Charles Miller points out that the human side of security is often the weakest link - your firewalls and intrusion detection systems are worthless if you let someone cart your systems off. The story talks about terror links, and Charles speculates about drug dealers - but that doesn't seem right to me. Industrial espionage, on the other hand, sounds to me like a possibility. Why try to hack a system to get a look if you can just walk off with it?
The Baltimore Sun has a story on the rising tide of passwords and access codes that we all have to deal with - the primary subject of the story has 279 of them - and thus has to cheat by storing them in an encrypted file on a handheld.
That's one solution. The more common one, I'd guess, is to have only a handful of passwords that you use for everything. Both solutions have their drawbacks - if either is compromised, you pretty much get hosed off fully. There's not really a solution for this using passwords; we need biometric solutions so that we eliminate the memory problem altogether.
The 3.1 release of BottomFeeder is approaching - the things we wanted to get done are done, and a number of bugs and limitations have been addressed. The latest change was to the xml recovery file. Clearly, I took the wrong approach the first time - I have 158 feeds, and the recovery file was 35mb - and took a very long time to save. So in the latest dev build, that recovery file saves only the structure - the feed information, the folder structure - but not the items. That makes the file dramatically smaller, and makes save time reasonable.
Then you should start with Avi's post, and then work your way through Chris Double's posts - here and here
The subject of object or schema migration is quite large, and I'm hardly an expert on most of it. There is an area I can talk about with some authority though - migrating old versions of objects forward when using BOSS. Here's the situation - say you save objects to disk (what Java developers would call serializing them). Flash forward a bit, with the objects still on disk, but the definition of the object having changed (i.e., you added or removed instance variables). So, for instance, say you had this when you saved the objects to disk:
Smalltalk defineClass: #Item
superclass: #{TextObject}
indexedType: #none
private: false
instanceVariableNames: 'read guid '
classInstanceVariableNames: ''
imports: ''
category: 'Viewer'
and you changed it to this:
Smalltalk defineClass: #Item
superclass: #{TextObject}
indexedType: #none
private: false
instanceVariableNames: 'read guid category'
classInstanceVariableNames: ''
imports: ''
category: 'Viewer'
Well, now there's an issue - the old objects had 2 instance variables, the new one has three. What do you do? Well, you create some class side code that tells the BOSS framework how to migrate the objects forward:
binaryRepresentationVersion "current version number for BOSS" ^'1.0' binaryReaderBlockForVersion: oldVersion format: oldFormat " An attempt is being made to read instances of an obsolete version of this class. Answer a block that converts old instances (represented as an array or string of instance variable values) to new ones." oldVersion == nil ifTrue: [[^self nilBinaryMigrationBlock].
The first method answers the version number - this will be encoded with every object you save in BOSS format. When it's read in, this version number is available (it's nil if you never assigned it). The second method determines how to handle migrations - in this case, by sending a message based on the inbound version. That method - nilBinaryMigrationBlock above - actually contains the block that will do the migration. Given the examples we started with, it might look like this:
nilBinaryMigrationBlock | inst | inst := self basicNew. ^[:oldObj | | newObj sz array| sz := self allInstVarNames size. newObj := Array new: sz. newObj replaceFrom: 1 to: oldObj size with: oldObj startingAt: 1. oldObj become: newObj. oldObj changeClassToThatOf: inst].
What does that do? It creates an array (which matches the instance variable slots), and then copies all the old attributes into the array up to the old object's size. Now, this method is written somewhat naively - on the assumption that there are N new attributes. If you dropped attributes or changed their order, you would have to write the code based on that. Still, this gives you an idea of what's happening. What you end up with is a new object, with all the old object's data - see the #become:.
The beauty of this is that you can do it with live systems - more than once, I've had to change the shape of the object used for blog entries - and I've managed that with schema migration. It's a powerful technique - but also easy enough to trip over. If you change the shape of an object rapidly (as you initially develop an application, for instance, or under rapidly changing requirements) - it's easy enough to get the older migration methods wrong (especially if you are sometimes dropping attributes). If you need to do this with a production system with important data, testing is absolutely required
CNet News points out that the RIAA is starting to sue suspected file swappers. Boy, they really know how to win friends and influence people, don't they?
Scoble references David Coursey, who seems to think that the tablet pc, handwriting recognition, and translation services are going to be huge. IMHO, he misses one very, very simple thing - even those of us who type slowly can do so faster than we write longhand. The tablet pc will have some interesting niche applications - but handwriting is not going to replace typing anytime soon.
