Blunder Dome Sighting

Professor von Clueless in the Blunder Dome


Wednesday, December 01, 2004

Encouraging Open-Source Development

ACM News Service: Red Hat Exec Talks of Challenges to Open Source.  2004-10-21: I have a little trouble parsing this.  According to Michael Tiemann, there's a paucity of open-source developers and it is important to have more people take an interest in open-source development.  Tiemann's thinking is that open-source can scale by having more projects, since 80% of a typical project is controlled by 10 to 15 developers.  Apparently forking is not a problem if more developers come to a project, but having a different project would magnify the appeal and the availability of developers.  There is a tacit assumption, it seems to me, that this will attract different developers, not recycle and overwork the same senior developers.  Well, OK for now.

There are also comments about evolving the Linux Standards Base from 2.0 to 3.0 so that more vendors can play and there is presumably then more room for portability across the different supported Linux platforms.

John Ribeiro's 2004-10-18 IDG New Service article lays it out plainly, with more on the advantage of promoting open-source in Asia and elsewhere.
So I have peeled off another ten days of backlog.  I am not sure how I let this happen, apart from being pre-occupied with school work right now.  I think the habit of making backlogs of drafts started when I had a downtime at the end of July where I had locked down my blogs against new posts until I could be satisfied that I had an incident response procedure in place against corrupted postings from Blogger.  But the backlog is still there.  This is something to eliminate by the end of the month and before embarking on the new year.

 

Streamlining Software Upgrade

ACM News Service: CFI Research Projects Could Rewrite Computing Rules.  2004-10-26: One of the Canadian Foundation for Innovation grants described in this blurb is Ying Zou's proposal to improve software upgrades, a collaboration of Queen's University, IBM Canada, and the University of Waterloo.  The idea is to streamline upgrade processes for developers working on subsequent releases in a way that quality won't be decreased.  The ability to predict performance is an aspect of the work.

Neil Sutton's 2004-10-21 ITBusiness.ca article provides more on how CFI works.  The research work will take more searching.
Looking back on this blurb that I drafted in October, I am not sure what had me be all that interested.  Trusting that there is more to the blurb and article than what I gleaned here, I am going to post this marker.

 

Trusting Wireless Routing

ACM News Service: Researchers Study Wi-Fi Weaknesses.  2004-10-29: There are stealth attacks that can be made against ad hoc wireless networks, and they seem to apply to wired ad hoc networks too.  The attacks show up as a form of denial-of-service or traffic interception (and spoofing) attacks.  It is suggested that this could be mitigated by trusted relationships among nodes based on reputation schemes.  I wonder if there is a pattern that can be applied to spam as well?

Mike Martin's 2004-10-25 Enterprise Security Today article provides further anecdotal description. I am on a hunt for more information.

 

CNR Area Pisa Italiano

Area Pisa Italiano.  2004-07-29: Looking for information on the MAFTIA project led me to one of the distributed mirrors in Italy and so I tracked down more about the CNR Area della Ricerca di Pisa.  On the other hand, Turin is looking good these days because we have friends there too ... .  There is IEIIT and il polito (Politecnico di Torino).  Some open-source work on network tools was supported here.  They have a Software Engineering research area.

Well, I have acquired this idea about living or working or sabbaticaling in Italia.  It is one of the miracles of having Vicki in my life.  I can't talk about remote possibilities of finding some kind of assignment or subsistence in Italy because she might start packing, and if she can't pack she might be upset, so I keep these mostly to myself.  But my eye is quickly drawn to the topic of Pisa and the nearby provinces.

 

Digital Libraries on Demand

ACM News Service: ESA Joins European Effort to Create Digital Libraries for Science.  2004-10-29: This is a fascinating teaser about placing digital library infrastructure on grid technology for distribution and preservation of massive forms of data, or any other digital library application that might be created quickly and achieve broad availability.  The DILIGENT project started in September 2004 and is going to last for three years.

The 2004-10-26 article in the European Space Agency's ESA News goes deeper into the scientific importance, illustrated by all of the data from space experiments and satellites.

Oh, sob, the project is being coordinated by Donatella Castelli at CNR-ISTI in Pisa.  Well, it will still be going on after I complete my Masters.

The system appears to provide for federation of digital libraries, preserving the autonomy of individual collections while sharing access and use of materials.  Although there are major applications in environmental and terrestrial science, another member of the user community is Pisa's Scuola Normale Superiore Centre for the Data Processing of Texts and Images in the Literary Tradition.  Broadcaster RAI is making educational A-V archives available.  Nice work in Italy.  There are wonders there.

 

Sxip - Pronounced "Skip" Is Digital Identity

Sxip.org - Sxip Overview.  2004-10-31: The first thing I notice about this site is that it uses HTTPS from the get-go.  Martin Terre Blanche recommended it as an open mechanism for single sign-on, but Martin also raises concern for the root-authority model that appears to be at the heart of the Sxip open-source methodology.

Since all of my web sites do ASP, I can't wait to see if the PHP form of the developer's kit can be converted.

One cool thing the folks did (besides finding a four-letter domain name, remarkable by itself) is have sxip.org for the general stuff, sxip.net for the technical stuff, and sxip.com for the business stuff.  I notice other teams often use .org for the open-source site and .com for the commercial site.

Martin expresses a concern for the reliability of the model and what can make it dependable, including from a dependable top-level root. I wonder if it could be made to work with a reputation-oriented trust system (in the OpenPGP manner) or whether it really must be authority based.
Since I have learned about Ping Identity, I wonder what the connection is between these two open-source methodologies.  It would be nifty to do the whole job in JavaScript, especially for the lightweight authentication and attestation/assertion machinery that I am looking for.

 

When to Optimize, When to Tune

ACM News Service: Think Like a Customer, Use Your Stopwatch.  2004-10-31: This is a highly-pragmatic and practical set of views, especially with regard to where to tune and when to find an algorithmic optimization.

Geoff Koch's 2004-10-15 SD Times article carries a more-careful, progressive presentation of how tools are used and the sensibilities that are applied when searching for improved performance.  There are some interesting tips, including the importance of making sure that optimized code is not unmaintainable.

Randy Camp of Musicmatch uses an approach that is interesting to me because he talks about focusing on the place where the greatest performance loss occurs.  Also, there is a reference implementation created to provide a framework for assessing improvements.  Since I am building a reference implementation for a project, it will be useful to consider how it could be used to optimize for a simple production version based on that design.

The article has some fanciful ideas at the end, including having appropriate algorithms be automatically selected based on conditions at hand.  This is in fact something functional programming is set up to do, and I'll tuck that thought away too.

 

Smartcard Trustworthiness

ACM News Service: Adding Reliability and Trust to Smart Cards.  2004-10-31: It is interesting to notice that European smart cards have not achieved the higher levels of Common Criteria security certification.  The article then mentions the Java VM-equipped smart cards as if an improvement.  Now you need operating-system certification, and I don't see how that makes things easier.

Just the same, this 2004-10-27 IST Results feature is about VerifiCard, a project to provide tools for the formal parts required under Common Criteria (in the form of ISO 15408 compliance).  It will be interesting to see how this all works out, considering that the JVM-based smart card is programmable.

 

Emulating Obsolete Document Formats

ACM News Service: NARA Conference Demonstrates Emulation Technologies.  The preservation of electronic documents is not so well-established as the archival preservation of printed materials, and emulation of no-longer available software implemented on no-longer-available platforms is one avenue for preservation of access.  This blurb features the open-sourced Multivalent, a Java-based universal document viewer (with plug-ins accepted) from Robert Wilensky's team at Berkeley, and GridForum's DFDL project for an XML-based Format Description Language that is useful for specifying how to pull data from binary-format document files.

Joab Jackson's 2004-11-18 Government Computer News article provides more discussion and links to the sources.

 

If Metadata Is the Answer, What Is the Question?

ACM News Service: EPA Builds a Better Search.  2004-11-18: This article is actually about how employment of metadata standards can enhance search, location, and retrieval capability, not being entirely divorced from the preceding note about handles and DOIs.  The thrust here is toward a standardized metadata scheme based on use of Uniform Resource Names (URNs).  So there are then unique identifiers available for identifying material.  It seems we are looking at a blend here.  There's metadata and there are URNs, and then there's getting them working together.  Use of standard classification schemes is probably helpful, but who knows how reliably that will work.  I can just see Semantic Webbers salivating, though.

The 2004-11-15 David Perera article in Federal Computer Week gives more and points out that there are draft recommendations on Categorization of Government Information out for public comment ending Dec. 5.  There's no direct link to the material.  Well, assigning unique identifiers to each piece of online government information should certainly let us know whether our UUID and URN schemes are big enough!
No, I have no explanation why these notes are posted to December 1, which hasn't happened yet.  My best guess is that when I set the new date for posting this old clipping, I managed to click the 31 instead of the 30 for November, and the Blogger system does the obvious thing and translates that back as December 1.  Well, yes, if you have done geeky calendars like I have, that is the obvious thing, because it makes it easy to calculate tomorrow's calendar date even if today is the last day of a month (or year).  But if you forget the ever-so-easy validation step then ...  Oh, never mind.

 

Identifying the Objective, not its Location

ACM News Service: Getting a Handle on Data.  2004-11-18: This blurb on a Julian Perkin 2004-11-17 Financial Times - IT Review article (paid subscription required) speaks about the problem of locating content on the Internet that is likely to move, be renamed, or cached in different ways.  The Handle System and DOIs (originally: distinguished object identifiers) are identified (I couldn't help myself) as possible solutions.

I'd like a solution to that, especially when it might be possible to find the nearest copy, on a local machine say, or go to a suggested global place, or conduct a search, etc.  This fits a problem I have around supporting certain kinds of collaboration.  I see it as more static than P2P, but a solution might have a P2P quality to it.  The concern I have for "doi:" as a protocol is that it requires an intermediary and it is not clear who gets to play or federate into the system.  Along with "who owns your data" we now have "who owns your link?"

I'll keep watching.

 

Tuesday, November 30, 2004

Criteria for Web Application Security

ACM News Service: Group Aims to Create Hallmark of Security.  2004-11-13: The Applications Security Consortium is an industry group that is focused on application firewalls for secure web applications.  A test program is being created but what I find most important is the list of criteria, including:
  • detection and blocking of malicious executable commands
  • prevention of data insertion through illicit control of format and type
  • prevention of cookie tampering
  • protection of application fields from modification
  • protection of URL parameters
Although the group is focused on perimeter defenses and certification of firewalls, this strikes me as something that also requires design attention.
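As an added illustration, not code from the article or the consortium, the following sketches the design-side counterpart to three of the listed criteria: sealing cookie and hidden-field values with an HMAC so tampering is detected, and allow-listing URL parameters by format and type so malformed or injected values never reach the application.  The key, the parameter rules and the sample requests are constructed for the demo.

```python
import base64, hashlib, hmac, json, re

# Constructed demo key: in deployment this comes from a secret store, never source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seal(fields: dict) -> str:
    """Serialise server-chosen fields (cookie or hidden form values) and
    append an HMAC so any client-side edit is detectable."""
    body = _b64(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def unseal(token: str):
    """Return the fields if the MAC verifies, else None.  The comparison is
    constant-time so a forger learns nothing from response timing."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None

# Allow-list of URL parameters: name -> (pattern the raw string must match, coercion).
# Anything not listed, or not matching, is rejected rather than sanitised.
PARAM_RULES = {
    "page": (re.compile(r"^[1-9][0-9]{0,3}$"), int),
    "sort": (re.compile(r"^(date|title)$"), str),
}

def validate_params(raw: dict):
    """Reject unknown names and any value whose format or type is wrong, so
    injected characters never reach the query layer.  Returns a typed dict or None."""
    if set(raw) - set(PARAM_RULES):
        return None
    typed = {}
    for name, (pattern, coerce) in PARAM_RULES.items():
        if name in raw:
            if not pattern.match(raw[name]):
                return None
            typed[name] = coerce(raw[name])
    return typed

def handle_request(session_cookie: str, query: dict):
    """Combine both checks: the role comes only from the sealed cookie, never
    from a request field the client controls."""
    session = unseal(session_cookie)
    if session is None:
        return ("reject", "cookie integrity")
    params = validate_params(query)
    if params is None:
        return ("reject", "parameter validation")
    return ("ok", session["role"], params)
```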

Matt Hines and Dawn Kawamoto write in the 2004-11-08 CNET News.com article that the program's launch happened at a Computer Security Institute (2014-04-24: now part of Blackhat) conference in the preceding week.

OK, OK, so now that takes care of the backlog for November.  Now I have the ancient ones to deal with, real soon now.

Update 2014-04-24: The Computer Security Institute has vanished from the Internet.  But Blackhat seems to carry on what became CSI online.  Thanks to Lisa @humanitycampaign.org for the broken-link notification.

 

Who Can You Trust?

ACM News Service: Understanding Spyware - Risk and Response.  2004-11-13: This blurb emphasizes what I call the ultimate trust irony for computer security.  The easiest means of inserting spyware deeply onto a system is via software that is alleged to provide anti-spyware measures and heightened computer security.

The Wes Ames article for the IT Professional September/October 2004 issue is available as a promotional PDF download.  The paper provides a nice explanation of the progressive levels of spyware and then looks at detection and prevention approaches.

 

Perfecting Secure Coding

Dana Epp's ramblings at the Sanctuary : Secure Coding - We can't stop trying.  2004-11-13: Dana Epp makes a number of contributions to an appreciation of secure coding.

The first is that "information security is about risk mitigation, not risk avoidance."

The second is that we should be dealing with attack-pattern types.  There are common patterns in the variety of attacks, and developers should be aware of those patterns.

The third consideration that Dana raises is about how vulnerabilities can be obscured by the use of higher-level tools that hide what is going on.  Dana referred to higher-level languages, but I think there is far more to it beyond the confines of a given language.  I think this is a very big deal.

The fourth consideration is out beyond the code.  Dana has in mind Microsoft's SD3+C concept:  "Secure by Design, Secure by Default, and Secure in Deployment." [The "+C" is for "Communications" and I am not sure how that is supposed to be parsed in conjunction with the preceding list ];<).  Michael Howard has a video on the topic where he speaks about communicating the secure way of doing things, whether sample code or otherwise, and being proactive in communicating security and having customers be aware of security ramifications.

Dana argues that we must "reduce, redirect or eliminate the impacts of attacks," and apply that to configuration, deployment, and design.  In short, look out over the entire lifecycle of a secure product where it is situated for use.

Finally, Dana mentions the SCL list, so now I am going to have to find out what that is!
Eureka!  I know how November 30 was turned into November 31.  (Look ahead to December 1 to see what I am talking about.)  When you have used one of those idiot list boxes for numbers like 0 to 59 (duh?) or 1 to 12, if the selection stays there, you can end up manipulating it the next time you use the mouse scroll wheel.  This apparently happened on returning from the preview of this entry, somehow, except I was on the alert for it.  (Lord, I do hate browser-based applications, I really do.)

 

The Future of Software Tools

developerWorks : Exploring Model-Driven Development Blog - The Future of Software Tools.  2004-11-19: This deep find from Scoble's Link Blog provides an IBM Rational perspective that is intriguing in one particular respect: The emphasis on greater software-development process transparency.  I'm for that: auditing, traceability, and accountability.  I think greater support for collaboration (and new tools for it) also makes sense.  Wikis are cool (I don't think Lotus Notes where I am situated) and there is lots of room for more blending.

I am not so sure about new programming models for Rapid Application Development (RAD) though, especially because these tend to end up being somebody's proprietary technology.  And the idea of pay-per-use software tools simply doesn't make any sense in the context of auditability, transparency, accountability, etc.  I want to see how this all figures into what I think is a fundamental injunction from eXtreme Programming: Travel Light.

 

It's You? Ping You're It!

Slashdot | E-commerce Single Sign-On Not Dead Yet.  This find is about a federated identity system that is neither Passport nor Liberty Alliance, but an open-source effort from Andre Durand, who headed up Jabber.

Ross Wehner's 2004-11-28 Denver Post article makes a great read and provides more information on how Ping Identity will work, as well as what the point of open-source introduction is all about.

The Ping Identity Corporation home page is not that thrilling, probably because I have scripts and mobile code disabled by default.  There is a passel of PDF resources of various kinds, and some require registration and e-mail confirmation and activation.  While waiting for the e-mail, I learned that SourceID Liberty 2.0 Beta is available for download.  It is also certified as "Liberty Interoperable."  The presence of a customizable workflow engine is emphasized as an important core element of the Beta release.

I am interested in digital identity for a number of reasons, and in open-source approaches for a sizable fraction of the cases I have in mind.  It will be a while before I have digested all of this.

After my registration activation came through, I confirmed that there is a substantial amount of information.  The open-source aspects of SourceID are handled at a separate SourceID site.  Many of the same materials are provided, and my new password works there too, naturally.  There are several toolkits and proofs-of-concept available for download.  They are implemented for Java and .NET, which raises interesting questions for me, trapped in the world of C/C++ for my earliest applications of identity!  The use of SAML (Security Assertion Markup Language) is also something I want to check out, though.  Oh, there is an RSS feed too.

 
 

template created 2004-06-17-20:01 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 14-04-24 17:51 $
$$Revision: 4 $