the best advice, tips, and tricks they could offer. For a small team, they have a combined 153 years of professional experience in Java, so they know what they’re talking about! Here’s what they had to say:

1. Know your tools (and have the right ones)

Before kicking off any new project, spend some time thoroughly researching the existing frameworks or libraries that could make your implementation easier. Along with that, have the right IDE and customize it for your project.

Outside of the tools that are specific to your project and language, our developers deploy a veritable battalion of everyday tools to increase their efficiency. Stormpath Java evangelist Micah Silverman shared his list:

Micah has also built a custom key sequence that shuts down all his open programs and leaves open only his IDE and an empty browser.

2. Write tests first

It sounds counterintuitive, but by thinking ahead to your testing you’ll end up writing testable code. It saves you time in the long-term if your testing logic is in place before your first line of code.

3. Love that httpie

Forget curl; httpie is where it’s at, so learn to love the command line. This Swiss Army knife for developers is quite possibly the most powerful tool in your arsenal, and the most frequently overlooked. If you’re on Mac, Homebrew is where it’s at for every utility you could possibly need, and probably a few hundred you didn’t know existed.

4. Be proactive about productivity

If you’re naturally focused and driven you might not need the help, but for the rest of us, productivity can feel like a never-ending battle with a wall. Productivity hacks abound, and we recommend you devote some time to trying a few out to find the one that best suits your workflow. Our team favors the Pomodoro technique, which breaks work down into timed intervals, typically 25 minutes, and separates these intervals with short breaks.

And, about those breaks. Take them. For real. Get up and walk away from your computer, think about something other than work. I regularly use an app called Pause to force my brain to disengage and slow down.

5. Automate where possible

Scripts are your friend. Take the time to automate your repetitive tasks, even the simple ones. Those saved seconds add up, and can eliminate errors.

6. Don’t stay stuck

Start by not being afraid to spike and delete: Try out different approaches and explore not just their impact on your project and interaction with existing code, but also where you get stuck. Then, delete that and write some tests. If that doesn’t work, use the resources around you; ask questions on Stack Overflow or pair up with a friend or colleague. Getting a second set of eyes on your problem can get you unstuck in a fraction of the time.

Along with this one, don’t be afraid to open a book! There are some amazing general and Java-specific reference texts on the Stormpath bookshelves that can, and have, gotten our team unstuck a time or two. These include Effective Java, Simple Java, Clean Code, and Design Patterns.

Bottom line: You never have to stay stuck for long, so don’t.

7. Pay it forward

Stormpath founder Les Hazlewood is also the founder and primary contributor to the open-source Java security framework Apache Shiro. He offers this advice: “Participate (actually code) in some great open source projects. A lot. As much as you can. There is simply nothing in the world that I know of that will expose you to the quantity and quality of great code written by senior developers than participating in multiple solid open source projects. You will learn more by looking at clean code and good design patterns than anything you could do on your own or what you would see by working on a few closed-source projects.”

Les is quick to credit “probably half” of what he knows about writing good software to the thousands of hours he spent early in his career contributing to open-source projects. And here’s the thing, when you regularly participate in large open-source projects you create opportunity for yourself, not just to learn, but to solve the day-to-day problems you’re having with your own applications.

Bonus: Keep your focus on what matters

Here at Stormpath, user management is the focus of our business. Is it yours? Probably not. So keep your eye on the core functionality of your application and leave the risk, complexity, and resource burden of developing sophisticated authentication and authorization functions to us.

We offer an advanced, developer-centric service that implements in minutes. The Stormpath REST API lets developers quickly and easily build a wide variety of functions they would otherwise have to code themselves, including:

Sound intriguing? Download our Build vs. Buy whitepaper, or sign up and get started right now!

The post 7 Habits of Super Productive Java Developers appeared first on Stormpath User Identity API.

Matthew Gertner - AllPeers: Know Your Summer Festivals

July 05, 2016 02:05 PM

It’s hard to find a person in the city who hates the summer. After the winter we’ve had, everyone’s welcoming the season of sunny days and elevated temps with open arms. But nobody in Toronto loves the summer more than music lovers. After a long winter spent dormant, the city opens up during the warmer months, with back-to-best festivals and special events. As the official epicentre for the best Canadian music fests, Toronto brings in local and far-off visitors to its streets to celebrate the biggest names in music. As the summer crowds fill the city, be sure to get your tickets sooner rather than later, or you’ll be nursing cool disappointment over missing the hottest musical acts of 2016.


Field Trip
Historic Fort York & Garrison Common is the backdrop to the coolest celebration of Canadian-grown and international artists. Unlike the boring field trips of your youth, you won’t need a signed permission slip to attend Toronto’s annual downtown festival on the weekend of June 4. As long as you have a ticket, you can explore the weekend-long event centred around world-class music. With performances from Robyn, The National, and Santigold headlining Field Trip, the lineup is pretty solid. But if you’ve gone to Field Trip before, you know it isn’t just about the music. As a festival celebrating the community’s artists, you can expect to find the best of Toronto’s chefs, designers, and comedians padding out the schedule in order to create the full summer festival experience.

NXNE


The 22nd annual NXNE (North by Northeast) festival takes place over 7 days this June, celebrating the best in visual art, comedy, film, and – of course – music. As Toronto’s foremost music and arts festival, artists from around the world travel to perform at over 50 music venues in the city. Known for giving a stage to emerging artists as well as established musical acts, it’s the ideal event for music lovers. Usually, these bands make sure to drop by the city while they’re touring the country, North America, or the world at large, and they often stick around to see their fellow performers for themselves. While taking a break in the city, it’s the perfect time for them to take inventory of their equipment and see if anything needs repairs – or replacements. It being the Great White North, there’s no music store Toronto musicians prefer better than the one that’s been in business for over 50 years. Any Long & McQuade music store in Toronto is prepared to help a touring band restock after a long journey. With the likes of Father John Misty, Ghostface Killah, and Mother, Mother set to hit the 6ix, any number of musicians could be checking out their inventory.

OVO Fest


Toronto-boy Drake and his record label, OVO (October’s Very Own), bring the biggest names in rap and hip hop to the Molson Amphitheatre over the Civic Weekend. In a tour supporting his number 1 selling album, Views, Drake will stop by the 6ix from July 29 to August 1 with special guests Snoop Dogg and Wiz Khalifa. Its full lineup is still to be announced, but if it’s anything like previous years – with artists like Lauryn Hill, Nicki Minaj, Kanye West, Jay-Z, and Stevie Wonder making appearances – concert goers won’t be disappointed. The only downside is how quickly the festival sold out. Tickets were gone in under 3 minutes, leaving only those lucky enough to be by a computer at the time to have a chance to see the 7th annual OVO Fest.

It doesn’t matter if you managed to get tickets for Drake’s coveted festival at the Amphitheatre or you’re saving all of your money for a full pass to NXNE: one thing for sure is that the summer is the best time for music lovers across the city. Take the time to search out the other special events and festivals scheduled to hit Toronto this season, and you’ll have the best summer yet.

The post Know Your Summer Festivals appeared first on All Peers.

Mike Jones - Microsoft: Token Binding for Access Tokens, Refresh Tokens, and ID Tokens

July 05, 2016 02:29 AM

Two new related specifications define syntax and semantics for applying Token Binding to OAuth Access Tokens and Refresh Tokens and to OpenID Connect ID Tokens. draft-jones-oauth-token-binding contains the OAuth portions. openid-connect-token-bound-authentication-1_0 contains the OpenID Connect portions.

These are being submitted now to hopefully enable end-to-end implementations and interop testing of Token Bound Access Tokens, Refresh Tokens, and ID Tokens across multiple platforms before the Token Binding specifications are finalized.