And people wonder why we say that Smalltalk productivity is higher than things like C++. Seriously - how in the heck do you test anything with a 14 hour turn-around time? I'm sure that individual sub-systems can be tested without the full thing being recompiled - but that testing - by its very nature - won't be comprehensive. I can see why the security of MS operating systems is so bad, and - I expect it won't be getting better. Gads - 14 hours? How can anyone actually work like that?
BottomFeeder 3.1 has been released. There are a lot of improvements in this release:
And, as they say, lots more. Check it out - if you have the 2.9, 3.0, or current dev version, simply use the upgrade tool to grab the latest components. If you don't have it installed, or have an older version, go the site and download the app.
The Register explains again how the RIAA is winning friends and influencing people. Quick, call the PR people!
"I got really scared. My stomach is all turning," Brianna told the Post. "I thought it was OK to download music because my mom paid a service fee for it. Out of all people, why did they pick me?"
It turns out that Brianna's mum paid a $29.99 service charge to KaZaA for the company's music service. Brianna, however, thought this meant she could download songs at will. How naive!
When reporters charged into Brianna's home, she was helping her brother with some homework. She is an honors student at St. Gregory the Great school.
Remind me again why I should buy CD's?
Leaving the sinking ship: Bill Joy leaves Sun. Now he can wear his tinfoil hat fulltime....
We are fast approaching the release of Cincom Smalltalk (Fall 2003 Edition) - we expect to release in November. If you are a contributor of goodies to VisualWorks or ObjectStudio, we need any and all updates from you by October 15th - if you want them included in the upcoming release.
Ed Foster talks about how popular Product Activation is (snicker). He also brings up a thought I hadn't had on the subject:
Several readers pointed out the security danger to customers if the next version of a Blaster-type virus were to succeed in crippling a software company's product activation capability. "What if the next version makes the XP and Windows 2003 registration site inaccessible?" wrote one reader. "Can you afford to have some of your servers stop functioning? I think these registration schemes can multiply a virus attack's disruption to the economy and the Department of Homeland Security should take a look."
That's an angle I hadn't even thought of - a worm who's payload action was to deactivate specific applications or operating systems. That would cause some pain....
The RIAA has settled its case against the 12 year old girl they sued - and they only extorted $2000 from her parents. Charitable sorts, these music industry people....
Scott McNealy says IT is too complex:
"Our industry is way too complex," he said. "A lot of employees are delivering features that we want to build into products. Hence, (IT) is way too expensive."
McNealy said the IT industry's fixation on the components of computing, such as operating systems, application severs, network switches, and so on, is inane. "It's like throwing a piston ring on the table and saying, 'Drive to L.A.,'" he said.
Someone needs to show this guy EJB, and then ask him again about needless complexity. Pot, Kettle. Kettle, Pot....
Matt Croydon::postneo sums up a lot of what I've been pondering in my various rants on the subject of the RIAA.
Management in IT has a persistent problem with reality. Regardless of how well things are working with whatever they have now, there is a consistent industry meme that change - massive change - to some new platform will help immensely. It's as if they never apply lessons from thier own lives to their work. Here's an example from The Register:
Most companies deploy a modern platform to improve the application development cycle " thinking they'll see productivity, management and control benefits from these 'new' environments. It doesn't always pan out this way.
...
In the case of the J2EE users the more respondents (32 per cent) said that it was getting worse " 18 per cent said it was getting better. The situation was revers with .NET users with 44 per cent found the management of the development life-cycle improving " 13 per cent said it was getting worse
Id guess that the .NET people who thought things were better were moving from an existing MS toolkit - i.e. - it was an evolutionary change. Notice just how bad things are in J2EE land - productivity declines for a good plurality. Wholesale change simply for the sake of change is a stupid idea. Think about it in a business context - how well do (effectively random) workflow changes go? Why would similar changes in IT development go any better?
The Register reports that many employees have problems with even the most basic computer skills. This isn't a Mac/PC issue either - they are actually talking about things as basic as startup/shutdown, and saving files. This may be the explanation:
According to City & Guilds, a lamentable lack of even basic IT training is one of the main problems. One in five firms responding to the study admitted employees have only basic IT skills and over one in ten said their workers have no IT qualifications at all. The problem is apparently compounded by the fact that more than one in 10 employers state that IT skills are non-essential when hiring recruits
Simply amazing....
