Tuesday, November 4, 2008

Speaker at PMI Congress in Brazil

Hello All,

I will be presenting a case study on my experience of moving from formal project management methodologies to Scrum. The conference will be in Recife - PE and is held by the PMI Chapter of Pernambuco.


Monday, July 14, 2008

Google Releases Web Security Assessment Tool

Google has just released an open-source web security assessment tool called ratproxy.

"Ratproxy is a semi-automated, largely passive web application security audit tool."

According to the documentation of the tool, ratproxy offers several important advantages over more traditional methods and tools like WebScarab, Paros, Burp, ProxMon and Pantera.

  • No risk of disruptions.

  • Low effort, high yield.

  • Preserved control flow of human interaction.

  • WYSIWYG data on script behavior.

  • Easy process integration.

The best way to decide might be giving it a try!

Wednesday, June 18, 2008

eBay DevCon 08 - Slides for Presentations

Unfortunately we did not receive a CD with all the presentations from the eBay Developer Conference 08 (eBay guys, here is a suggestion for ebaydevcon09), but you can go to the Conference Sessions pages and download some PDFs of the presentations.

Not all of the presentations are there at the moment!

eBay DevCon 08 - Wed18 11:30 PayPal Integration Strategies

This talk was given by Chad Hofman (Technical Integration Manager, PayPal) and Kurt Kellberg (Integration Engineer, PayPal).

The APIs can be called through SOAP or NVP. It is recommended to use SOAP only if you really know SOAP. NVP is simple to use and can get you up and going easily.

API Certificate Credentials are mandatory for large merchants and are a little bit safer than Signature Credentials. Handling timeouts is something that must be done by the developer doing the integration, though many APIs respond in less than one second and 95% of all API responses arrive in under five seconds. APIs that move money take longer.

Logging is obviously a good idea for all developers. It is recommended that at a minimum one should log the CorrelationID from the API Response, and ideally the entire API Request and Response (make sure to strip out the sensitive data).
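One way to follow this logging advice for NVP calls, as an added example (not code from the presentation or from PayPal). The redaction list is an assumption the integrator must adapt, and the sample request and response are constructed:

```python
import json
import logging
from urllib.parse import parse_qsl

# Assumption: the integrator's own redaction list. USER, PWD, SIGNATURE, ACCT,
# EXPDATE and CVV2 are PayPal NVP parameter names; extend the sets to cover
# every call you actually make.
SECRET_FIELDS = {"USER", "PWD", "SIGNATURE", "CVV2", "EXPDATE"}
CARD_FIELDS = {"ACCT"}  # card number: keep only the last four digits

# Constructed sample data (test card number, made-up credentials).
SAMPLE_REQUEST = (
    "METHOD=DoDirectPayment&VERSION=51.0&USER=api_user_example"
    "&PWD=example-password&SIGNATURE=EXAMPLESIGNATURE"
    "&ACCT=4111111111111111&EXPDATE=122010&CVV2=123&AMT=10.00"
)
SAMPLE_RESPONSE = (
    "TIMESTAMP=2008%2d06%2d18T16%3a30%3a00Z&CORRELATIONID=abc123def4567"
    "&ACK=Success&AMT=10%2e00"
)


def parse_nvp(raw: str) -> dict:
    """Decode a URL-encoded NVP string into a dict (last value wins)."""
    return dict(parse_qsl(raw, keep_blank_values=True))


def redact(fields: dict) -> dict:
    """Return a copy of the NVP fields that is safe to write to a log."""
    safe = {}
    for name, value in fields.items():
        key = name.upper()
        if key in SECRET_FIELDS:
            safe[name] = "[REDACTED]"
        elif key in CARD_FIELDS:
            digits = "".join(ch for ch in value if ch.isdigit())
            # Very short values are masked completely.
            tail = digits[-4:] if len(digits) > 4 else ""
            safe[name] = "*" * (len(digits) - len(tail)) + tail
        else:
            safe[name] = value
    return safe


def build_log_record(request_raw: str, response_raw: str) -> str:
    """Build one JSON log line for a request/response pair."""
    request = redact(parse_nvp(request_raw))
    response = redact(parse_nvp(response_raw))
    record = {
        # The CorrelationID is the minimum worth keeping for each call.
        "correlation_id": response.get("CORRELATIONID", "<missing>"),
        "ack": response.get("ACK", "<missing>"),
        "request": request,
        "response": response,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    logging.getLogger("paypal.api").info(
        build_log_record(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    )
```

A deny-list like this only protects the fields it names, so review it whenever a new API call is added to the integration.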

Know the difference between ECS (Express Checkout Shortcut - it is a clickable button and must redirect to PayPal) and ECM (Express Checkout Mark - just a graphic, use with radio buttons or a drop-down menu). All graphics should be hosted at PayPal.

The presentation showed on which Express Checkout flows and pages the integrating developer may change the look and the information being displayed.

This presentation is much more useful if you download and read it. It is full of integration examples and pitfalls. Very useful to the developers.

eBay DevCon 08 - Wed18 10:30 force.com & eBay - Building apps in the Cloud

This talk was presented by Dave Carrol, Principal Developer Evangelist, Salesforce.com.

By the way, there is a difference between force.com and salesforce.com. Force.com is the software platform which provides the services used by all the salesforce.com applications. The services in the force.com platform include database, infrastructure, integration, logic, user interface and application exchange, all of them provided as a service.

Salesforce's business is based on SaaS, which stands for Software as a Service, and offers a multitude of basic and advanced services that you can use to integrate and build your own application.

Their infrastructure scales horizontally in a so-called Pod Architecture, with mirrored database clusters and app servers in 3 data centers in the US. The database service offers 8,700,00+ customizations and 160,000 SQL statements per sec, allowing the user to create tables, add fields, build relationships, have automatic backups etc.

The Web Services SOAP API handles 1.75 billion API calls per month with a lifetime 28+ billion total API calls.

Apex is a language that allows users to program logic which is compiled and run on the server. The language is integrated with the database in some specific ways, triggers for example, and is transactional. It is not a general-purpose language, but it is Java-like, strongly typed, transactional, schema-aware and secured (no endless loops allowed). A higher level of development is also possible, based on declarative logic (point and click) and formula-based logic (similar to Excel).

Dave finished his presentation by showing the development platform (based on Eclipse) and creating a simple application using the web interface provided by the salesforce platform.

Here is the link to the presentation.

eBay DevCon 08 - Wed18 09:30 eBay & PayPal Trust & Safety

This is a discussion panel having John Canfield (Senior Director, Trust & Safety Global Policy Management) as moderator and Liam Lynch (Senior Director, Marketplaces Chief Security Strategist), Michael Barrett (VP, Information Risk Management, PayPal Chief Information Security Officer) and Amjad Hanif (Senior Director, Trust & Safety Product Management) as panelists.

Q: What suggestions would you give to PayPal developers to make their site safer? - The IT industry is not as worried about security as it should be, but developers and customers are assured that PayPal does put a lot of effort into it. Focusing on the basic issues (cross-site scripting, SQL injection and buffer overflow) is a big step forward. The PayPal and eBay teams rely on community feedback to guide their development.

PayPal & eBay are more worried about the overall security of the users.

Member-to-member communication on eBay will be done anonymously to prevent emails from being harvested. All communication will be done through the eBay platform. Another option will be to have an email address used only for member-to-member communication.

There were some complaints from users about their accounts being canceled based on fraud reports from other users. The accounts are gone for a week, no matter how low the percentage of violations reported on one account is, especially for those dealing with brand products.

Tuesday, June 17, 2008

eBay DevCon 08 - They talked about me... :)

This morning I spoke with Lucy Suros, who is a writer blogging about the eBay Dev Con. She was very kind during our conversation and wrote about this brief chat on the PayPal Developer blog.

"Just this morning I spoke with Daniel from Brazil. He works for UOL, one of the largest content providers in that country. He traveled all the way to Chicago to learn how he might be able to leverage PayPal for billing and payments, and was particularly interested in PayPal’s plans to more aggressively expand into Central and South America. UOL sounds like a cross between New York Times, iTunes, AOL, and craigslist. Daniel notes that Brazilians don’t feel safe entering their credit card information on the Web. Sounds to me like a perfect fit for PayPal."

Click here for the whole post!

eBay DevCon 08 - Tue17 14:30 Keynotes

Another keynote session started now with Rajiv Dutta (President of eBay).

Mike Shaver (Director of Ecosystem Development, Mozilla) is an Evangelist from Mozilla and came to present about The Web. "The web loves people" ... "We love the web right back"! He spoke about how developers can help make the web better, what the tools for the web are today, cloud computing, web-friendly sites, Firefox 3 etc.

Tony Hsieh (CEO, Zappos) co-founded Link Exchange (a cooperative advertising network) in 1996 and sold it to Microsoft in 1998 for US$ 265 million. He is now CEO of Zappos, a US$ 834 million business, and spoke about his relationship with the customers, focusing on the best service they can offer them and on listening to them (24x7 support and a 1-800 number on every page).
Zappos takes "the best sale for the customer" motto seriously: if a customer cannot find the shoe they are looking for in their shop, they redirect the customer to one of the competitors' sites!!
The word "transparency" was repeated many times during Tony's talk! Having the right culture and spreading it to everyone matters (they have a book explaining the company's culture). Tony shared some stories with the audience (flowers to the widow, money in the returned purse, pizza order) to emphasize the cultural aspects of the company and its employees. "Culture and brand are two sides of the same coin".

John Donahoe (President and CEO, eBay) is now on stage commenting on how eBay tries to assimilate this concept of focusing on the client just presented by Tony from Zappos, by holding executive meetings with them. He said at the beginning of his presentation "You [developers] are very important to us!". He also mentioned that eBay is very excited about Project Echo and asked for feedback, thoughts, support and ideas from the developer community.

The day has reached its end (on eBay Devcon, at least) :)

eBay DevCon 08 - Tue17 13:00 Fighting Online Fraud

This talk was given by Ryan D'Silva (Product Manager, Risk Tools, PayPal) about PayPal's actions to combat fraud, right after lunch today which, by the way, was really good.

Online fraud nowadays is huge and the losses are bigger than the economies of some countries, including Ireland. Fraud costs everyone, from merchants and customers to banks and PayPal itself (detection and investigation costs, customer dissatisfaction, account closures, dispute and claims costs).

Merchants are probably the ones bearing most of these losses, because banks and acquirers tend to support the buyer instead of the seller in these cases.

Ryan spoke about the need for sellers to be PCI compliant. It is not mandatory, but it is a great idea, though keeping the locks closed is a very difficult task.

The talk then went back to how to avoid phishing and to using the PayPal Security Key. A good resource on fighting phishing is here.

It is important that each merchant identify what fraud looks like in their business, because this may vary a lot. Analyzing the transaction history for any account is a fundamental tool for understanding and identifying fraud indicators.

After knowing your business, develop a process: Identify the riskiest payments, Investigate suspicious patterns, Contact and confirm their order,

AVS (Address Verification Service) was presented as a service that could be used as an indicator for fraud. CVV2 may also be a tool to aid the fraud detection.

Check the fraud report maps on worldbank.org for countries that generate a lot of suspicious activity, so that you can use IP filtering and mapping.
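A sketch of the "identify the riskiest payments" step, combining the indicators mentioned above (AVS, CVV2, IP country and the account's transaction history). This is an added example, not material from the talk or a PayPal tool; the field names, weights, threshold, watchlist entry and sample payments are all assumptions or constructed data that a merchant would replace with their own:

```python
from statistics import median

# Assumptions: weights and threshold are placeholders to tune against
# your own chargeback history.
WEIGHTS = {
    "avs_mismatch": 2,
    "cvv2_mismatch": 3,
    "ip_country_watchlist": 2,
    "ip_billing_country_differs": 1,
    "amount_outlier": 2,
}
WATCHLIST = {"ZZ"}        # placeholder country code, not a real listing
REVIEW_THRESHOLD = 4      # payments at or above this score get a manual check

# Constructed transaction history and incoming payments.
SAMPLE_HISTORY = [
    {"account": "a1", "amount": 20.0},
    {"account": "a1", "amount": 25.0},
    {"account": "a1", "amount": 30.0},
]
SAMPLE_PAYMENTS = [
    {"id": "t1", "account": "a1", "amount": 22.0, "avs": "match",
     "cvv2": "match", "ip_country": "US", "billing_country": "US"},
    {"id": "t2", "account": "a1", "amount": 400.0, "avs": "mismatch",
     "cvv2": "match", "ip_country": "US", "billing_country": "US"},
    {"id": "t3", "account": "a2", "amount": 900.0, "avs": "mismatch",
     "cvv2": "mismatch", "ip_country": "ZZ", "billing_country": "US"},
    {"id": "t4", "account": "a1", "amount": 30.0, "avs": "match",
     "cvv2": "mismatch", "ip_country": "US", "billing_country": "US"},
]


def indicators(txn, history):
    """Return the names of the fraud indicators that fire for one payment."""
    hits = []
    if txn["avs"] != "match":
        hits.append("avs_mismatch")
    if txn["cvv2"] != "match":
        hits.append("cvv2_mismatch")
    if txn["ip_country"] in WATCHLIST:
        hits.append("ip_country_watchlist")
    if txn["ip_country"] != txn["billing_country"]:
        hits.append("ip_billing_country_differs")
    # Compare against the account's own history; a new account has no
    # baseline, so the outlier check is skipped rather than guessed.
    past = [t["amount"] for t in history if t["account"] == txn["account"]]
    if len(past) >= 3 and txn["amount"] > 3 * median(past):
        hits.append("amount_outlier")
    return hits


def review_queue(payments, history):
    """Payments to contact and confirm, riskiest first."""
    queue = []
    for txn in payments:
        hits = indicators(txn, history)
        score = sum(WEIGHTS[h] for h in hits)
        if score >= REVIEW_THRESHOLD:
            queue.append((score, txn["id"], hits))
    return sorted(queue, key=lambda item: (-item[0], item[1]))


if __name__ == "__main__":
    for score, txn_id, hits in review_queue(SAMPLE_PAYMENTS, SAMPLE_HISTORY):
        print(f"{txn_id}: score={score} indicators={', '.join(hits)}")
```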

It was a very interactive talk, and at the end Ryan had to speed up a little bit, so he gave a quick presentation on the tools that PayPal offers to help merchants identify possibly fraudulent purchases and buyers. They have a team of chargeback specialists to support false or fraudulent chargebacks.

The PayPal Developer forums are monitored to find questions related to fraud, and the developers will receive responses as fast as possible. PayPal has the most interest in helping developers to help their customers to fight fraud.

eBay DevCon 08 - Tue17 11:00 Phishing Lessons from the biggest fish in the sea...

This talk is about Information Security, given by Michael Barrett (Chief Information Security Officer, PayPal).

Trying to block fraudulent emails was not the answer because bad guys would increase the amount of email they sent. PayPal focused on the backend to counter attack phishing.

However, there is no silver bullet when fighting on-line fraud. The approach is educate and prevent. Preventing can be done by educating: no consumer should ever click on links in emails, but should instead open a new browser and go to "www..com". The problem with this advice is that links are convenient for users, it would require hundreds of millions of users to change their behavior, and even more, it would require mass removal of links from emails. Trusting email is one of the biggest challenges we have to overcome.

One of the ways to start the education is through the web pages themselves. Give some space on your web site to inform the user what phishing is and how to avoid it.

Another step PayPal took was to talk to the ISPs. There are thousands of ISPs around the world, but they are talking to the larger ones (which account for about 50% of e-mails sent today). This was a very effective approach: they are now signing their messages, and users can see in their inbox which messages have been signed.

The PayPal security team talks a lot about the Safer Browser. Use the built-in blacklists supported by the new browsers, plus other configuration and add-ons, to make your browser more intelligent in handling phishing sites.

Extended Validation Certificates are "just another" kind of SSL certificate. PayPal uses VeriSign to provide these certificates, and it is recommended to suggest this kind of certificate for merchants' sites as well; this will help consumers trust those web sites, and also the whole community dealing with selling and paying on-line. With this certificate the browser shows a green bar in its URL field, indicating that this is a safe web site.

PayPal is using a Security Key, an electronic token, and over 70% of PayPal Security Key users were likely to use PayPal more because of it.

Again, partnership is key. Michael spoke about the Unified Front, a partnership including PayPal, eBay, Yahoo!, Google, MSN, Verisign, AOL and the law enforcement authorities in the USA. Normally, companies do not share what they are doing to run their business, but when the subject comes to fraud detection and prevention, sharing information is the best solution.

This is what they've been doing, and the amount of phishing related to PayPal has decreased dramatically since 03/2006. This study and its results can be found in a PDF they have published.

eBay DevCon 08 - Tue17 10:00 It's all about money

This talk from Jason Korosec (GM, Developer Platform, Product Management, PayPal) started as a lesson on the history of money, currency and the value behind it. That is not what the abstract for the talk promised, but it has been quite an interesting lesson... so far! ;)

Jason showed the value network where PayPal acts as an intermediary between Seller and Buyer and the whole financial system (Payment Network, Issuer Bank and Acquirer Bank).

PayPal calls on the developer community (and helps them do it) to build applications that would allow the Seller and Buyer to use the whole Value Network in a simpler manner.

As a suggestion, one should take the PayPal Developer Certification exam and this would open the doors to reach the Buyers and Sellers in need, or even those who still don't know what they need.

eBay DevCon 08 - Tue17 09:30, PayPal technology Roadmap & Panel Discussion

This talk is a panel with Glenn Lim (General Manager, Alliances and Developer Services) as moderator and Dickson Chu (VIP Global Product), Matthew Mengerink (VP Core Technologies) and Osama Bedier (VP, Technology and Engineering) as panelists.

The first question was about providing a better API for shipping (FedEx for example), and the reply is that this will be considered next year in the roadmap.

Q: Another question was about being able to join more than one account into one drop-down and being able to transfer money between them (like husband and wife). The answer is that this is a fundamental feature in the core of the fraud system and a hard-to-change paradigm. The PayPal team informed that one possibility would be the sub-account feature.

Q: The IPN was intended to be a guaranteed way for the customer to receive any message related to his/her account. There were some recent problems and they are redesigning the system from the ground up (today it tries 16 times to send a message). It was asked to have a simple button to resend an IPN, and they informed that the next API will allow someone to ask for IPNs from a starting date to an ending date.

Q: About shipping? - today it is not possible to send a status update to the eBay platform like, for example, telling PayPal that the items were shipped; PayPal's answer is that they will think hard about it.

Q: Sending money API? - it is definitely coming. A Split Payment API is also coming.

Q: What are the plans for global expansions? - they are expanding through the globe aggressively. Central and South America are interesting markets for them. They just rolled out in Mexico and Brazil. These regions are exciting for them and will be a focus.

Q: Support to libraries? - PayPal will no longer support the libraries that were distributed in the past.

Q: Advanced information about features? - today they are doing release notes and asking developers what they want to be exposed within PayPal. PayPal is a web company (innovates like mad) and is also a payments company (needs stability). This year it is more a dialog about new features and not a one-way communication, i.e. PayPal wants to hear the developers.

Note: PayPal wants to help the developers help their customers. This seems to be the main topic during this conference. Lots of the moves from PayPal show this and it is the right way to go. If we look at eBay, nowadays they have a community of 70000 developers. Which company could afford that? And they get it "for free". The development of a more complete, stable and secure API is also a concern for the company.

Q: Will it be possible to add other email addresses and migrate accounts from old emails (which are not used anymore)? - this is not a frequent request, but they will give it some thought.

That was it!

eBay DevCon 08 - Mon16 15:30, New PayPal Integration Tools for Developers

In this talk, 3 guys from the PayPal team presented basically three sets of tools:
Wizard: The only interesting stuff in my opinion. This wizard has an interface to help developers or merchants build an integration with PayPal from scratch by clicking and providing basic answers. It generates usable code, but it lacks the ability to let the user set up optional parameters for APIs. You may take a look at it, after all, you are a developer, right?
Button Designer and Sandbox: This part of the presentation was really basic, except for two things: PayPal will start to have the ability to let merchants manage their sales and profit (if you decide to provide eBay with sensitive information about your business) on eCommerce. Just to remind you, in this presentation they also showed the IPN Simulator.

Post comment: link to the presentation.

eBay DevCon 08 - Mon16 13:30, Inside the Black Box - PayPal's Deployment Architecture

This presentation was given by Jeff Meyer, Distinguished Architect (another nice job name!!) with PayPal. As he explained, more on a Software Architect than SysAdmin side. In my opinion this presentation was very shallow regarding architecture. I wasn't expecting an in depth presentation about the insides of their platform (for obvious reasons like security, business interests and time-boxed presentation), but it could be a little bit more into the platform architecture.
Anyway, Jeff gave some information about the technologies they use, like:

  • Application Servers are Linux Based over Intel

  • C++ is used to write most of the code of the platform

  • Apache on the front-end with CGI

  • webscr to handle the browser based interaction

  • Frontend SOAP and Name-Value Pairs (NVP)

  • SSL

  • Oracle Database (on Solaris)

Well, that was pretty much everything new for someone used to dealing with on-line payments, like me.

Post comment: link to the presentation.

eBay DevCon 08 - Mon16 13:30, What's New with the PayPal Developer Program

This presentation was given by Damon Williams, Senior Manager, Developer Program at PayPal, with whom, by the way, we had breakfast.
PayPal really is focusing on bringing the developer community to work with them. The PayPal Developer Certification is just a part of it. They have a Directory to list the Certified Developers and this has been an interesting opportunity for the ones who took (and passed) the test.
Besides the certification, PayPal provides Marketing Material for the developers to promote their skills and/or companies; provides education through training and conferences; provides tools (SDK, code samples, sandbox).
The new Developer Central is in beta stage, but already has a lot of information for the developers.

While talking to him before the presentation, I asked how many developers they have for PayPal alone, and the answer was: "around a couple of thousand".

He spoke a little bit about the Recurring Payment and Express Checkout APIs. There was also a brief presentation on the IPN Simulator, now available to developers in the sandbox.

Post comment: link to the presentation.

eBay DevCon 08 - Mon16 Lunch Talk

During lunch Glenn Lim gave his presentation on PayPal and some more numbers:

  • 141,000,000 users

  • 9-year-old company

  • it's a US$ 2 billion business

  • US$ 3 billion stored in account; spent every 2 weeks

  • It manages 12% of total e-commerce in the world

He spoke about the new Developer Site and API.

Then Peeter Mõtsküla spoke about Skype and (guess what?) gave us some numbers:

  • 28 languages

  • 300,000,000 people connected

  • 100,000,000,000 conversations done so far

He also spoke about the new Skype Developer Site and the new pricing model for the ones who want to have their application to be Skype Certified.

Later on, Mike Miller briefly spoke about his later presentation about ProStore.

eBay DevCon 08 - Mon16 11:30, eBay/PayPal checkout

The 11:30 presentation I watched was given by Jon Jessup from Infopia.
It was called eBay/PayPal checkout and it focused on the experience the guys from Infopia have had integrating on-line payments with PayPal over 8 years of partnership.
He presented their impressions on using the Direct Payment and Express Checkout integration options. Basically Express Checkout is the most modern solution and the use of IPN (Instant Payment Notification) is the best option eBay offers now for integration.

Later on, he spoke about the Recurring Payments support PayPal is offering through their API, and as a general comment he said that the most difficult part of integrating with PayPal is the environment setup; once you are past this part, everything is smoother.
Since the beginning of this year, PayPal started charging its clients for the AVS check, which forced most of Infopia's clients to remove this option from their shops.

Lunch Time!!

Post comment: link to the presentation.

Monday, June 16, 2008

eBay DevCon 08 - Mon16 Keynote

This was the first talk of the day.
Rajiv Dutta (President of eBay) opened the session and gave some numbers which show how gigantic this company is. I've noted some of them which were not on the slides they were using, so let's hope I got them right.
For eBay

  • more than 2000 internal developers

  • more than 70000 developers around the world

  • 84,000,000 users

  • 1 billion page views last year

  • volume of transactions is twice as big as the one from NY Exchange

For PayPal

  • 190 countries

  • 17 currencies

  • 141,000,000 users

  • 1/3 of all adults of England are registered

  • 1.3 million people live totally or partially with PayPal income

After Rajiv, Max Mancini spoke on how important developers are for eBay and how they guide the company's businesses. He mentioned that 50% of the volume of eBay comes from 3rd party applications and last year there were 0.5 billion listings coming from these apps.
He spoke about the affiliates program and how the Top 10 affiliates from eBay made over US$ 20 million last year.
He closed his presentation saying that developers "enrich people's lives and improve life quality".
Next there was the presentation of Rolf Skyberg, Disruptive Innovator (what a nice name for a job!! :)) and his presentation was focusing on the new Seller Tools eBay is building to be delivered on Q4 this year.

To close the keynotes session, Adam Gross (VP at salesforce.com) spoke about salesforce and Cloud Computing.

eBay DevCon

Hi Folks,

After some months of inactivity I am back, posting live from the E-Bay DevCon Conference. For the next 3 days I will be posting here about interesting stuff I will be seeing.


Saturday, February 16, 2008

JNDI.properties in JBoss

Need to know which jndi.properties your JBoss Server is using?
Just access this page:


Friday, February 8, 2008

Sun Discontinues Certification Exams

Still on the subject of Sun Certifications: Sun has discontinued some exams for older versions of their Java Platform.

Check here details about this matter.

Tuesday, February 5, 2008


Sun has released the new version of Sun Certified Web Component Developer (SCWCD).
Unlike what some might have expected, it does not include JSF at all.

Actually it has hardly changed since the previous version, focusing on JSP for the view tier.

For more information, check this.

Wednesday, January 23, 2008

Spring Autowiring

I was just struggling with an error message I was getting in my application. I am using Struts 2, Spring and JSP basically.
In my JSP I wanted to save some properties into the name of an account:

<s:textfield name="account.name" value="%{account.name}"/>

The action handling the form which posts the "account.name" property above does have a setter for the Account interface:

public class SaveTransactionAction {
    private Account account;
    public void setAccount(Account account) { this.account = account; }
}

Problem is, for some reason the property was not correctly set into the action, and even worse, I got an exception thrown:

2008-01-23 21:57:52,203 ERROR util.InstantiatingNullHandler (InstantiatingNullHandler.java:110) - Could not create and/or set value back on to object
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jc.mny.domain.vo.Account': Could not resolve matching constructor

As I later found out, Spring was trying to autowire the creation of the Account property for my action, but as it was an interface, it could not find the correct class to instantiate. I had two options:

  1. Change the struts configuration not to use the autowire properties from spring.
  2. Declare the creation of the bean I needed in the applicationContext.xml. This is the one I chose, just added the excerpt below into the file:

<bean id="account" class="jc.mny.domain.vo.AccountVO"/>

Certified Scrum Master

Today I became, as the subject of the post suggests, a Certified Scrum Master. As stated in the Scrum Alliance web-site, "Scrum is an iterative, incremental process for developing any product or managing any work".
Just finished the training with Ken Schwaber (in the picture with me) and I've posted below some notes I took during the training.

  1. Scrum is not intended to solve your company's development problems. Actually, if you have enough problems, Scrum is most likely to expose them even more.
  2. Scrum is a framework that was built to give the team a tool to organize, measure and estimate their work and the state of the product.
  3. Scrum by itself will not increase quality or make you deliver faster code. Check item number 1.
  4. Think about people and not resources. The teams are made of people.
  5. Transparency is the keyword. Scrum gives to the product owner transparency over your project, showing exactly where you are and how much you still need to finish it.
The training was great, and all the time you could see people saying: "ahhhh, so that's how it is done"...
As I observed today, lots of people believe that Scrum might be the solution for their problems and are actually trying it at their companies. However, listening to the most experienced on it is fundamental, and as Ken suggested at the end of the training: talk to each other.
Finding out what other teams are trying, what is working and what is not is the key to success.

Thursday, January 10, 2008

Ruby First Impressions

I am now giving a try to Ruby.
It seems to be quite fast to build a web application from scratch, and Netbeans has great support for it.

We'll see...

Saturday, January 5, 2008

Back From Wedding+Honeymoon

After being away for a long time to finish the preparations for my wedding, I am back after the honeymoon, Christmas and New Year's Eve!

Soon to post something useful!