The OAuth specification is available at:

The OpenID Connect specification is available at:

Thanks to Andrei Popov, Yordan Rouskov, John Bradley, and Brian Campbell for reviews of earlier versions of these specifications and to Dirk Balfanz and William Denniss for some earlier discussions providing input to these specifications.

July 02, 2016

Gerry Beuchelt - MITRE: Links for 2016-07-01 [del.icio.us]

July 02, 2016 07:00 AM
July 01, 2016

Mythics: Software in Silicon for the Masses

July 01, 2016 01:20 PM

Software in Silicon for the Masses

Two years ago,…

June 30, 2016

Kantara Initiative: Kantara Trust Status List keeps growing

June 30, 2016 08:21 PM

WAKEFIELD, Mass., USA –(June 30, 2016) – Kantara Initiative announces the Grant of Kantara Initiative Service Approval Trustmark to the MedAllies Credential Service Provider (CSP) – Identity Proofing Component service operating at Level of Assurance 1, 2 and 3 non-PKI and re-approval of Experian as CSP – Identity Proofing Component at level 2 and 3. Both were assessed against the Identity Assurance Framework – Service Assessment Criteria by Kantara Accredited Assessors.

Kantara Initiative Accredits Assessors, Approves Credential and Component Service Providers at Levels of Assurance 1, 2 and 3 to issue and manage trusted credentials for ICAM and industry Trust Framework ecosystems. The broad and unique cross section of industry and multi-jurisdictional stakeholders, within the Kantara Membership, have the opportunity to develop new Trust Frameworks and profiles of the core Identity Assurance Framework for applicability to their communities of trust. The Kantara Initiative Trust Framework Program drives toward modular, agile, portable, and scalable assurance to connect business, governments, customers, and citizens. Join Kantara Initiative to participate in the leading edge of trusted identity innovation development.

“MedAllies is pleased to have received this certification, which demonstrates our commitment to further expand our scope of digital identity management. With this certification, we add to our EHNAC/DTAAP accreditation to allow for OTP capability, which will apply throughout the healthcare industry benefiting providers and patients.” said A. John Blair, MD, Chief Executive Officer at MedAllies. To learn more about MedAllies, please visit www.medallies.com

“This is a further example of Experian’s commitment to being a leader in the fraud and identity industry through continuous innovation and best practice market certification. As a long standing member of Kantara, we have seen first-hand the value that Kantara represents to the industry and we are committed to our ongoing relationship with them”, said Kolin Whitley, Senior Director at Experian.  To learn more about Experian, please visit  http://www.experian.com/business-services/fraud-management.html

“Kantara warmly welcomes MedAllies to the growing cohort of approved providers in the digital identity and credential space, particularly in this critical area of clinical messaging amongst doctors and hospitals in domestic US Healthcare”, said Colin Wallis, Executive Director, Kantara Initiative Inc.

For further information or to accelerate your business by becoming Kantara Accredited or Approved contact secretariat@kantarainitaitive.org

About Kantara Initiative

Kantara Initiative is a membership non-profit organization that provides strategic vision and real world innovation for the digital identity transformation. Developing initiatives including: Identity Relationship Management, User Managed Access, Identities of Things, and Minimum Viable Consent Receipt.

 

June 29, 2016

Katasoft: Is Java Dead? No! Here’s Why…

June 29, 2016 10:40 PM

We see this “Is Java dead?” question pop up year after year, and yet, by all external markers, Java is alive, well, and growing. While newer languages grab the headlines, TIOBE ranked Java as its top language of 2015 and currently shows it enjoying 5% growth in use since 2014, more than any other programming language.

Further, the PYPL Index, which ranks languages based on how often language tutorials are searched on Google, shows Java clearly out in front with 23.9% of the total search volume.

While there are a number of timely reasons for a big resurgence in Java over the last two years (the explosion of Android development, the release of Java 8, the growth in the Spring community, especially Spring Boot), market dominance comes only from having a great product. Here’s why we think Java isn’t going anywhere soon.

JVM and the Java Ecosystem

The Java Virtual Machine, or JVM, is what runs Java programs: they are compiled into bytecode, which is then interpreted and run by the JVM. Because the JVM sits above your specific hardware and OS, it allows Java to be run on anything: a Windows machine, a Mac, or some obscure flavor of Linux.

The big advantage granted by the JVM is in this increased compatibility and the stability it affords. Because your application runs in the VM instead of directly on your hardware, you can program said application once and trust that it is executable on every device with a Java VM implementation. This principle is the basis for Java’s core messaging: “Write once, run everywhere.” And it makes Java applications very resilient to underlying changes in the environment.

Security & Interoperability

The Android environment is a great case study on Java’s innate security and interoperability. Android, which encompasses 89% of the global mobile market, runs on Java. Because Java allows the OS to run in a virtual machine, it doesn’t need to recompile for every device, improving both system stability and usability.

Another benefit of Java, displayed perfectly by Android, is its interoperability with other JVM languages like Scala, Groovy, Clojure, JRuby, etc. You get to build your application in the “more dynamic” language of your choice, and still fall back to Java when you need more horsepower.

This huge Android market is also inherently at risk for exploitation. Android + Java allows users to run semi-trusted apps and mitigates its risk by running all apps in a virtual machine. Thus, the only way for an app to exploit the OS kernel would be through a flaw in the VM implementation, which is kept necessarily small, and is protected by a well-defined security surface.

Java in Production, at Scale

Amazon, Google, eBay and many other large e-commerce brands use Java for their backend processing. They use it because it’s proven and scalable. Any language, any backend could manage a handful of users, but Java can deal with 200m or more reliably. Let’s look at a few notable examples:

Hadoop

Apache Hadoop is a Java framework for running applications on large clusters of hardware. It was designed to provide high throughput for applications that manipulate or otherwise handle large data sets. Today, Hadoop is used by companies like Facebook, Amazon, IBM, Joost, and Yahoo to process data, perform analysis, or generate reports.

Hadoop creator Doug Cutting has said: “Java offers a good compromise between developer productivity and runtime performance. Developers benefit from a simple, powerful, type-safe language with a wide range of high-quality libraries.” We’ll put it simply: Big data wouldn’t exist without Hadoop, and Hadoop can’t exist without Java.

Twitter

Twitter has been a hugely visible recent win for Java and the team at Oracle. Originally written in Ruby on Rails, the rapid rise in popularity Twitter experienced clearly exposed the lack of scalability in RoR. “Fail Whales” (the alerts that indicated the network was overwhelmed) grew in frequency until Twitter began a shift to Java in 2012. Today, Twitter runs on Java + Scala, and the Fail Whale is extinct.

Minecraft

Minecraft is an insanely successful video game. It made millions of dollars for its development team even before its sale to Microsoft for $2.5b in 2014. And Minecraft runs on Java.

The breadth of the Java community helped Minecraft spread to hundreds of thousands of potential would-be modders. At the same time, Minecraft also introduced Java to a whole new generation of developers. A quick Google search on “making mods for Minecraft” will net you 653k results, many of which are resources to teach programming to the under-12 set.

One of these open source tools is Eureka, which they use to track what type of device a user is using to launch Netflix and cross-check against movements and recent activities to ensure the account is “current” and safe.

The Future of Java

Last year Oracle announced the impending arrival of Java 9, slated for September 2016. This update is scoped to break up the language’s multitude of functions into a number of bite-sized components, a change that is intended to make Java quicker and more accessible. Oracle’s overall investment (while often slighted and maligned) has ultimately helped ensure Java can continue to support the many enterprises that rely on it, and still react to new trends in development.