I saw this in the vwnc mailing list, from Stephen Travis Pope:
1. Squeak is not the only Smalltalk that should be considered for real-time multimedia applications. My "Siren" package for sound/music was originally developed in Xerox PARC Smalltalk (in 1984), then evolved along with the commercial VisualWorks family. For a few years (1997-2001), its main platform was Squeak, but we moved it back to Cincom's VisualWorks non-commercial (VWNC) about 2 years ago. VWNC is free for non-commercial applications; it is the full Xerox/ParcPlace lineage Smalltalk system.
We gave up on Squeak because of issues with its performance, stability, poor development tools, non-support for team programming, non-support for object databases and CORBA ORBs, and the confusion about its multimedia I/O facilities.
In VisualWorks, Siren uses the "DLCCC" API (like native methods in Java) to access streaming sound and MIDI I/O. The GUI builder is excellent, the VM performance is awesome, and it's been stable for a decade or so. We're planning a new release of the VWNC-based Siren for later this month.
2. An open VM is not as important as a VM that can be easily extended with interfaces to low-level facilities. If I can write reliable real-time programs, and access external facilities easily, I'd actually rather *not* have to muck around in the VM.
That's pretty cool - if music and ST interest you, check it out!
RSS is getting noticed in government - the New Zealand government is publishing a standard for RSS use
Scott Knowles chaired a blog panel in the DC area last night - sounds like I should have attended....
Get ready for more heck from Sobig:
The destructive Sobig.F mass-mailing virus has been programmed to stop working on September 10 but that's not necessarily good news for IT guys around the globe.
That's because security experts expect a more sophisticated variant of the Sobig worm to start crawling through inboxes immediately after the September 10 deadline. "Sobig.G is very likely. It has been a serial process ever since Sobig started spreading in January this year. Variants come out one at a time and they never overlap," warned Chris Belthoff, Senior Security Analyst at Sophos, Inc.
This should just be loads of fun. I didn't get Sobig, but I did get buried in emails with the virus either attached (or replaced with an alert by Cincom's server). The sheer volume was obnoxious.
Stephen Travis Pope followed up to vwnc with more info based on interest in this:
Here is an update on the progress of the Siren sound/music package on VisualWorks non-commercial (since I've received several queries in the last hour since my earlier posting).
There's a description of new Siren here. This is our paper from the up-coming Int'l computer Music Conference (which takes place early next month in Singapore, our deadline for the release)
We use DLLCC APIs to widely known cross-platform libraries for all I/O:
- PortAudio library for sound I/O;
- PortMIDI for MIDI I/O; and
- libSndFile for sound file I/O.
We also have a DLLCC interface (not quite working -- won't load at run-time) to the FFTW library.
Siren is still focused on composition and performance. We use our CSL library (a portable synthesis/processing framework in C++) for synthesis and processing. We talk to it over the OpenSoundControl (OSC) protocol at present, though one could certainly link directly to it using DLLCC.
Siren and CSL are linked to the CREATE Real-time Application Manager (CRAM), a new implementation of our DPE (distributed processing environment).
We plan to release Siren 7.1 real soon...
Sam Gentile has an interesting piece of news - TogetherSoft has a full C# edition of their design tool - written in C#.
The new Borland Together Edition for Microsoft Visual Studio .NET is positioned to be the first independent, integrated design, modeling, and code environment for the Microsoft .NET Framework to simultaneously connect enterprise architects and developers through Borland LiveSource technology. After over a year of research and development effort, this new environment, written in native C#, marks the latest advancement of the Borland Application Lifecycle Management(ALM) offering for .NET.
According to analyst research firm Gartner Group, the .NET Framework is gaining broad traction in next generation e-business solutions such as Web, mobile, and consumer facing applications"
Wow - TogetherSoft always seemed very much a Java outfit to me. This is fascinating.
InfoWorld's Chad Dickerson talks about migrating to the Mac. The mere fact that this article is getting written shows tremendous progress for Apple.
I've written not-so-favorable columns about Macs before (on a Windows XP system) and I've had a Mac at my desk for months, but it occupied the last port on my KVM (keyboard, video, mouse) switch -- a true IT afterthought. On a recent Friday, weary from shopping for a new PC, I grabbed the 3-year-old G4 at my desk (a 450MHz processor, same as my Dell) and took it home to see what all the Mac and OS X fuss was about. My plan was to add it to my existing home network, which consisted of two PCs and a Linux server. I plugged the Mac into the fourth port on my four-port KVM switch, mostly excited about iTunes. My Linux-served MP3 collection forced my unwitting experiment in enterprise Mac integration.
