Reviews

A Few Things Worth Noting from the Web 2.0 Expo


I spent the majority of this past week attending the Web 2.0 Expo and Conference in San Francisco. The sessions were amazing and I had a really good time. I have an entire notebook full of notes that I need to transcribe, but here are a few of the more memorable things.

Application Delivery Systems – The CTO of Citrix talked about so-called ADS hardware components that can do everything from rules-based data filtering, data compression, TCP multiplexing, dynamic caching and DDoS protection to plenty more (price dependent, of course). Some usage examples and results were provided by one of the guys from Foldera.

RSSBus – turns just about any data source into an RSS feed, including activity in a file directory, Excel spreadsheet changes, database queries, etc. Installable on a network or via localhost. Runs as a small server using the .NET framework. RSS feeds can be secured using standard NTLM methods. Single-point administration (no user-defined reports if used in a multi-user environment). Reports can also be coded using just about any programming language: PHP, Python, etc. Project generally based on Python.

mod_ndb – Apache module that allows querying a MySQL Cluster using HTTP 1.1 methods (GET, POST, DELETE). Cuts out the middle man (the MySQL Server). Realizes the most benefit when combined with a scripting language (such as cURL through PHP). Configured through Apache httpd.conf directives (no mention of support for .htaccess). Delivered with several output formats (JSON, raw); a future release will support user-defined output formats. No built-in security, but other Apache auth modules (like mod_auth_mysql) could be used. Note that MySQL Cluster has many limitations of its own, and this is only relevant when using a multi-app-server/multi-Cluster setup. Interesting concept though. The slides will be online after next week’s MySQL conference.

Wesabe.com – The two founders gave an interesting talk on securing web applications. They detailed the concept of a Privacy Wall, which, as one of them outlines on their blog, means “don’t have any direct links in your database between your users’ “public” data and their private data. Instead of linking tables directly via a foreign key, use a cryptographic hash that is based on at least one piece of data that only the user knows—such as their password. The user’s private data can be looked up when the user logs in, but otherwise it is completely anonymous.” See the blog link for an example. (Note also Wesabe’s Data Bill of Rights, which states that a user’s data is theirs to do with as they please, including downloading it or removing it entirely.)

Vulnerabilities 2.0 – Alex Stamos from iSEC (a white-hat security firm) gave a talk about the new vulnerabilities in Web 2.0 applications (namely those using Ajax). Of special note, XSS attacks now include JavaScript injection, since many Ajax-enabled applications evaluate returned JS code directly. (Another session suggested using a parser instead of eval, especially with JSON-like return structures.) Also, no current Ajax framework is secure out of the box. Also, make sure to manually review any code output from a client-side JS proxy interface (i.e. anything that transforms server-side code into client-side code) to be sure no administrative functions are being exposed. Don’t allow Ajax calls that change state using the same parameters for every user (e.g. “makeAdmin()” with no user id or other parameter).

The author of The 4-Hour Work Week gave a very short and very interesting talk (video link) about focusing on the few critical tasks rather than the trivial many. He also talked about outsourcing your personal life, or anything else, whenever it would cost 50% or less of what it would cost you to do it on your own. For example, if laundry takes you 4 hours a week and your time is worth A (total income/10k/2), then finding someone who can do it for B (A*4/2) each week is worthwhile. He applied this not just to personal tasks like laundry, but to menial business tasks such as writing reports, updating spreadsheets, etc.

I have plenty more notes, including from a few usability, design and mobility (“placelessness”) sessions. If you are interested in anything in particular, let me know. Otherwise I’ll keep posting excerpts from my notes once I’ve had a chance to transcribe them.

Oh, and in case you were wondering, “Web 2.0” is still very much undefined. To illustrate that, conference attendees got t-shirts saying “Web 2.0 is _______” with a spot to write in your own definition. Mine’s still blank. If it’s possible to define it after-the-fact based on the overall conference theme, Web 2.0 is about harnessing collective intelligence and the switch from surfing -> services, pages -> rich interactions, sites -> content experiences, and web masters -> everyone.

* This post was originally published on April 22, 2007 at http://www.csb7.com/blogs/whyblogwhy/2007/04/22/a_few_things_worth_noting_from_the_web_2

Book Review: Maiden Voyage by Tania Aebi


[Book cover image: Maiden Voyage]

The completion of this book marked the first step toward the first milestone on the way to my dream of cruising: read at least 3 books about the topic. One down, two to go…

As I mentioned in previous posts, this book was very slow to start, but once I was past the first chapter it became much easier to read, drawing me into the life of Tania in those days some 20 years ago.

The story is a true tale, written by the author, about an 18-year-old girl from Manhattan who, with no real purpose in life, is challenged by her father to circumnavigate the globe solo in a small sailboat. It begins when she is a few miles off the coast of NY on her return leg after several years at sea, and then flashes back to tell the entire story from the very beginning. Up until she left, her sailing experience had been sparse, and she had never sailed single-handed. However, armed with a plethora of technical manuals, sailing charts and a stronger-than-nails will, she thrusts herself into the situation and learns quite quickly what her boat, and she herself, are capable of.

The story is wonderful, though a little rough in some spots. She never hesitates to remark on her mistakes or personal hang-ups, and as the story unfolds she also candidly relates her own personal history. She tells of friends made and friends lost, her mother’s death, and her strained relationship with her father.

I found this story to be truly uplifting – a story of the remarkable human spirit for adventure. It was certainly a great read for someone considering a similar adventure, and I imagine anyone with a love for personal-triumph stories will enjoy this book.

I was left with a few concerns after reading it though. Her trip takes place in the late ’80s. I know the rest of the world is much different today than it was 20 years ago, but I wonder to what extent it would be noticeable while at sea? Tania talks about having to avoid certain ports for geopolitical reasons, but she still manages to spend several months traveling close to many nations that would now be considered dangerous for US travelers. Her stories of the people she meets while docked at some of these ports are always positive and related with fondness – total strangers who take her in and help her, asking nothing in return. I wonder if the world has changed too much for the worse since then?

Tania currently writes articles for many sailing magazines, gives speeches on her trip and has been known to lead sailing excursions for women of all ages. To date, she has not written any other books.

* This post was originally published on August 19, 2006 at http://www.csb7.com/blogs/whyblogwhy/2005/08/19/book_review_maiden_voyage_by_tania_aebi

Book Review: Digital Fortress by Dan Brown


Digital Fortress is Dan Brown’s debut novel from 1998 (reprinted May 2004). In it, Susan Fletcher is the NSA’s lead cryptographer, working in its cryptography division, nicknamed Crypto. Crypto’s latest toy is a supercomputer named TRANSLTR — 3 million processors chained together in a 6-story-deep silo cooled with 2 freon generators, capable of cracking any encryption key through the use of brute force[1]. When rogue programmer Ensei Tankado, a former programmer for Crypto and one of the developers of TRANSLTR, posts news on the Internet of his new encryption method that is uncrackable and puts the only copy of the encryption key up for auction, Susan’s boss, Commander Strathmore, decides to test Tankado’s code against TRANSLTR using a sample of the encryption code posted on the Internet. However, after TRANSLTR fails to return a result after 15 hours (14.75 hours longer than it has taken to crack any previous key), Strathmore summons Susan in to help him track down the programmer. The story forks to follow Susan Fletcher’s fiancé, David Becker, as he tracks Tankado in Spain, while Susan and Strathmore battle elements both internal and external to Crypto as they try to find the truth behind Tankado’s code.

Unlike with Brown’s other books (Angels & Demons, The Da Vinci Code and Deception Point – all written after the initial press of Digital Fortress), I struggled to complete this one. It had some of the fact-based fiction that he is probably best known for, but I imagine that he hadn’t quite honed his skill when he began this novel. There are only a few places in the story where he segues out of the plot line in order to give us a piece of archaic knowledge, and even then they aren’t tied that heavily into the plot.

Also, the characters in this novel are very typical – Jabba, the overweight & sarcastic computer technician (think The Comic Book Guy from The Simpsons); Commander Strathmore, the overly ambitious and seemingly altruistic “company” man; Numataka, the evil at-all-costs CEO of a world-wide technology company; Greg Hale, the “buck-the-system” programmer. And while Brown makes a point to flesh out Susan Fletcher’s character, the rest of the characters remain paper-thin.

Meanwhile, the plot seems only to advance through the luck (dumb or otherwise) of the characters involved – characters too lazy and argumentative to do something that would take 5 minutes, a college professor with the reflexes of a combat-hardened Navy SEAL, an assassin who can hit his mark from across a park unless a main character is his target, etc., etc., etc.

Unfortunately, the biggest disappointment in this novel isn’t any of the above, it’s the premise itself. Supposedly, TRANSLTR operates by filtering all of the communication that is sent over the Internet and running it through the supercomputer. This is not only impossible but also a complete misrepresentation of the Internet. The Internet is built on a model of distributed networking. Every new computer that logs on to the Internet becomes a part of that network. This enables (I’m overly simplifying here) a message to get from point A to point B using any available route, or even multiple routes if the message is large enough. If one route goes offline, there are hundreds of other ways to route the data to its final destination. To propose that all routes lead to TRANSLTR would mean that every message, no matter the origin or destination, would first have to travel to the NSA and through TRANSLTR. This would result in such a bottleneck of data, as millions upon millions of bits of information tried to enter TRANSLTR at once, that the Internet would crawl to a stop.

Finally, if there’s one thing that bugs me the most, whether in a book or a movie, it’s the use of what I like to call “the Hollywood OS” – those magical scenes where the author pens an event that relies on the reader/viewer being familiar enough with computers to think that they can do anything, but not familiar enough to realize that they can’t do “that”. (For example: the scene in Boiler Room where one of the characters puts a floppy disk in a computer, causing a dialog to pop up reading “Copying Hard Drive to A:”, as if an entire hard drive could fit onto a single floppy disk.) In the case of Digital Fortress, there are several instances where Brown assumes the worst in his reader and uses impossible or just plain goofy technology to further the plot. For instance, in the computer lab within Crypto, Brown writes that each computer is locked using a 5-digit PIN. I doubt that the NSA, the keeper of all of the digital secrets of the US government, would stop at 5 digits when protecting TRANSLTR, their supposedly most expensive and secret toy. (In comparison, the corporate standard for network passwords is at least 8 characters, alphanumeric with at least one letter and one number.) Later on, there is a scene in which one of the characters has installed a special piece of hardware onto the keyboards of the computers in the lab that records the keystrokes of everyone in order to steal their PINs. While such keystroke loggers do exist, I think it would be rather silly of the NSA to overlook this vulnerability in their operating system of choice. Still further on, the climactic scene in the NSA’s data center revolves around the availability of a set of firewalls that are failing in sequence. Each firewall is represented on a large overhead screen by a set of concentric rings, while inbound “hackers” attempting to get through the failing system are represented as black lines around the edge of the circles, much like (as Brown himself notes) sperm around an egg. The NSA agents watch helplessly as their firewall is systematically dissected, all the while insisting that it’s too late to save any of the data. Any data center technician will tell you that when all else fails and the integrity of your network is about to be compromised you always have an ace in the hole – just pull the plug.

Since we’re on the topic of the data center scene, I found it particularly annoying that during this huge climax, with computer technicians counting down the minutes (and later on the seconds) left until the security breach, the banter among the main characters is as wordy as ever, with huge dialogues taking place within a matter of seconds. At other times, the story feels rushed, with characters completing some feat or another in record time.

Obviously, I was not at all impressed with the story. It was one of those books that I had to force myself to finish; the only reason for finishing it at all was that I had already invested so much time into it in the first place. The last 20 pages were particularly grueling. Compared to his other books, this was a big letdown. If you want to read the best part of the novel, the most Dan Brown part so to speak, flip to the very end of the book where Brown explains the origin of the word “sincerely”. That is about the only thing that I will take away from this book.

Without wax,
Chris

Footnotes:
[1] Brute force refers to a method of hacking that attempts to crack a password or encryption key by trial and error, continuously trying new alphanumeric combinations until a match is found. It is generally thought that trying to crack a 128-bit encryption key using brute force, even with a specialized computer, would take 10^19 years.
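The 10^19-year figure in the footnote follows from the size of the key space and an assumed guessing rate; the arithmetic below is added here and is not from the book or the original post, and the rate of 10^12 keys per second is an assumption chosen only to show where the order of magnitude comes from.

$$
N = 2^{128} \approx 3.4 \times 10^{38} \text{ keys}, \qquad r = 10^{12} \ \text{keys/s}
$$

$$
T_{\max} = \frac{N}{r} \approx 3.4 \times 10^{26} \ \text{s} \approx \frac{3.4 \times 10^{26}}{3.15 \times 10^{7} \ \text{s/year}} \approx 1.1 \times 10^{19} \ \text{years}
$$

On average a correct key is found after searching half the space, so the expected time is $T_{\max}/2 \approx 5 \times 10^{18}$ years, which is still the same order of magnitude as the footnote’s estimate. Each additional bit of key length doubles $N$, and therefore $T$.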

* This post was originally published on November 22, 2004 at http://www.csb7.com/whyblogwhy/index.php/2004/11/22/book-review-digital-fortress-by-dan-brown/