Java and the Internet of Things

“I really think Java’s future is in IoT. I’d like to see Oracle and partners focused on a complete end-to-end storage solution for Java, from devices through gateways to enterprise back-ends. Building that story and making a success of it will help cement the next 20 years for Java. Not only is that a massive opportunity for the industry, but also one I think Java can do quite well,” said Mike Milinkovich, Executive Director of the Eclipse Foundation.

Oracle agrees. Per VP of Development Georges Saab, “Java is an excellent tech for IoT. Many of the challenges in IoT are many of the challenges of desktop and client Java helped address in the 1990s. You have many different hardware environments out there. You want to have your developers look at any part of the system, understand it and move on. Java is one of the few technologies out there that lets you do that.”

Java + Stormpath

Java might have its detractors, and some of their arguments might even be reasonable, but it has its benefits too, such as outstanding tools for deployment, performance profiling, the JVM, a vast library of libraries, and so much more. At Stormpath, our backend has been 100% Java since day one, and we recently upgraded to Spring Boot. Viva la Java!

Learn More

Stormpath offers an advanced identity management service with broad Java support that implements in minutes. The Stormpath Java SDK, Servlet plugin, and the family of Spring integrations including: Spring WebMVC, Spring Security WebMVC, Spring Boot WebMVC, and Spring Security Spring Boot WebMVC allow developers to quickly and easily build a wide variety of functions they would otherwise have to code themselves, including:

The post Is Java Dead? No! Here’s Why… appeared first on Stormpath User Identity API.

June 28, 2016

Katasoft: The Ultimate Guide to Running a Company Hackathon

June 28, 2016 06:25 PM

Last week, we officially kicked off the second ever Stormpath company hackathon: StormHack 0x01. Our first StormHack event took place a little over two years ago (wow, the time really flies!) and was a huge success: our team built quite a few high-value projects, everyone had fun, and it was a huge morale booster for the team.

This time around, we had similar results. StormHack was incredibly productive, valuable, and most of all: fun.

StormHack 0x01 - Randall and Alex

In the spirit of openness, I thought I’d continue the tradition of sharing what worked, what didn’t, and what I learned throughout the hackathon, to give you a better idea of how you might want to run your own hackathon at your company >:)

A Note on Evangelism

If you work at a company where a hackathon has never been done before, you might run into trouble selling the idea to your leadership. While I didn’t have this problem at Stormpath (we have great executives, what can I say?), there are definitely some things I’d recommend when trying to sell the idea of an internal hackathon to your boss(es).

Evangelism is not only about reaching out to developers external to your company, but also being able to bridge gaps internally as well.

By understanding both the pros and cons of running an internal hackathon, you can more likely convince your company leadership that it’s a good idea.

The Cons

The largest problem people tend to have about hosting an internal hackathon is that it will directly take away engineering time.

At small tech companies, engineering time is usually the single largest constraint. Taking time away from core engineering is usually not something you want to do, as it slows down product momentum, causes timelines to slip, and may negatively impact customers.

Furthermore, if you pull your DevOps / ops / systems team off infrastructure for a few days, and your systems are not 100% reliable, then you run the risk of having public outages and all other sorts of problems.

There’s also the big issue of cost. Getting everyone together for a few days to work on creative projects can potentially cost a lot of money.

The Pros

On the opposite side of the spectrum, running an internal hackathon can be great for a lot of reasons.

Team bonding. Regardless of how you run your hackathon, one of the guaranteed side-effects is that your teams will have time to bond. By getting everyone together and reserving time to work on creative endeavors, you foster an ideal environment for people to hang out, collaborate with others they may not normally work with, and generally have fun.

There’s also something about a slightly competitive atmosphere that brings out the best in people, and gets them to more closely bond with their teammates. Working hard towards a single goal with a small group of people gives everyone a chance to really get to know their co-workers.

Exercising the Product. When you’re constantly working hard to improve a product, one of the things you frequently forget to do is take a step back and evaluate your product from a new perspective.

Taking some time to work on creative projects for a few days gives everyone the chance to work with the product in a way they may not normally experience. Having the ability to work on something new often provides a fresh perspective on what things need to be fixed, improved, and (maybe even?) removed in the future.

Creating Valuable Things. One of the best sells to executives is the fact that during an internal hackathon, all employees are working on new, creative ways to improve the product in some way.

At StormHack, for instance, we had teams build new (and very complex!) core API features, marketing materials, and user onboarding tools. These projects have contributed a significant amount of value to the company in a very short amount of time, all without any sort of management overhead / process in the way.

Keeping your company thinking about new ways to expand and improve your business is incredibly important in ensuring that your company continues to innovate. Hosting an internal hackathon is quite possibly the best way to accomplish this in a short period of time, with minimal investment.

Reducing Technical Debt. Another popular reason to throw an internal hackathon is to eradicate technical debt. While this isn’t one of the reasons we threw StormHack, it’s still a great reason to have a hackathon.

As a product grows and matures, maintaining a balance between shipping features and keeping a sane amount of technical debt becomes more and more challenging. Giving everyone on your team time to reduce technical debt without any other pressures can do wonders for engineering morale, product stability, and maintainability as a whole.

The Schedule

When organizing a hackathon (or any event, really), the first thing you should do is draw up a schedule so you have some definitive boundaries to work within.

The StormHack schedule looked like this:

June 15 (Wednesday)

June 16 (Thursday)

June 17 (Friday)

When I ran the last StormHack a little over two years ago, one of the main bits of feedback I got from the team was that a decent number of people wanted to continue working on their projects after work hours.

Although it was tempting to give people unrestricted project time during the event this time around, I decided not to, as it wouldn’t be fair to people at Stormpath who have families, outside commitments, etc. Depending on your company culture, you might want to tweak this to what works best for you.

How it Works

Now that we’ve covered the schedule, let’s talk about how the hackathon event actually works.

Day 1

StormHack 0x01 - Michele

The goal on Day 1 is to give everyone a chance to pitch their ideas to the rest of the team, recruit team members, and plan out their projects.

In my opinion, Day 1 is the most important part of the event. It’s really important to let everyone know upfront how the teams and idea pitching works so there isn’t a lot of confusion. If you do a bad job of getting everyone to pitch their ideas and break into teams on Day 1, the rest of the event won’t work very well.

Idea Pitching

StormHack 0x01 - Kelly

The way we handled idea pitching at StormHack worked really well. A few weeks before the event, I sent everyone on the team an email with a link to a Google Sheet that had a couple columns:

I encouraged everyone to start thinking of potential hackathon ideas that would be useful to Stormpath in some way, and to add them to the list. This way, everyone on the team could get a sense for what sort of ideas people had, and start to think about what they want to work on in advance.

When the actual day of the event came, we got everyone together in the Stormpath dining hall, and I invited everyone who had an idea to pitch that idea to the rest of the team. This way, everyone who had an idea they wanted to work on would have a chance to get other people interested in the idea, and recruit people for their team.

Each of the pitches included:

While this was going on, I was taking note of each idea, and the person who submitted it in a new Google Sheet.

After everyone had an opportunity to pitch their ideas, I then read through the list and had everyone vote for their favorite 3 ideas (by raising their hands). I tallied up the results, and we used this to narrow the list of many ideas down to just 10.

The reason we did this was because we wanted to encourage people to work together in teams, and to not have a lot of teams with just one person on them (that wouldn’t be very fun for team bonding!).

Breaking into Teams

StormHack 0x01 - Elder

Afterward, we then used hand raising to go through the list of the top 10 ideas and assign people into teams.

Before the event started, we decided that teams must have 2 <= n <= 5 members in order to encourage both collaboration and diversity of ideas. While it wouldn’t be fun to have a lot of 1 person teams, it also wouldn’t be fun to have a single team with 20 people on it, going against another team with only 2 people.

