Today is a good day to code

The Security Question

Posted: December 31st, 1969 | Author: | Filed under: Companies, Sun Microsystems, Uncategorized | Tags: | No Comments »


It seems that something like three in every ten tech articles is about some virus, exploit, or other security warning. They are starting to sound like the local news, predicting doom and gloom because clicking on this email or that link can wipe out your computer. I think they are being particularly unfair to Apple, being the largest company with a reputation for security. It wouldn't surprise me too much to see them pay someone to write a Mac virus so that they would have something to talk about. I guess dual-core processors aren't a juicy enough topic; they need something more scary, so they go for the “flaws” in Mac OS that Apple patched. Give me a break! Any developer that has written a stitch of code knows that whenever you release any piece of software to the public, things come up that you didn't, and probably couldn't, foresee, mainly surrounding users and the way they use the applications. Many of the more egregious user problems can be ironed out by getting complete specs and building proper functionality into software, but 90% of this stuff comes down to education.

Now they are harping on Dashboard in Mac OS X 10.4 “Tiger.” They are trying to make it out to be the next ActiveX as far as bad security goes, or bad development decisions. Dashboard is an incredibly useful feature for legitimate development. No software developer should allow malware writers to determine what features or software go into their products. That would be kind of like allowing terrorists to dictate your country's foreign policy, wouldn't it? Those types of decisions should be made by the users and the software developer. Security should be thought of after the features are included. Dashboard is relatively safe. You would have to be root, or be able to execute a Perl script that would gain you root access, to be able to destroy someone's computer. Since you have to jump through some hoops on a Mac to enable root user access, and for most applications you don't need to be root anyway, the effects of this will be minimal.

If you download a widget from what appears to be a legitimate site that turns out to be porn, just delete it and, if it offends you, let Apple and the BBB know what the details are and how you feel you have been wronged. If you download a widget from a sketchy website and it asks you to authenticate and you do it, then it deletes all your files, you probably deserve to have it happen. No one would get into a car and drive it without learning how to not drive off into a ravine. Computers are the same way: there are some simple rules about how to operate them safely, and it is up to the media and users to learn about how to do this.

Instead of just reporting on the bad stuff, giving hackers and malware writers more reason to write malicious code, how about educating Ma and Pa computer user about how to spot nasty code or malware? I'll start.

  • If you open something from the web and the OS prompts you to enter your password, don't do it until you are absolutely sure about what you are doing. If a password is needed, the company that sent you the object should give a good explanation as to why.
  • In the case of Dashboard, I agree with a poster on MacRumors: in your preferences, turn off “Open Safe Files after Download.” Make sure you have to explicitly execute the file to run it. This will prevent widgets from installing themselves.
  • Think about where you are when you are downloading. Do you know these people? Is it a friend's site? What is their reputation? I don't download anything from a site of which I know nothing. If your pop-up blocker is saying that it has blocked ten pop-ups from this site, then you probably don't want to download anything from them.
  • Make sure you have a valid email address or phone number for anyone whose software you install. Chances are that if they don't respond to email or phone calls, then their software isn't any good. Unless, of course, you know the programmer personally.
  • Don't use Windows 98, Windows 95, or Windows 3.1 anymore. Go ahead, treat yourself to an update. Last time I checked, Windows XP ran decently on a PIII 1 GHz computer with 256 MB of RAM. You probably shouldn't be running a pre-security era operating system if you plan to use the internet. If you are on a Mac, OS X 10.4 will run on a circa 2001 iMac G3, or an old PowerMac blue and white, just fine. I am currently running “Tiger” on the iMac 500 and it is reasonable, but better yet, it is way more secure than Mac OS 9.
  • Don't open email from people that you don't know personally, or who don't have a phone number that you have called. If you are unsure, just click new and send an email back to that person and see if you get a decent response. Better yet, delete anything that looks suspicious. I have friends ask me whether I got the email they sent, and I say no because I follow an aggressive policy regarding email. Usually we can catch up over IM anyway. It's that simple: just delete, delete, delete.
  • If you are on the web and you see that you have just won a new iPod, or that you have just won a trip, or you have just won a new laptop, just remember that in this world nothing is given for free, and most of the time these are just hoaxes to get you to give up your personal information so the companies can spam you in various and sundry ways. If you get an email to that effect, or these silly refinancing emails, don't trust them. You have to ask yourself, how did they get my email address in the first place? They probably bought it from some spam outfit looking for a quick buck. They probably aren't reputable.

Probably the most important thing is to upgrade. Don't be afraid of updates from Apple and Microsoft. The short term pain of applying the patch and possibly having some buggy behavior is worth keeping the mountains of files you have on your computer and not losing them to some virus. Whether or not you like Windows XP / 2000 or Mac OS X, they are much more secure than their predecessors.

On the server side, admins should go ahead and update their IIS, JRun, Apache, Tomcat, JBoss, or whatever HTTP server they are using. It is a pain in the behind, I know because I just had to do it, but the more recent versions are way more secure. In most environments you might see some improvement in performance too. Of course you should test it thoroughly before deploying the upgrade, and I know that most admins are way overburdened as it is, but isn't it better to have an updated server than to have to keep fixing the same old issues?


What Does Google Want With Weak AOL?

Posted: December 31st, 1969 | Author: | Filed under: Companies, Google, Microsoft, Sun Microsystems, Uncategorized | Tags: , , | No Comments »


I'm sorry, but Google buying AOL would be a huge waste of money. First off, AOL has nothing that Google doesn't have, and buying it to compete with Microsoft would be stupid. The analysts still don't get it: Google isn't afraid of Microsoft, or anyone for that matter, nor should they be. They are the 500lb gorilla of search. You could take MSN search, multiply it by two, add AOL search, then add the traffic of all the other search engines sans Yahoo and it wouldn't add up to half of Google's search traffic.

The reason Time Warner is of course considering selling AOL to Microsoft is because it is lame. There are only two good things that have come out of AOL in the last decade. The first is AIM, the second is Winamp, which does indeed whip the llama's ass. Still, the success of Winamp has not led to a decent music service, and AIM has not led to anything except a great platform with an annoying client. They just launched an email service for non-AOL members a little over 6 months ago. They are cash rich and bloated.

For that matter, two sagging fat companies like Microsoft and AOL do not a Google killer make. Why can't they see this? They should read more of Sun Tzu's The Art of War, which should still be required reading for any executive in corporate America. Everyone needs to write off broad-based search. Google has won, there is no catching them. Instead they should focus on what they do that Google doesn't in an effort to contain them to search. By trying to follow them in whatever they do, they are following their plan. That is one of the overriding concepts of the Art of War: if your enemy is larger and more powerful than you are, you have to annoy them into making a mistake. Having them follow you all over creation will weaken them, and allow you to destroy them at home. In this instance Microsoft will follow Google on everything they try to do, while taking their focus more and more off their operating system, only for Google to release the Goffice and the GoogleOS, effectively destroying Microsoft. What Microsoft should do is focus on making Office more available on the web, meaning web-based Word, Excel, and PowerPoint for enterprises. They should be focusing on making Vista more than Windows XP service pack 3; it should be robust and provide new and amazing features.

AOL should focus on getting its large base of rural customers onto broadband even if it means losing money. That is the only way to push in the TV over IP that the Time Warner partnership was supposed to bring. The fact that the majority of their users are on dial-up should signal a problem for them, in addition to the growing impatience of their parent corporation. If they weren't so fat, they would wake up and realize they need to do something right now other than looking for another sugar daddy to keep them providing the same stale services they have been serving up for the past decade.

Other than Yahoo, no one has been able to change their business model to fit Google. Obviously both of them have been reading the abovementioned book. They are playing each other perfectly. Watch that space as the battle between Yahoo and Google will be the future of computing. Short of a miracle of clarity, which Microsoft is capable of, they are going to go the way of IBM. Rich, but not important to the cutting edge of information technology.


How the JSTL Could Save My Life

Posted: December 31st, 1969 | Author: | Filed under: Companies, Sun Microsystems, Uncategorized | Tags: | No Comments »


The JSTL is short for Java Standard Tag Library. What it does is take common tasks done by web developers and make them easily callable by using a standard XML-style tag within an HTML / XHTML / XML page. This is great because using JSP at and before 1.0 was often difficult, since developers had to embed entire classes in web pages, or create external classes and link to them. JSP 1.1 introduced the JSTL and made some other improvements, like being able to write code fragments, or Java without having to follow all of the usual rigors of writing Java.

One could create a function or method without having to wrap it in a class. Perhaps some of you are thinking, “Why would anyone want to pervert Java in this fashion? All this would lead to is a bunch of unmaintainable code.” The people who are thinking this probably already have a good library of Java classes lying around that they can call on to do simple tasks.

The first time I wrote “Hello World” as a JSP page the old fashioned way I immediately went back to PHP and ColdFusion. It just didn't make any sense to write all that code simply to print one fragment of a sentence “Hello World.” If I remember correctly, it took something like four to seven properly formatted lines to get a single line of output. To a developer that has been doing ColdFusion or PHP, this is ludicrous. So, let's compare the JSTL with ColdFusion and PHP and you'll see why I am so pumped about it!

To begin, I downloaded the NetBeans 4.0 IDE from Sun. This is probably the best Java IDE around. It allows for visual J2SE development for desktops, making creating interfaces (admittedly a tough point for me) a breeze, and it also assists in JSP development. A development copy of Jakarta Tomcat is installed inside the environment so you don't have to have a JSP wrapper installed. In addition to the usual help documents there are sample applications included in the download. You simply have to create a new project of the type sample, and select the JSTLSample project. This will create a plethora of code and examples for you to browse at your leisure.

One of the tough points was that initially I couldn't get my JSP to work. The reason, I found, was that I didn't have the JSTL class files in the right place, and I didn't really know where to look. Fortunately, I had the samples as an example, and I was able to figure it out. I got everything to work by downloading the proper files for the JSTL from the Jakarta website.

At first, I didn't know where to put them, but after some poking around I discovered that you had to put them in a folder called “lib” under the “WEB-INF” subfolder in the project. There were a bunch of files in there after I unpacked the downloaded archive, and I didn't really like that, so I kept looking and found out that all those jar files could be archived into one massive jar file. I got that out of one of the Tomcat “ROOT” folders that were part of another installation. Anyway, once I got that in place, I was ready to go. All JSP pages that are going to use the JSTL need to call it out by pulling in a taglib.

There are several taglibs that provide the functionality for the ever expanding JSTL standard library, and there are custom taglibs created by some very intrepid JSP developers, of which I hope to be one someday. The way you call out the most basic JSP taglib is as follows:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

This initializes the core JSTL library, which gives you commands to iterate over a dataset, set variables, and evaluate expressions. The other libraries include a functions library that does things like localization and finding and replacing substring elements with other values. It also includes a SQL library that has everything a developer would need for setting up a data connection to a database using a JDBC driver. You can set the data source, then you can pass SQL to the server and handle the returning dataset. There is a formatting library that will allow you to do date and number formatting. The functionality is very good for such a young technology.

There is some overhead in processing the tags vs raw Java, but it is negligible, and with the great increases in code readability I am sure we all can agree it is worth it. Now, a code example of JSP using JSTL. This is the first JSP page I ever wrote.


<c:forEach var="i" begin="1" end="100">
  ${i}
</c:forEach>

That's it. This code will, in an HTML body, count from 1 to 100. To compare that to ColdFusion:


<cfloop index="i" from="1" to="100">
  <cfoutput>#i#</cfoutput>
</cfloop>

Kinda looks the same, doesn't it? It is pretty obvious that the developers working on JSP are going for the same ease of use and readability that ColdFusion provides, as well as allowing for complex Java coding in the back end. Of course, as with ColdFusion, you can make your own Java tags that perform whatever task you can dream up.
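The core, functions and formatting libraries described above, used together in one page, as an added example that is not part of the original post. It also shows something the counting loop does not: `${...}` written straight into the page is output unescaped, while `<c:out>` and `fn:escapeXml` escape markup in the value. The request parameter `name` and the sample list are made up for illustration, and the JSTL 1.1 jars are assumed to be in WEB-INF/lib as described earlier.

```jsp
<%-- Added example, not from the original post. Assumes JSTL 1.1 in WEB-INF/lib
     and a hypothetical request parameter called "name". --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn"  uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>
<%-- core + functions: set a variable from sample data constructed for this example --%>
<c:set var="servers" value="${fn:split('apache,tomcat,jboss', ',')}" />

<%-- core: c:out XML-escapes by default (escapeXml="true"), so markup sent in the
     request parameter is displayed as text instead of being interpreted --%>
<p>Hello, <c:out value="${param.name}" default="guest" /></p>

<%-- functions: fn:escapeXml gives the same escaping inside an attribute value --%>
<form method="get">
  <input type="text" name="name" value="${fn:escapeXml(param.name)}" />
  <input type="submit" value="Send" />
</form>

<%-- core: iterate over a collection with a loop status variable --%>
<ul>
<c:forEach var="server" items="${servers}" varStatus="st">
  <li>${st.count}: <c:out value="${fn:toUpperCase(server)}" /></li>
</c:forEach>
</ul>

<%-- core: conditional on whether the parameter was supplied --%>
<c:choose>
  <c:when test="${empty param.name}"><p>No name supplied.</p></c:when>
  <c:otherwise><p>Name length: ${fn:length(param.name)}</p></c:otherwise>
</c:choose>

<%-- fmt: number and date formatting --%>
<jsp:useBean id="now" class="java.util.Date" />
<p><fmt:formatNumber value="1234567.891" pattern="#,##0.00" /></p>
<p><fmt:formatDate value="${now}" pattern="yyyy-MM-dd HH:mm" /></p>
</body>
</html>
```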

With some community support, the JSTL could become every bit as functional as ColdFusion, and remain pretty much open source. The great thing here is that one can maintain more control over their source, as they are distributing compiled files that have their Java code inside them instead of ColdFusion templates that can be opened in any text editor, revealing all the juicy proprietary code inside.

The reason the JSTL will save my career is that I have not seen any public statement from Adobe about what they intend to do with ColdFusion, and with the JSTL I am less concerned, because I know that I can ramp up on it quickly since I have been working on Java for the better part of a year, and I can produce clean readable code. The ability to extend the JSTL with ease is also very appealing, especially for custom server functions for web applications. I'd say that JSP's future looks very bright indeed, and we'll all continue to hope for the best for ColdFusion.

Here are some links for more info on JSP

Jakarta's Taglibs
Good Article from Sun Microsystems on the JSTL
A good article from JavaWorld on the JSTL


The Future of Scripting

Posted: December 31st, 1969 | Author: | Filed under: ColdFusion, Companies, Microsoft, Programming, Sun Microsystems, Uncategorized | Tags: , , , | 1 Comment »


Initially I wanted to stay away from scripting languages as a developer due to the fact that they weren't really programming languages at all. For some time I was reluctant to even call myself a programmer until I built my first Java desktop application. In CNET's open source blog today, they ask the question: has scripting peaked?

Scripting hasn't peaked out yet. The reason is clear. Building a web site with C++ or Java is like driving an armored tank to your mailbox. It is that ridiculous. The funny thing is that even Microsoft realizes this, giving their ASP.net developers two languages to choose from when developing web applications. There are many reasons for enterprises to choose C# over Visual Basic when building a web application, especially if they already have desktop and client-server applications built using the technology. It would be possible to completely reuse many of the methods used in the desktop application for the web application. The frameworks built into J2EE as well as C# allow for robust development, making it less likely that a developer will lose control of their code. Still, using these technologies and frameworks where a scripting language and a light framework would do adds unnecessary overhead to a project and can push deadlines out unreasonably.

Here's what I see. PHP is a fantastic scripting language that has no real back end and therefore is suitable for light to moderate customer-facing websites and some intranet applications. Use of PHP in this regard will only continue to grow. I think some of the 25% decline in worldwide use is a reactive measure to PHP's early security vulnerability. PHP is losing ground quickly to ASP.net and VB scripting as Microsoft's Server 2003 is more widely adopted. Personally I think that LAMP is superior for many tasks, but ASP.net is almost ubiquitous now, and hosting and maintenance are cheap. I'll continue to use PHP for light jobs, but at the same time I realize that this is just a preference and performance-wise ASP.net is better. Talking about Java… Sun needs to buy ColdFusion from Macromedia / Adobe. It should be THE Java application server. There is no cleaner and easier scripting language, and it has nearly unlimited flexibility and is design-pattern friendly. Why this move hasn't occurred yet is beyond me. It would have made sense for Macromedia to sell it, but I think the issue is that Sun has many proud engineers who love to over-develop products. The thought of supporting something as business friendly as ColdFusion probably makes them sick. The business case for this is probably that Macromedia probably sees the big picture and that there are big bucks in ColdFusion, especially now that enterprises are seeing it as a way to get around JSP's notoriously long development cycles.

I see scripting as having a bright future, and I'll tend to side with Zend's guys as saying that regardless of how the Evans study got its numbers, PHP is increasing in use not decreasing. I'm not sure if it is true, but if the next version of IIS is going to have PHP support built-in, I'll be seriously considering going with a Microsoft server in the near future and running it alongside ColdFusion. I like PHP, but I just like ColdFusion better.

news.com – Scripting's demise


Privacy on the Internet

Posted: December 31st, 1969 | Author: | Filed under: Companies, Sun Microsystems, Uncategorized | Tags: | No Comments »


Privacy on the internet is a myth. If you want to keep your personal information, or public information like your address and phone number, private, then don't have anything to do with publishing on the web. It makes no sense that someone would post something on the internet and then think that it can remain out of reach of the search engines, which most search engines do an incredible job of, or that your information can be kept from zealous searchers.

There have been a number of articles recently about people unhappy with facts about them being made public, or being publicized. I can only say that anyone who posts on the internet has only one single chance for anonymity, and that is that their site gets drowned out among the noise. If a web publisher's site becomes even marginally popular, they are open for scrutiny and their information is fair game. All web publishers take this risk, especially in the age of search engines where your posts are indexed as soon as you write them. All it takes is one backlink, and sometimes not even that. With domains, everyone knows that your information is not private when you register a domain. That is why you should provide a bogus phone number, and a valid email address. You should get yourself a P.O. box to list on your registration so that junk mail doesn't come to your house. You have to do these things if you don't want to be bothered.

What is interesting about all this is that people never seem to mind when someone figures out where a celebrity lives and thousands of fans, crazies, and journalists descend like vultures to surround their house and take naked and unflattering pictures of them. People seem to figure that they have somehow asked for it by being famous. Well, guess what, everyone: anyone who publishes anything on the internet takes the risk of being famous. And while this is really cool for many things, it is definitely uncool for others. Perhaps people should think about that the next time they read some sensationalist article about a superstar, or look at topless pictures of an actress sunbathing on the internet. They should think about how it would feel if it were them. Perhaps they would have more compassion, perhaps not if they are exhibitionists, but they should at least think about it. Personally I don't really feel bad for the guy, the one with the foetry.com domain. He is probably making a small fortune off advertising on his site every time CNET or any of the other media outlets link to him. His PR is probably 6 or better by now. He should enjoy his 15 minutes of fame. That's all most of us get.