What You Need to Know about the POODLE Security Vulnerability

Dominic Lachowicz

November 5, 2014

On October 14, 2014, Google researchers disclosed a vulnerability in version 3 of the SSL encryption protocol (SSL 3.0) that, in certain situations, lets an attacker recover plaintext from traffic encrypted with that version of the protocol. The vulnerability, dubbed "POODLE", is a "man in the middle" attack: a hostile actor sitting between a client and a server can push the connection down to SSL 3.0 and then decrypt portions of the sensitive data it carries, such as payment and cardholder information. SSL 3.0 is a security protocol that has been around for nearly two decades. Although SSL 3.0 is an older, outdated protocol that's been replaced by more secure alternatives, many pieces of software will fall back on SSL 3.0 if...
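As an added example (written for this page, not code from the original post or from Merchant Warehouse), the Python below is the check a practitioner wants after reading this: it hand-builds an SSL 3.0 ClientHello, sends it, and classifies the server's first record as either a ServerHello that negotiated version 3.0 (the server is still exposed to POODLE) or a rejection (an alert, or a closed connection). Raw bytes are used because the Python ssl module on a current OpenSSL can no longer speak SSL 3.0 at all. The block also shows the TLS_FALLBACK_SCSV signalling suite from RFC 7507, which a client includes when it retries at a lower version so that a patched server can refuse the downgrade with an inappropriate_fallback alert. The host name passed to probe_sslv3 is a placeholder the caller supplies; the ServerHello and alert records used to exercise the parser offline are constructed, not captured traffic.

```python
"""Probe whether a server still negotiates SSL 3.0 (added example, not from the original post)."""
import os
import socket
import struct

SSL3_VERSION = (3, 0)                      # wire encoding of SSL 3.0
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling suite sent on a fallback retry
# A short SSLv3-era cipher list (RSA key exchange with CBC and RC4), enough to elicit a ServerHello
SSL3_CIPHERS = (0x002F, 0x000A, 0x0005)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSL3_VERSION, ciphers=SSL3_CIPHERS, fallback=False, random_bytes=None):
    """Serialise a minimal ClientHello record for the given protocol version.

    fallback=True appends TLS_FALLBACK_SCSV, as a client must when it is retrying
    with a lower version than the highest it supports."""
    major, minor = version
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = tuple(ciphers) + ((TLS_FALLBACK_SCSV,) if fallback else ())
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes([major, minor]) + random_bytes
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                   # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(record):
    """Classify the server's first record: SSL 3.0 accepted, or rejected with an alert."""
    if len(record) < 5:
        raise ValueError("record shorter than a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if ctype == CONTENT_ALERT:
        if length < 2:
            raise ValueError("malformed alert")
        level, desc = payload[0], payload[1]
        return {"accepted": False, "fatal": level == 2, "alert": ALERT_NAMES.get(desc, str(desc))}
    if ctype == CONTENT_HANDSHAKE and length >= 6 and payload[0] == HS_SERVER_HELLO:
        negotiated = (payload[4], payload[5])               # server_version follows type(1) + length(3)
        return {"accepted": negotiated == SSL3_VERSION, "version": negotiated}
    raise ValueError("unexpected record type 0x%02x" % ctype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def probe_sslv3(host, port=443, timeout=5.0):
    """Live check; host is a placeholder supplied by the caller. A server that simply
    drops the connection on an SSLv3 hello is reported as a rejection too."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            header = _recv_exact(sock, 5)
            body = _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
        except ConnectionError:
            return {"accepted": False, "alert": "connection_closed"}
        return parse_server_response(header + body)


def sample_server_hello(version):
    """Constructed ServerHello record (not captured traffic) for exercising the parser offline."""
    major, minor = version
    body = bytes([major, minor]) + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed fatal inappropriate_fallback alert, what a patched server sends on a fallback retry
SAMPLE_FALLBACK_ALERT = bytes([CONTENT_ALERT, 3, 0, 0, 2, 2, 86])

if __name__ == "__main__":
    print(parse_server_response(sample_server_hello(SSL3_VERSION)))
    print(parse_server_response(SAMPLE_FALLBACK_ALERT))
```

Run probe_sslv3 against your own gateway; a result with "accepted": True means SSL 3.0 has to be switched off server-side, since the POODLE weakness is in the protocol's CBC padding rather than in any one implementation.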

Merchant Warehouse Open Sources Netty

Dominic Lachowicz

April 17, 2014

The Merchant Warehouse team is excited to announce that we're open sourcing Netty, a small, fast, embeddable web server and ASP.NET application server. Netty was inspired by Jetty, an embedded Java web server and Servlet container. Like Jetty, Netty is designed to run in-process, which is extremely useful when you want to quickly start serving static or dynamic content but don't want or need the overhead of using IIS. Anything that you can host in IIS, you should be able to host in Netty, including:

- ASP.NET web pages
- SOAP web services written using WCF or ASMX
- RESTful web services written using WebAPI
- Static content, such as HTML, CSS, JavaScript, and images
- And more!

Why would you want to use Netty? Netty is a great software testing companion. Spin up a web server in your test...

The Heartbleed Bug: What You Need to Know

Dominic Lachowicz

April 11, 2014

The Heartbleed Bug is a very serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows attackers to steal information that's protected under normal conditions by SSL/TLS encryption, the standard used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of systems running vulnerable versions of the OpenSSL software, up to 64 KB at a time per malformed heartbeat request and without leaving a trace in the server's logs. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and their sensitive data. This allows attackers to eavesdrop on...
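To make the bug concrete, here is an added example (Python written for this page, not OpenSSL's code and not from the original post): a heartbeat record is laid out in a constructed "process memory" buffer next to data that must never leave the server, then processed once by a handler that trusts the declared payload length, as the vulnerable OpenSSL versions did, and once by a handler that applies the bounds check the OpenSSL 1.0.1g fix added. The cookie and key material in the buffer are made-up sample data.

```python
"""Heartbeat handling before and after the Heartbleed fix (added example, not OpenSSL's code)."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16                          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload, declared_length=None):
    """Encode a heartbeat request. declared_length lets the caller lie about the
    payload size, which is exactly what a Heartbleed probe did."""
    declared = len(payload) if declared_length is None else declared_length
    return bytes([HB_REQUEST]) + struct.pack("!H", declared) + payload + b"\x00" * HB_PADDING


def vulnerable_process_heartbeat(memory, offset, record_len):
    """Pre-fix behaviour: trust payload_length and copy that many bytes from the
    payload start, even though only record_len bytes belong to the record."""
    hbtype = memory[offset]
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    if hbtype != HB_REQUEST:
        return None
    start = offset + 3
    echoed = bytes(memory[start:start + payload_len])      # over-reads whatever follows the record
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * HB_PADDING


def patched_process_heartbeat(memory, offset, record_len):
    """Post-fix behaviour: discard records whose declared payload cannot fit, mirroring
    the two length checks the fix added (the second is '1 + 2 + payload + 16 > record length')."""
    if record_len < 1 + 2 + HB_PADDING:
        return None                                         # silently discard
    hbtype = memory[offset]
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    if 1 + 2 + payload_len + HB_PADDING > record_len:
        return None                                         # silently discard
    if hbtype != HB_REQUEST:
        return None
    start = offset + 3
    echoed = bytes(memory[start:start + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * HB_PADDING


def echoed_payload(response):
    """Strip the heartbeat response framing and return what the server echoed back."""
    (payload_len,) = struct.unpack("!H", response[1:3])
    return response[3:3 + payload_len]


def simulate(declared_length):
    """Place a heartbeat record in a constructed memory buffer, followed by data that
    should never leave the server, and run both handlers over it."""
    record = build_heartbeat_request(b"ping", declared_length)
    secret = b"Cookie: session=deadbeef; BEGIN PRIVATE KEY material..."   # constructed sample, not real
    memory = bytearray(record + secret + b"\x00" * 64)
    return (vulnerable_process_heartbeat(memory, 0, len(record)),
            patched_process_heartbeat(memory, 0, len(record)))


if __name__ == "__main__":
    vulnerable, patched = simulate(100)
    print("vulnerable echoed:", echoed_payload(vulnerable))
    print("patched response:", patched)
```

The honest request (declared length equal to the real payload) is answered by both handlers; the lying request is answered only by the vulnerable one, and its reply carries the neighbouring buffer contents.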

Merchant Warehouse Announces zucchini

Dominic Lachowicz

March 12, 2014

Today Merchant Warehouse is excited to announce that we're open sourcing our extensions to cucumber-jvm, called zucchini. Zucchini is a set of extensions to the cucumber-jvm Behavior-driven Development (BDD) framework that make it significantly easier to use. Cucumber lets software development teams describe how software should behave in plain text. The text is written in a business-readable domain-specific language and serves as documentation, automated tests and development aid, all rolled into one format. We love Cucumber, but it very much feels like a Ruby framework ported to Java. Like square pegs and round holes,...

Merchant Warehouse Open Sources Extensions to Log4net

Dominic Lachowicz

March 5, 2014

More exciting news from the Merchant Warehouse engineering team as they open source the Company's extensions to log4net, called syslog4net. These extensions allow log4net to interoperate with Syslog servers, in particular Splunk. Log4net is the de facto logging standard for the Microsoft .NET runtime. Logging frameworks like log4net enable developers to record events in their application, providing an audit trail that can be used to understand the system's activity and diagnose problems. Syslog, on the other hand, is an IETF standard for message logging. Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. With Syslog, software applications and physical devices like printers and routers can send...
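Since the interoperability point hinges on the wire format, the following Python is an added example (written for this page, not syslog4net's code) that encodes and decodes an RFC 5424 syslog message: the PRI value computed as facility * 8 + severity, the seven-field header, and structured data with the escaping rules for quotes, backslashes and closing brackets inside parameter values. The host name, application name and sample events are constructed.

```python
"""Minimal RFC 5424 syslog encoder and decoder (added example; not syslog4net's code)."""
import re

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
NILVALUE = "-"


def priority(facility, severity):
    """PRI = facility * 8 + severity: the number inside the leading angle brackets."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def _sd_escape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be backslash-escaped
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(facility, severity, hostname, app_name, msg, timestamp,
                   procid=NILVALUE, msgid=NILVALUE, structured=None):
    """Build one message. timestamp is an RFC 3339 string such as 2014-03-05T14:07:00Z;
    structured maps SD-ID -> {param: value}."""
    if structured:
        sd = "".join("[%s %s]" % (sd_id, " ".join('%s="%s"' % (k, _sd_escape(v))
                                                   for k, v in params.items()))
                     for sd_id, params in structured.items())
    else:
        sd = NILVALUE
    header = "<%d>1 %s %s %s %s %s" % (priority(facility, severity), timestamp,
                                         hostname, app_name, procid, msgid)
    return "%s %s %s" % (header, sd, msg)


_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")


def parse_rfc5424(line):
    """Decode the header, split off STRUCTURED-DATA (honouring escaped ']'), return a dict."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    rest = line[m.end():]
    if rest.startswith(NILVALUE):
        sd, msg = NILVALUE, rest[1:].lstrip(" ")
    else:
        i = 0
        while i < len(rest) and rest[i] == "[":          # one or more SD-ELEMENTs
            i += 1
            while i < len(rest) and rest[i] != "]":
                i += 2 if rest[i] == "\\" else 1           # skip escaped characters
            i += 1                                         # past the closing ']'
        sd, msg = rest[:i], rest[i:].lstrip(" ")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "app_name": m.group(4), "procid": m.group(5),
            "msgid": m.group(6), "structured": sd, "msg": msg}


if __name__ == "__main__":
    # constructed sample event
    line = format_rfc5424("auth", "warning", "gw01", "syslog4net", "login failed for user bob",
                          "2014-03-05T14:07:00Z", structured={"auth@32473": {"user": "bob", "src": "10.0.0.5"}})
    print(line)
    print(parse_rfc5424(line))
```

Splitting facility and severity back out of PRI is what lets a collector such as Splunk route auth-facility warnings differently from local0 debug chatter, so getting the arithmetic right on the sending side matters more than it looks.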

Creativity and Teamwork – Merchant Warehouse Hosts Inaugural Hackathon

Dominic Lachowicz

February 27, 2014

In late January, Merchant Warehouse hosted its inaugural Hackathon. Its mission: to unite, roll out, and disrupt. But what exactly is a Hackathon and why would we have them? In a nutshell, a Hackathon is a three-day event where our engineers have free rein to work on projects they think will be useful, fun or cool. The 72-hour extravaganza kicks off with very little fanfare. Heads down: for the next two days, regularly scheduled projects take a back seat while engineers build, code and hack away on something that fascinates them, whether it be an issue they want to solve, a process they'd love to streamline or improve, or something completely fantastical they want to build. They're encouraged to play around with Merchant Warehouse's rich wealth of data and they have a chance to...

Saved by the ‘Shark’ – Leveraging a Valuable Tool

Dominic Lachowicz

November 14, 2013

Fifteen years ago Gerald Combs released a little network protocol analyzer called Wireshark (then called Ethereal). At the time it only dissected five protocols and only ran on Linux and Solaris. He decided to share it with the world and released it as open source software. Immediately after the release he started receiving code from people around the world. They had problems similar to his and were able to modify the little analyzer to suit their needs. They were also kind enough to contribute those modifications back. Those contributions haven’t stopped to this day and Wireshark has grown into a mature, feature-rich, award-winning network analysis tool. People around the world use it to troubleshoot networks, develop software and protocols, and to learn about networking...

Leveraging Behavior Driven Development: Making it Work

Dominic Lachowicz

August 27, 2013

A few years ago, I read Eric Evans’ seminal book “Domain-Driven Design” and (more recently) Vaughn Vernon’s equally excellent follow-on “Implementing Domain-Driven Design”. Both of them have had a transformative effect in how I build and design software. In many startups, you’re called on to wear many hats. In addition to traditional development manager and architect roles, I’ve often found myself filling in for product owner and quality assurance roles. Coming from a Lean/Agile background, the way that one typically captures requirements (and to a lesser extent, test cases) is through a User Story’s acceptance criteria. Acceptance criteria are generally expressed as a checklist – they’re how you know when you’re done your job. I’d always felt that – even with my system’s architecture,...

Lean Prototyping: Learning and Doing in Today’s Development World

Dominic Lachowicz

August 21, 2013

It was my Junior year of College at the University of Pennsylvania. I was in CS350, working with Professor Jonathan Smith on the semester's final project: implementing a basic web browser in Tcl/Tk, complete with JavaScript support via Rhino. I was about a week into the project when I recognized that I'd have to scrap my design and most of the code. In order to implement tables that reflowed, I'd need to rethink how I designed my layout engine and probably throw away a substantial amount of code. I was talking to Professor Smith, lamenting that I'd need to redo so much work. He just stood there and grinned at me. With a fatherly look about him, he calmly walked to his bookshelf and gave me a copy of Fred Brooks' Mythical Man Month. He said something to the effect of "welcome to software...

Making the Most of Your API: Lessons Learned When You (and a Partner) Aren’t Speaking the Same Language

Dominic Lachowicz

July 30, 2013

Over the past couple of weeks, a few members of our development team have been working part-time to upgrade one of our applications to the latest version of a partner's SOAP-based API. This partner recently announced that they were (rather abruptly) discontinuing support for the previous version of their API. One of their goals was to maintain API compatibility, so in theory, all that was supposed to be required of us to complete this upgrade was to:

- Upgrade our operating system (OS) to Windows Server 2008.
- Import a few new digital certificates into our certificate chain. Our partner was enhancing their system to use a stronger security mechanism.
- Point our application at a different URI that supposedly supported the same set of SOAP messages.

In theory, this should have been a quick...