NOTE: In the event that more than 5 people wanted to work on a single team, we would have let the person who pitched the idea pick which people got in. Luckily, however, this didn’t happen =)

Project Planning

After all the teams had been formally decided, we then broke up into our newly formed teams, and went off to plan our projects.

Project planning is incredibly important, especially when you only have a short amount of time to build a project, and you’re working with people you may not work with often.

The idea here is that when each team goes off to plan, they should:

This way, once Day 1 is over, every team will be 100% ready to come in the next day and immediately start building things!

Day 2

StormHack 0x02 - Ed

The goal on Day 2 is to build things as fast and furiously as possible =) Other than breaks for eating, the goal of Day 2 should be to do a majority of the project work.

Day 3

 

The goal on Day 3 is to finish up the projects, prepare a small demo, and pitch what your team built to the rest of the company so voting can take place.

At StormHack, I basically called up each team in random order and gave them 10 minutes to present. This took a little over an hour and a half.

Depending on how big your company is, you may want to reserve more (or less) time for project presentations.

NOTE: One thing I should have done better was to let each team know how long they had to present in advance. Several teams ended up going over their allotted presentation time, and had to be cut off early 🙁 Next time, I’ll be sure to explicitly write it out, and remind teams during the event how long they have to present, so they can prepare accordingly.

Once the presentations are done, it’s time to vote!

The way we handled voting was pretty good, I think:

The rules were that:

Once we tallied up all the results, we found the top 3 teams (by votes), and called them up to the front to receive their hackathon trophies =)

We decided against doing expensive cash prizes and the like because that might cause ultra-competitive behavior (which we didn’t want). We instead opted to give the top 3 teams custom StormHack trophies.

StormHack 0x01 - Team Swag

After all the awards had been handed out, Brian started playing the Star Wars Imperial March music, at which point I pulled out the participation prize for everyone: custom ordered StormHack medallions:

StormHack 0x01 - Medallions

Everyone then came up one at a time, and I placed the medal around their neck. It was a really fun way to end the event, and made sure that everyone felt they won something for their hard work. It was a really good time all around.

Nate wearing a medallion.

Finally, after the medals had been given out, everyone hung out for a bit before heading home to catch up on some much-needed sleep =)

Logistics

On the logistical side of things, here’s what we did at StormHack. When running an event like this yourself, you might find some of these considerations useful.

Music

StormHack 0x01 - Playlist

A week prior to the event, I sent everyone an email with a link to a shared Spotify Playlist I had created. I told people to add their favorite music to the list, and that whatever was there would be played throughout the office on shuffle during the event.

This worked out fairly well (we only had speakers in our main open space), because people could go into conference rooms and shut the door for privacy / quiet, as well as put on headphones and ignore it if they wanted to.

I’m still not sure if this is the best solution, as people have such widely different taste in music. But, I can most definitely say that music is needed during this sort of event to create a good atmosphere! So, at the bare minimum, you should have speakers around that you can use!

Total Cost: $0

Social Media

If you’re going to run an internal hackathon, you might as well get some good video / photos out of it! During StormHack, we had Lindsay take pictures, record video, and even set up a reality TV-style camera booth.

The camera booth was really fun: we set up a GoPro camera in an empty conference room, and told people they could go into the room and record whatever they wanted for future usage. We had people tell hilarious stories, do crazy stuff, and just overall have a lot of fun.

We’re going to eventually edit these videos together into a Stormpath recruiting video of some sort, or maybe just play it at future company BBQs and laugh =)

Total Cost: $0

T-Shirts

StormHack 0x01 - T-Shirt Design

When running an internal event like a hackathon, making everyone feel like part of the group is really important, especially when one of your main goals is team bonding.

What we did to help with this was generate a custom StormHack 0x01 t-shirt design from CustomInk, and then send out a Google Form to everyone on the team two weeks in advance asking for each person’s t-shirt size.

On the first day of the hackathon, we gave the shirts out to everyone to wear and took advantage of this on day #2 in order to get a big team picture together.

Overall: the t-shirts went over really well — people loved them and felt like it made the event better!

Total Cost: $836.51

Prizes

StormHack 0x01 - Trophy

As I mentioned earlier, we decided to give out custom trophies to the top 3 teams, as well as custom medallions to everyone who participated. We ended up ordering the medallions through TrophyDepot.

The trophies were purchased by our office manager, Sarah, and the custom Stormtrooper figurines were purchased at the Disney Store nearby. =)

Total Cost: $482.96

Food

StormHack 0x01 - Food

At Stormpath, we have catered lunch every day in the office. We use ZeroCater for this. They’re a catering startup that handles all of the food creation, pickup, and delivery for companies.

What’s nice about ZeroCater is that they let you specify food allergies, etc., and have a nice schedule that everyone can see for each week. So, if I’m curious about what food will be served for lunch this upcoming Friday, I can take a look at ZeroCater’s website and know. =)

For StormHack, we basically let ZeroCater know that we’ll also need them to cater breakfast and dinner each day, gave them the times, and that was it! They handled the rest.

We also ordered lots of additional sodas, energy drinks (my personal favorite, mmm), and various beers and liquors which we had delivered directly to our office.

Total Cost: $6,118.16

Travel / Accommodations

Without question, the most expensive part of StormHack for us was travel costs. We have quite a few remote employees, and flying them into the area, and taking care of things like transportation, lodging, etc., was a large expense.

For companies where everyone is local (or everyone is remote!), this won’t be an issue.

In total, we flew in 6 people (7 if you count me) for the entire week of fun / activities.

Total Cost: $9,410.06

Total Cost

With everything included, StormHack cost us roughly $16,847.69 (for a team of 37 people).

If you take the amount of direct project value, team bonding, overall fun that was had at the event into consideration, I think you’d agree that overall, $16,847.69 was a small price to pay for such a valuable experience.

The Event Post-mortem

StormHack 0x01 - Team Picture

Since we’ve now discussed all of the hackathon scheduling and rules, let’s talk about how StormHack actually turned out!

Overall: things went very well. In terms of value: out of our 10 teams, each team delivered an incredibly valuable project for the company. Some of the teams have already made their projects publicly available to the world (which we’ll be talking about in later articles), and some will be released in the coming weeks.

In terms of a sprint, StormHack yielded some of the coolest and most useful new product ideas we’ve ever had. For a small 2.5 day break from normal work, this output far exceeded any expectations we had going in.

When the event was over, I sent out a simple Google Form questionnaire to everyone that asked 5 questions:

  1. On a scale of 1 to 10, how much did you enjoy StormHack?
  2. Would you like to participate in another StormHack in the future?
  3. Is there anything you didn’t like about StormHack?
  4. Is there anything you really liked about StormHack?
  5. What would you like to improve about StormHack in the future?

For #1, the average person rated StormHack as an 8.9/10. That’s a pretty high average score, meaning that most people really had a good time!

For #2, every single person (except one) said they would like to participate in another StormHack event in the future.

For #3, we got several interesting answers regarding things people did not like:

For #4, we got lots of good feedback on things people really loved:

Finally, for #5, we got great feedback on what people would like to improve:

Overall? The event was a great success! People had fun. Valuable projects were built. And much team bonding was had.

Closing Advice

Hack all the Things

Running a company hackathon can be an incredibly rewarding experience for everyone involved. I know that for me, personally, the past two StormHack events have been some of the highlights of my career.

The ability to hack on creative projects, get everyone involved, and take a break from normal work to focus on outside-the-box things is fun, exciting, and incredibly valuable.

If you decide to run your own company hackathon, please email me or leave a comment below! I’d love to hear how it goes, and I hope you have as much fun as I have.