Fast forward to Monday and the KVM switch is in storage. I don't need it because the Mac does everything I need. It replaced the Linux server and one of the PC clients, and I've mainlined the keyboard and mouse directly into the Mac. My experience with OS X at home felt like crossing a chasm.
Now, you might ask: What does this really have to do with enterprise IT? The answer is simple: I used the Mac running OS X to replace a PC client and Linux server; the level of functionality was raised; and I did more with less. All the GNU and Unix tools I've used for years were right there in OS X: ps (process status), rsync, top, SSH (secure shell), Apache, Samba, and various Unix shells. I was able to access Windows file systems, and I easily shared Mac files to the Windows machine on my network via Samba, the open source file-sharing stalwart. I hardly struggled even for a second.
Wow. Bear in mind that Dickerson is the CTO of InfoWorld - so a lot of IT guys and IT chiefs are going to see this article. For years, Apple couldn't buy a break in the IT press. This is great news for them.
Scoble says that Longhorn will have "over 1000 new features". I don't want any new features, thank you. What I want is an end to buffer overflow problems in the OS, and and Office suite that doesn't suck. Do that instead of the 1000 stupid features....
Ted Leung points to an RSS distribution scheme - the purpose being to ameliorate a presumed future bandwidth problem with RSS. I'm skeptical, because RSS really is no different than any other page fetched by Http - if sites like CNN, Drudge (etc) have solutions for their main page, then the truly popular RSS feeds will end up using these self same solutions. I'm skeptical of inventing something new when the problem has already been solved....
Via WebSense, a link to a Washington Post column covering the blog panel I missed. Now it really sounds like I should have attended....
Sounds like Eric Cooper is having second thoughts about Java after working with Python. Now we need to show him Smalltalk....
It turns out that the RB parser in VW 7.1 broke the IDL Compiler - which is kind of a problem if you are trying to do cross-language CORBA development with VisualWorks. Customers have been getting a patch from support - and it's online now. Check out this patch page for VW 7.1
Sam Gentile isn't happy about the latest buffer overflow problem reported for Windows - partly because it also impacts Win2K3. That's not surprising; the code base is, after all, shared - and it's a veritable mountain of C++ code. What's interesting to me is the reaction:
I had just sold management in the company I am clienting for on the ability of W2K3 to avoid these, with the line that during the Windows Security Push, all 9,000+ Windows developers stopped and poured over essentially every line of Windows code remove these kinds of situations and make W2K3 the most secure OS. Now two of these in the last month. To say that this has stopped a massive redeployment is an understatement. The company was looking to just skip Win2000 Server and move many NT4 servers to Win2K. These kinds of situations are simply unacceptable. So is the patching strategy. To require a reboot for every security path installed is simply unacceptable. An OS like Win2K3 should never have to be rebooted and should be able to go a year or more without a reboot. A way must be found to apply these patches without causing reboots. Now that the operating systems have gotten super stable and operate for these kinds of times, we cannot have a patch requiring reboots. Patches like this can be applied to other OS like Linux and Mac OS X without reboots. I hate to bring up the fact that we had VAX/VMS systems up for years in the 1980's. This has just got to get better.
When the consultants who rely on you for a living start to get angry, it's not a good thing. This is exactly the sort of thing Apple could capitalize on....
Jeffrey Zeldman reports on the upshot of the Eolas suit - ON Windows, users of IE could see plugins (pretty much all plugins) cease to work:
Besides paying over half a billion dollars to the patent holder, Microsoft is supposed to cripple its market-leading browser so that IE/Windows will no longer seamlessly play Flash, Quicktime, RealVideo, or Adobe Acrobat files, Java applets, and other rich media formats. Once the company does this, any site that uses these technologies will no longer work in the browser most people use.
Before you start dancing in the streets at MS getting hammered, step back and realize that this patent applies to more than just IE - it applies to all browsers, regardless of vendor or platform. If Eolas pushes this further (and why wouldn't they?), we could see the net return to all the power we had in 1993. And it's not just browser developers that are going to take it in the shorts. If this holds up, sites everywhere are going to have to change the way they deliver content in order to work with the new (crippled) IE. Go read Zeldman for full details - this just stinks.
Update: I wonder if AOL's dropping of Netscape was related to this? Getting a contract with MS and dropping their own browser certainly relieved them of some potential liability.