Finally: I wanted to give a huge shoutout to Tom for reading and reviewing this for me when he was already super busy, as well as Sarah for doing a killer job with all the logistics, keeping everything running smoothly, and handling everyone’s last minute problems =)

Team Stormpath, out.

The post The Ultimate Guide to Running a Company Hackathon appeared first on Stormpath User Identity API.

Katasoft: Tutorial: Build Your First Swift Web App with Vapor

June 28, 2016 12:17 AM

If you love using Swift to build your iOS apps, but another language for your backend, you’ll be super excited to hear about Vapor. Vapor is a web framework written in Swift that you can use to build a website or API. While still in beta, it’s already garnered a huge amount of interest: over 4,000 people have starred it on GitHub, and it’s growing quickly.

Last week, I wrote a post with an overview of various server-side Swift frameworks. Of them, Vapor has the best documentation by far, and even a command line tool to help you bootstrap your new project! In this tutorial, I’ll show you how to get started with Vapor, and build your first web app. So, let’s get started!

Install Swift Version Manager

Like most of the other server-side Swift frameworks, Vapor is built on Swift 3. This is because Swift 3 is the first version of Swift to include Swift Package Manager. Like Cocoapods or Carthage, Swift Package Manager allows you to easily manage your code’s dependencies, and automate the build and installation of external code.

Unfortunately, Swift 3 is still in development, so there are multiple versions of Swift 3 out there. To manage this complexity, we’ll install Swift Version Manager, or Swiftenv. Enter your shell and run these commands to install:

git clone https://github.com/kylef/swiftenv.git ~/.swiftenv

echo 'export SWIFTENV_ROOT="$HOME/.swiftenv"' >> ~/.bash_profile
echo 'export PATH="$SWIFTENV_ROOT/bin:$PATH"' >> ~/.bash_profile
echo 'eval "$(swiftenv init -)"' >> ~/.bash_profile

Install Swift 5-31

Next, we’ll use Swiftenv to install the 5-31 development snapshot of Swift. Run this command in the shell:

swiftenv install DEVELOPMENT-SNAPSHOT-2016-05-31-a

Initialize Your Swift Project

Once you have the correct version of Swift installed, we’ll create our project! To do so, we’ll make a HelloWorld directory, set the local version of Swift to the 5-31 snapshot, and tell Swift Package Manager to initialize a project:

mkdir HelloWorld
cd HelloWorld
swiftenv local DEVELOPMENT-SNAPSHOT-2016-05-31-a

swift package init --type executable

By running this, Swift Package Manager creates two files for you:

Add Vapor as a Dependency

To install Vapor, we’ll add it as a dependency to our Package.swift. Replace your Package.swift file with the following:

import PackageDescription

let package = Package(
    name: "HelloWorld",
    dependencies: [
        .Package(url: "https://github.com/qutheory/vapor.git", majorVersion: 0, minor: 10)
    ]
)

Generate an Xcode Project File

Next, we want Swift Package Manager to download Vapor. SPM can also generate an Xcode file for you to use. If you prefer, you can skip this step and use another text editor in the next step.

swift package generate-xcodeproj
open HelloWorld.xcodeproj

Write the Vapor Code!

With Xcode (or your favorite text editor), open up main.swift. In Xcode, you’ll need to make sure that you’re running the correct version of Swift. You can do that through the Xcode menu: Xcode > Toolchains > Swift Development Snapshot 2016-05-31 (a)


Now that you’ve fixed Xcode, replace the existing code in main.swift with:

import Vapor

let app = Application()

app.get("/") { request in
    return "Hello, World!"
}

app.start()

In this code, we import the Vapor library, and initialize its Application object. We then register a handler for /, which returns “Hello, World!”. Finally, we start the app.

Run the app

To run the app, run the HelloWorld target in Xcode, or via the command line using the following:

swift build
.build/debug/HelloWorld

And voilà! Your first server-side Swift application is now running at http://localhost:8080/. Check it out!


Want to keep building with Vapor? Check out Vapor’s website for more information.

More Reading

There’s more than just Vapor on the server! Read our overview of various server-side Swift frameworks. This blog post is based on a talk I gave at the Swift Language Meetup in San Francisco. Watch the recording!

If you’re building a backend API for your app, consider using Stormpath to help you implement a secure REST API. Stormpath is an Identity API for developers that provides complete user management, including authentication and authorization, out of the box. Read our tutorial on how to build a REST API for your mobile apps using Node.js to learn more.

The post Tutorial: Build Your First Swift Web App with Vapor appeared first on Stormpath User Identity API.

June 27, 2016

Matthew Gertner - AllPeers: More Than an Inheritance: Help Your Children Become Financially Stable

June 27, 2016 09:57 PM

Help Your Children Become Financially Stable by instilling good habits in them now

Photo by CC user Skitterphoto on Pixabay

Most parents consider the benefits of leaving an inheritance for their children. It ensures they have a financial cushion and a safety net to fall back on, and may even allow them to make investments of their own, such as buying property. But as any parent who is trying to save money for their children’s future has come to realise, the financial conditions of today are more challenging than ever before. Here are four ways you can help your children become financially stable, instead of passing on financial burdens.

Teach Them Financial Discipline

In the UK, money and earnings are a somewhat taboo subject. But talking to your children about money from an early age has been shown to be influential in how they will handle their finances as they mature.

As the old adage goes, “give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime”. Teaching your children how to be financially responsible will help them use resources to become financially independent and responsible. Leaving an inheritance is more worthwhile if your children know how to spend wisely, invest, and save.

Plan Your Funeral

Another taboo subject, and yet another one that is so important: planning your funeral. You might think that funeral costs can come out of the inheritance, or sale of assets. However, it takes time for these issues to be legally settled, meaning many need to take out loans to cover the cost of a loved one’s funeral. By the time any inheritance comes through, the interest will have racked up and your children might end up with very little.

Avoid this trap by planning your funeral before you pass. Full funeral packages, such as those provided by Golden Charter, let you plan and pay for your funeral. The average cost of funeral expenses in the United Kingdom has risen by more than 90 percent in the last decade. Securing a funeral plan can save you and your family a significant amount of money, as well as easing the stress of funeral planning for those you leave behind.

Budget Wisely

Proactively monitor your credit cards and outstanding loans. Missing payments and not shopping around for good interest rates are just a few of the mistakes we make that can impact our children when we pass. This will also save you money, which you can add to the inheritance, or use to treat yourself with!

A good money-saving attitude to everyday purchases can also ensure there’s more for the inheritance pot, and can be passed on to your children too. For example, choose store brands over premium brands where you can, and plan your grocery shopping to reduce cost and waste. It’s also a good idea to set up a good savings account for your children and encourage them to save regularly.

Invest

Perhaps the most effective tool for building wealth is to invest – intelligently, that is. Intelligent investing achieves the balance between maximum capital appreciation and minimum loss potential. If you’re unsure, an initial spend on a good financial adviser can result in reaping greater benefits in the long term.

The post More Than an Inheritance: Help Your Children Become Financially Stable appeared first on All Peers.

Radovan Semančík - nLight: MidPoint 3.4 (Heisenberg) Released

June 27, 2016 04:10 PM

MidPoint 3.4, code-named "Heisenberg", was released a few days ago. This is the sixteenth midPoint release since the project started all these long years ago. MidPoint has come a very long way since then.

The Heisenberg release is the best midPoint release yet. We have finished access certification functionality, which makes midPoint the very first open source product to enter the identity governance and compliance playing field. We have also improved midPoint internals to better handle inconsistencies of resource data and we have also made many small internal improvements to increase robustness. This was one of the inspirations for the code-name. Similarly to Heisenberg's uncertainty principle, midPoint accepts that there is some degree of uncertainty when it comes to processing of the identity data. It may not be practically possible to always base the decisions on authoritative data. A practical identity management system needs to accept that the identity data are always in a state of flux - and midPoint does just that. And it manages the data reliably even in situations where other systems fail miserably.

So, midPoint now has governance features. This is really big news. Much bigger than you may expect. Why? Because midPoint is a brilliant identity management system. Identity provisioning circulates inside midPoint veins. The release of midPoint 3.4 made the term "closed-loop remediation" obsolete. Any governance decision is immediately reflected into provisioning action because it all happens inside one system. There is no need to painfully integrate provisioning and governance engines any more. MidPoint does it all!

Even though the governance features in midPoint are really big news, there is an even more important improvement in midPoint 3.4: the user interface. The midPoint user interface went through a major facelift during the last two releases. And the Heisenberg release brings the results. The user interface is much more streamlined, it is consistently color-coded, it is much more user-friendly and it just looks good. See it for yourself:

Even though midPoint currently has the richest user interface among all the open source IDM systems, there are still more user interface improvements planned for the future and usability is one of our big priorities. Usability is something that needs to be continuously improved. And it will. Also there are big plans to expand the governance and compliance features in the next midPoint versions. MidPoint is by far the richest open source IDM system and it improves all the time.

The Heisenberg release is without any doubt a major milestone in midPoint history. It comes after long years of very hard work. But it was worth it. Every second of it. And the midPoint team is very proud of the result. So, just give it a try.

(Reposted from Evolveum blog)

June 25, 2016

Matthew Gertner - AllPeers: How to Write a Research Paper Quickly

June 25, 2016 06:52 PM

Many of us have been there: that awful moment when it dawns on you that you have a paper due in the coming days, and in our wisdom we opted to go out for those parties and paid no mind at all to our studies. Then after the fun comes the cold hard shock and the realization that within just a few short days you must lash together something passable, like a research paper. In times like these it’s important to stay calm and get focussed. If this awful fate befalls you, here are some tips for getting that paper completed quickly.

Facts

Obviously the basis for any research paper is cold, hard facts; these will be the ammunition that you will use to win this war. The best way to start any research paper is to compile a list of important facts on your subject that you can use. It will then be your responsibility to pad these facts out with conjecture and opinion, but it is in the facts that you will find the nucleus of your arguments and propositions.

Structure

As with any article writing it is imperative that you have a solid structure to stick to, planning this beforehand will help you greatly during the writing process. Obviously you will require the usual introduction, body and conclusion but you need to think about what those will contain. A good introduction not only introduces the theme of your paper but should also ask questions that will be later discussed. The main body of the piece should include a 2-sided argument and plenty of info to back it up. The conclusion should round the piece off with opinions, answers to the questions asked in the introduction and possibly some open-ended questions to finish with.

The Research

If you’re looking for quick fixes then be thankful that you are living in the digital age: a simple search online for your chosen subject will yield thousands of results for you to use in your paper. You can even find research papers that have been written about your subject; these can be like finding treasure, as you can paraphrase points that others have already made to fill out your paper. Remember that if you do use the work of others to help you in your time of need, it is essential that you change the wording significantly. If you fail to do this then you may get caught out for plagiarism, which will mean that the time that you have spent putting your piece together will be entirely wasted.

Desperation

If you are truly desperate and simply don’t have sufficient time to complete your paper then you have two options: ask for an extension from your university, perhaps telling a white lie to get this granted, or alternatively, pay someone to write it for you. There are great websites where you can hire an online essay writer to complete your task for you; simply arm them with the information that they will need and sit back whilst a professional completes your piece for you.

The post How to Write a Research Paper Quickly appeared first on All Peers.

June 24, 2016

Katasoft: KCDC 2016, Day 2

June 24, 2016 10:00 PM

It’s day two of KCDC! There were plenty of great talks to absorb in Day 1, and everyone spent the evening eating some delicious BBQ (I hope). There are plenty of talks lined up for day 2, so let’s dive in! (And if you missed my first day wrap-up, start here: KCDC 2016, Day 1.)

Angular 2 and TypeScript

Spencer Schneidenbach kicked the day off with an info-packed session about getting started with Angular 2. He gave a crash course in TypeScript, the Microsoft-built superset of JavaScript that adds type safety, async/await, and all kinds of other goodness that many developers will find exciting. Then, he talked about everything that’s been removed and simplified in Angular 2 (goodbye, factories/providers/services!) and what the new syntax looks like.

As a fan of Angular 1, I was skeptical of Angular 2 at first (everything looked so weird in the early releases). Seeing the final version of the syntax, plus the power of TypeScript, has convinced me that Angular 2 is going to be a strong contender for the second round of the “SPA War.” I’m looking forward to diving in and trying it out.

Lunchtime OH: “Oh great they are serving beans? Nothing better than a bunch of gassy developers in small rooms.” 😂 #kcdc16 #KansasCity #BBQ

— Mary Kergosien (@MEKergosien) June 24, 2016

Token Authentication in ASP.NET Core

I was excited to have the opportunity to talk about token authentication in ASP.NET Core, which I’ve written about here on the blog. Over a hundred people turned up, which was easily the largest crowd I’ve ever spoken to. Not so good for the pre-talk nerves, but everything went smoothly and it was a great learning experience.

Check it out. My friend @nbarbettini from @goStormpath talking about Token Authentication at #kcdc to 130+ people. pic.twitter.com/QBSga1XhnZ

— Brian Retterer (@bretterer) June 24, 2016

I’ve posted the slides online for anyone who’s interested!

Saying Goodbye to KCDC 2016

It’s been another great year at KCDC! I love the diversity of engineering represented here in the Midwest. There’s plenty of .NET and JavaScript, but also Java, PHP, Python, R, and just a few people who agree with me that C# is one of the best backend languages for modern APIs. 🙂

“Really dedicated folks stay till the last session of the 2nd day for compiler talk” – @jimwooley on Roslyn #kcdc16 pic.twitter.com/zIzhJVDcW8

— Nate Barbettini (@nbarbettini) June 24, 2016

I’m looking forward to next year! Before I leave, I’ll be grabbing one last delicious meal to hold off the Kansas City BBQ withdrawal. Until next time, KC! <3

The post KCDC 2016, Day 2 appeared first on Stormpath User Identity API.

Katasoft: StormHack 0x01

June 24, 2016 09:13 PM

Last week was AWESOME at Stormpath.

OK, I’ll admit it, every week is awesome at Stormpath. BUT. Last week was awesome-er because last week was StormHack 0x01!

What is StormHack?

StormHack is a place where dreams come to fruition and awesome concepts come to life! No, seriously, StormHack is our internal company hackathon, and it’s pretty rad.

Hackathons come in a variety of forms, from free-wheeling build-anything adventures to focused efforts aimed at attacking tech debt. This StormHack landed somewhere in the middle as we rallied around a core goal (or, as I called it, our macro-hack): All project proposals had to nudge the needle for Stormpath in some way. Some proposals were upgrades to existing offerings, while others were pie-in-the-sky concepts that had been back of mind for ages.

By the end of the week, our ten teams had built some amazing new tools and upgrades that we’ll be talking more about over the coming days and weeks. You can also look forward to a blog post from our emcee, Python developer evangelist Randall Degges, that will detail how we planned for this event, what worked well, and tips for running your own internal hackathon! Today, I’d like to show off what I think was the awesome-est part of StormHack: The people who made it happen!

 

The post StormHack 0x01 appeared first on Stormpath User Identity API.

Ian Glazer: Professionalizing Identity: What happens next?

June 24, 2016 06:20 PM

Apologies for not getting this out sooner.

After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of very encouraging feedback.

There was a common theme to these conversations – I signed the pledge; so now what happens?