The next release of Cincom Smalltalk (VW 7.2, ObjectStudio 6.9) is coming up in November - see here for details. That leads me to thinking about the next release of BottomFeeder. There's a fair bit of domain model cleanup we are considering, and doing that will take some time if we want to do it well. So I think the next release will be on 7.2. Onwards and upwards.
The Washington Post covers blogging of the California Recall. There are no media angles left that blogs aren't covering these days....
For those of you who haven't seen the early releases of VW 7.2, there are a number of niceties coming down the pike:
While these things seem minimal, they make working with the system much more pleasant. It's all part of the long term effort to make VisualWorks easier to use. Another thing to take note of is the delivery of Beta 3 of Pollock. Pollock is the new GUI under development for VW - for news on the process, read Sam Shuster's blog. There's still a lot to be done on Pollock, but what's there has enough meat to take a serious look at.
Also new to preview is GLORP - the open source O/R mapping framework for Smalltalk. While GLORP is not complete, work is progressing steadily - and with a lot of very welcome help from the community
Make sure to check here for updated information on the fall release!
We recently redesigned the training courses for Cincom Smalltalk. I spent a few years teaching the VW Intro course back in the ParcPlace days. The problem with that course was the amount of material it tried to cover, and the amount of classroom lecture time it had.\
First, the material - we tried to cover way, way too much. In an intro course, we tried to take people from no Smalltalk knowledge at all to building a complex GUI and domain in 4 1/2 days. I clearly recall people sitting - eyes glazed over - by mid Wednesday. We got to a point of information overload by trying to do too much, too fast. I don't think this problem was specific to our course - it seems somewhat endemic to the industry.
We had the chance to revisit the material and redesign last year, so I encouraged our course designer to go light on the lecture and heavy on the workshops - I figured that the instructor should introduce the topics, give a brief explanation, and then have the students dive in and get their hands dirty in labs. That's how this new course is set up. Which leads to an interesting dispute:
Some of our European partners and employees have voiced the opinion that we went too far away from lecture and "why" instruction. That was purposeful, but it leads to a question from me - is it the case that - especially in German speaking Europe - lecture based courses that are heavy on the "why" are better receieved than the more hands on course we have designed? I've not actually taught any courses in Europe, so I don't have the first hand experience necessary to say yes or no. Is there a cultural difference here or not? Any and all feedback appreciated
I had to get up an an ungodly (for me, anyway) hour this morning - my daughter's girl scout troop is setting off for a camping trip, and she had to leave the house by 7:45. For me, that's early. So of course I sat down at the PC, and found a Bf bug report. Simple issue - the VW http client code doesn't recognize urls with a # character. Well, that's a problem. One of the cool things about Smalltalk is that - when you find a framework bug like this - you can patch the framework. That's what I did, in addition to raising an internal bug report. This is as opposed to most systems, where you can report the bug to the cendor/maintainer - and hope for the best, developing a hacky work-around in the meantime (if you can). In BottomFeeder terms, this created a problem in spawning a browser on any BlogSpot link - the links to feed items all have # characters. The fix is in now - you can upgrade from the update tool. In the meantime, I should go back to bed....
There's an interesting article on CNet News about Sun and McNealy's management. That's not really what caught my eye though. Down near the bottom of the article is this quote from McNealy:
"The thing that scares me to death is that people are afraid to tell me what they really think," McNealy told CNET News.com in 1996.
That's a problem for lots and lots of companies - all you have to do is spend some time consulting and you'll figure that out. The "rank and file" workers have many complaints, but how many of them ever filter up to the top? In the most successful companies, I'd guess that the feedback reaches the executive offices. In too many cases, it doesn't - for a variety of reasons:
It may even be the case that management would be overjoyed to hear what regular employees think - but some combination of corporate culture and people issues prevents the interaction from ever happening. It would be interesting to find out how many senior execs actually want honest feedback, but are prevented from getting it due to layers of preventative culture.
If Isabel follows the middle of the (current) projected storm track, the drainage we installed this sumer will certainly get an acid test. Right now, the middle of the projection is right up the Chesapeake Bay.
This week I'm going to be doing something I haven't done in a long, long time - teach the VW Intro to Smalltalk class. At this point, the biggest adaptation for me is going to be the work hours - I am so used to working at home and setting my own hours that having to conform to a more normal "9 to 5"day is going to be a shock all by itself. I don't know how much network access or time I'll have during the day, so blogging may well be very light during the day this coming week.
|
| Subscribe to WebVelocity |
| Visit this group |