From a long term perspective, I simply don’t know.

On a shorter timeline, here’s what I do know. Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group. This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc. My hope is that around the beginning of 2017 the organization gets going in earnest.

Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization – 180 more days isn’t going to kill anyone. Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset.

In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and bring those things to the working group when it starts.

Katasoft: KCDC 2016, Day 1

June 24, 2016 01:17 AM

It’s time for the great gathering of Midwest programming minds known as the Kansas City Developer Conference! I’m excited to attend KCDC 2016 again (and, of course, eat more great Kansas City barbecue).

Wow, Kansas City, I’ve never seen so many boots w dresses… and I’m from Texas 🙂 #kcdc16 pic.twitter.com/BXmHxQjFwo

— CoriDrew (@coridrew) June 24, 2016

With the official release only days away, .NET Core looks ready to break into the mainstream this year in a big way. A number of other technologies are heating up, too: ES6, TypeScript, Angular 2, and microservices architectures to name a few. I’ll highlight the most exciting talks happening over the next two days!

The KCDC 2016 Keynote

Jonathan Mills kicked us off with a great opening keynote that emphasized the changing nature of developer jobs (C is now more in demand than Java, due to the rise of embedded devices and the IoT), and how conferences are a great way to expand your knowledge into new areas. He encouraged everyone to get out of their shells and chat with their fellow attendees (they don’t bite!).

Love that the @kc_dc morning keynote is basically just trying to teach a thousand anti-social devs how to talk to each other. #kcdc16

— Ben Kittrell (@bgkittrell) June 23, 2016

JavaScript and ES6

Behind .NET technologies, it seems like JavaScript is the second most popular topic this year at KCDC. Jeff Strauss gave a great overview of the new features of ES6 and how it can improve your JavaScript code in a few big ways. Even though browser support for ES6 is still spotty, tools like Babel can give you the best of both worlds today by transpiling ES6 down to “vanilla” JavaScript that any browser can run.

I try to never miss Cory House’s sessions, and he packed the house today (out the door, literally) with his talk about the keys to professional JavaScript. He emphasized things like:

So, apparently @housecor delivers a good session… #kcdc16 pic.twitter.com/yhLg5rlAuF

— jonathanfmills (@jonathanfmills) June 23, 2016

I have to admit, I only follow a few of these practices myself. His talk definitely inspired me to write cleaner JavaScript.

ASP.NET Core

There were a number of good talks about ASP.NET Core today. Jay Harris presented an overview of how .NET Core “reboots” the ASP.NET franchise and positions it as a modern, cross-platform web framework. Robert Boedigheimer followed up with a hands-on talk about building a modern, responsive website using ASP.NET Core and Bootstrap.

@jayharris talking about #aspnetcore and the benefits of using the right tools at @kc_dc #kcdc16 pic.twitter.com/GxUO4OQYw3

— SpencerSchneidenbach (@schneidenbach) June 23, 2016

Wrapping Up

The first day of KCDC 2016 was exciting and info-packed. The only downside of a thirteen-track conference is the sheer number of talks you have to decide against when picking just one each hour! Tomorrow morning, I’ll be giving a talk of my own on Token Authentication in ASP.NET Core. I’ll post the slides as well as a wrap-up of the Friday sessions in tomorrow’s highlights post.

And hey, if you’re at KCDC too, hit me up on Twitter so we can connect!

The post KCDC 2016, Day 1 appeared first on Stormpath User Identity API.

June 22, 2016

Mythics: A Review of the New Oracle Database Appliance X6-2S and X6-2M for Small and Medium Orgs

June 22, 2016 07:37 PM

This week, Oracle announced the first few systems of the next generation of the popular Oracle Database Appliance (ODA), the X6. The big news with…

Matthew Gertner - AllPeers: Why I Love the Game Colour Switch

June 22, 2016 05:06 PM

Since the rise of the smartphone you are now able to essentially control your life from your pocket: you can manage your bank account, search for things on the internet, find directions, take photos, create projects or video call your international friends, and you can do it all on the move. More importantly, however, your smartphone or tablet has become a gaming device that allows you to play games whenever you want, wherever you are. The range of games available is enormous, and the best games that have been created for these devices are the ones that you simply can’t leave alone, the games that force you to steal minutes of your day just to play on. Recently I downloaded my favourite game yet. It’s called Colour Switch, and when you download it I would advise you to carry your charger wherever you go, as your battery will no doubt suffer from the hours of endless fun that you spend playing the game.

Premise

The premise of the game is simple: you are playing as a small circle of colour, and each time you tap the screen your circle will jump up; it is your job to keep jumping as high as you can. As you jump you must navigate your way through a series of multicoloured shapes that move; you can only move through the part of the shape that is the same colour as your circle. After you have moved through each shape you will gain a point. In between shapes you will hit a colour changer, and once you’ve changed colour you must navigate through the next shape through the part that matches your colour. If you attempt to jump through, let’s say, a square, and your little blob is yellow, then you can only jump through the yellow part of the square. If you jump through the wrong colour then it’s game over and you must start again. The aim is to get the highest score possible and you will spend hours trying to beat your old score. If you’re interested then you can play the game here.

Conclusion

I can’t begin to tell you how much time I’ve spent in the last few weeks trying to beat my scores. Each time that I think I’m not going to be able to beat it I manage to surpass it, but then I want to beat that score and on I go. I’ve told so many friends about Colour Switch and now we are all trying to beat each other’s scores and sharing it on social media. I love Colour Switch so much; my bus journeys to work fly by with Colour Switch and the same goes for the other Poki games that I’ve found. They are simple, fun, easy to play and far too easy for me to while away my hours with my phone in my hand, not texting, not on social media, just hooked on these brilliant little games.

The post Why I Love the Game Colour Switch appeared first on All Peers.

Matthew Gertner - AllPeers: 5 Hacks to Boost Your Productivity at Work

June 22, 2016 04:55 PM

One of the best ways to make yourself invaluable at work is to enhance your efficiency. Co-workers and bosses know which employees stand out in terms of getting things done quickly and capably. To excel in your field, your goal is simple: Become the best version of yourself. Fortunately, there are many life hacks that can aid in your endeavor to boost your productivity at work. Start with these five basics.

Just Say No


Image via Flickr by TechStage

The act of declining invitations is a skill that’s important to develop. One of the worst situations you can face as a professional is a series of simultaneous deadlines. It’s the byproduct of trying to take on too much. As you try to increase your value to the company, you’ll feel the temptation to agree to every project available. In the process, you’re just as likely to become a detriment to the organization.

A single missed deadline harms multiple parties. Even if your overall percentage of met deadlines is strong, some co-workers will remember you as the person who failed to work in a timely manner on the one you missed. The best way to avoid this is by saying no any time you have a doubt about your current workload or the open project. Your peers will view you as someone with complete awareness of your capabilities.

Focus on Goals

To-do lists are popular for good reason. They help workers break down their daily tasks in itemized fashion. But on occasion, they’re also part of the problem. Anything you don’t include on your to-do list automatically falls by the wayside until you complete the listed tasks. That’s not the best way to demonstrate productivity at your job.

What you should do instead is prioritize goals. Your to-do list represents the minutiae of your daily life. Your goals are something different, and should go beyond your vocation. While they’re broader and harder to pinpoint, you should take the time to do so. Otherwise, you’ll discover that you are spinning your wheels by completing countless pointless tasks. Completing major goals, within and outside of work, will differentiate you from your peers.

Reply Immediately

Strategists call this the Inbox Zero system. The concept is simple. You might receive urgent emails and recognize that you need to craft a detailed response. Rather than do so immediately, you mark the message as unread, planning to reply in detail later. You might not realize it, but this tactic is a poor strategy for a couple of obvious reasons.

How much time did you just spend reading the email? By delaying reply, will you forget about the message entirely? That’s unlikely. Instead, the query will continue to distract you throughout the work day. You’ll consider then discard various options for reply even as you ostensibly complete other tasks. That’s wasted time, and that’s not even the worst part. You’ll also find yourself distracted, reducing the quality of work on the tasks you complete in the interim. The best thing you can train yourself to do is reply to emails as soon as you get them.

Use Productivity Apps

One of the best ways to improve your workday is by leveraging the power of your smartphone. Tens of thousands of developers constantly work to create and perfect productivity apps. Whatever your profession, others in the field have offered suggestions on improved performance.

You can download apps to take better notes, use Microsoft Office products, optimize your workflow, manage your inbox, and connect you to other experts in your field. You should get in the habit of perusing web sites that rank productivity apps. That way, you’ll always have your choice of the best programs to optimize your work life. You also need the right phone to use them. The Samsung Galaxy S7 has a large HD display, fast processor, and long battery life to help you work on multiple tasks to boost your productivity.

Just Do Something

The final piece of advice is most beneficial when you’re struggling to accomplish anything. Procrastination is the bane of productivity. When you’re sitting at your desk doing nothing, you’re at your worst.

The five-minute rule is the way to overcome what may be your worst habit. The concept is simple. Just do something for five minutes. It doesn’t matter what. As long as you work toward some goal, you’re enhancing your productivity and overcoming sluggishness.

Becoming more productive is a worthy goal. Follow the five tips above, and you’ll soon feel like the best version of yourself.

The post 5 Hacks to Boost Your Productivity at Work appeared first on All Peers.

June 21, 2016

Matthew Gertner - AllPeers: How to help children overcome travel anxiety

June 21, 2016 06:49 PM

Learn how to help children overcome travel anxiety in this post

Photo by US State Department courtesy CC user Liftarn on Wikimedia Commons

Family holidays can be a lot of fun. There’s the anticipation and excitement of going to a new place and exploring sights and sounds that you’ve never experienced before. To make it even better, you get to take your children with you, and you can have fun discovering all the hidden treasures a new location has to offer.

Unfortunately, some children do not travel well. The thought of traveling, either by plane or by road, for a long period of time, simply terrifies them. Flying can be especially scary for smaller children, who can easily get frightened by the large crowds in airports, as well as the loud strange noises on a plane. If your child suffers from travel anxiety, you know first-hand how stressful and draining it can be for both of you. Traveling can turn your normally serene child into an agitated, fussy, screaming and struggling bundle and this can quickly wear you out.

Sometimes, travel anxiety can catch you unawares. Your child might have been a fantastic traveler previously and only recently became fussier about it. It happens. In spite of all your holiday preparations, travel sickness and anxiety is the one thing you can never predict. The best thing you can do is to have a plan on how to handle the situation should it ever arise.

Here are some tips on how to help children overcome travel anxiety:

Fear of the unknown can be overwhelming for a young child. Talking to them about the trip ahead and what will happen might ease their anxiety. If you are taking a flight, start a fun discussion on planes and how they work. Try to prepare your child by reading books or showing them movies about planes, to prepare them for the trip.

The same applies to a road trip. Discuss the trip with your child and tell them about all the interesting things you’re likely to see on the way. This way, the trip, strange surroundings, sights and sounds won’t come as a complete surprise and they will be able to relax and enjoy it.

The best way to calm a child down is by comforting them. Once you board the plane, your child might start struggling or crying. You should do everything you can to calm them down and this might include hugging or holding them, singing a song or constantly reassuring them that you’re there and everything is going to be fine. Sometimes, all the child needs is the physical reassurance of your presence.

Parents everywhere will tell you how valuable toys are in distracting their fussy children. The choice of toys, of course, depends on the individual child. When packing for the trip, ensure you include a couple of their favorite toys to bring along with you. Something as simple as fun, rolling kids’ luggage can help increase their excitement and turn the trip from an ordeal into something more enjoyable. Consider packing your child’s toys or clothes in kids’ luggage that looks like cute animals and have them roll it themselves, to help them feel useful during the trip.

Alternatively, you could distract them from their anxiety using movies or music. Planes these days have onboard movies specifically geared towards children, so ask the flight attendants to show you some. The attendants are also experienced in dealing with anxious children and might have play packages that can help distract them. You can never be certain that these will be provided, so always pack your child’s beloved books or carry their favorite songs on an iPod to use during a trip.

In certain cases, a child’s travel sickness might have an underlying cause, such as hypoglycemia. It might be a good idea to take your child for a checkup prior to a major trip, to get any medical issues out of the way. For example, an ear infection or stomach trouble can worsen your child’s reaction to a trip, and a dose of medication can be of great help. Sometimes doctors can prescribe medicine to help your child calm down during the trip. Parents often have mixed feelings about this, so rely on your discretion to decide whether this is something you want to do.

Traveling with an agitated, wailing child can test the patience of any parent. During such times, it is important to keep calm yourself while reassuring your child. This might not always be easy to do but it helps to know that children often outgrow their travel anxiety. Most even calm down as the excitement of traveling takes over. The best strategy is to be prepared and to keep in mind that the anxiety will soon pass when you arrive at your destination.

The post How to help children overcome travel anxiety appeared first on All Peers.

CA on Security Management: Don’t get desensitized to cybersecurity threats [Technorati links]

June 21, 2016 02:00 PM
Cybersecurity threats are effectively omnipresent and have been for some time. Many of us are practically desensitized to them. Anyone who knows the signs of… The post Don’t get desensitized to cybersecurity threats appeared first on Highlight.

June 18, 2016

Matthew Gertner - AllPeers: Zero Waste Sapioponic House – the Most Exciting Eco Project Ever! [Technorati links]

June 18, 2016 10:59 AM

We all do our best to live in harmony with nature. Or at least we try – some don’t, but let’s not waste time with them right now. As technology advances, we now have more ways to reduce our ecological footprint, hoping to leave more of the world as it is today to the generations to come. The most exciting project of them all is the “Zero Waste Sapioponic House” initiated by Adam Kokesh, activist, YouTuber and self-published author.


What does “sapioponic” mean?

Sapioponic is a term that I think has much more right to be included in dictionaries than “selfie”. It covers the complete recycling of all waste material resulting from human activity – like the everyday organic waste turned into nutrients for the gardening system, and all energy needs generated using self-sustaining sources. Basically it covers the complete re-use of all waste generated by every human activity within the house.

Zero waste living off the grid

Kokesh’s objective is to build a homestead that can completely cover every need of four people, living completely off the grid. And by “completely”, he means that he won’t rely on outside sources for anything except an internet connection. He will need that if he wants to continue to post YouTube videos or play online slots from time to time.

The house is planned to rely on solar radiation as its source of electricity, and rainwater as its only source of water. All water collected will be used and recycled, except for what evaporates – that is the only waste produced by the house. Heating, if needed, will be provided through passive solar energy and an occasional fire, while cooling will be provided by cooling tubes and transom windows.

The water collected will first get into a water organizing module, which will handle its filtering to drinking water quality. The wastewater will be used in a way similar to aquaponic systems, providing nutrients to the planters with live cultures of red worms. The plan is to turn any solid waste into plant food, which in turn becomes human food and leads to the creation of more solid waste. That closes the circuit.

The project is massive, and will take quite some time to complete – up to 9 months, according to The Homestead Guru website. But once completed, it is planned to offer a completely independent way of life for a family of four. Those interested in his progress can follow Kokesh on Twitter, YouTube and various other social media outlets.

The post Zero Waste Sapioponic House – the Most Exciting Eco Project Ever! appeared first on All Peers.