Thursday, April 14, 2005

Life-Caching



Trendwatching.com has identified a trend called life-caching. What is "life-caching"? It's the emerging capabilities for...

...collecting, storing and displaying one's entire life, for private use, or for friends, family, even the entire world to peruse. ...[it] owes much to bloggers... millions of people have taken to digitally indexing their thoughts, rants and God knows what else; all online, disclosing the virtual caches of their daily lives, exciting or boring. Next came moblogging, connecting camera phones to online diaries, allowing not only for more visuals to be added to blogs, but also for real-time, on the go postings of experiences and events. And that's still just the beginning.


Trendwatching notes services like Nokia's Lifeblog, which uses the Nokia 6620 as the hub of a collection service for notes, videos, high-res (1.1 Megapixel) still photos, sound clips, etc. and is capable of delivering the life-cache to an Internet blog site.

Think Gmail's 2+ gigabyte limit and miniaturized high-density MP3 players that are worn on a lanyard (like the iPod Shuffle). Microsoft Research's Rick Rashid had a neat sound bite:

...you can store every conversation you've ever had in a terabyte. You can store every picture you've ever taken in another terabyte. And the Net Present Value of a terabyte is USD 200...


Three interesting ramifications to the life-caching trend that I see:

Security - if you're able to carry around a USB flash card that centralizes your music, photos, videos, documents, etc., then security will be a huge concern. You don't want to lose the equivalent of your entire life to a stranger. So... how can you protect your data?

Privacy - publishing an increasing percentage of your life-cache to the Internet raises a variety of privacy concerns. Will the bad guys (and it's difficult to even identify who the bad guys are these days) get hold of your data in such a way as to compromise your identity, subsume your credit or otherwise cause heartache? With life-caching, the ChoicePoints of the world aren't disclosing the data the bad guys require... you are.

Counter-googling - attendant with privacy issues is the one-to-one marketing trend called counter-googling, in which legitimate companies build up directories of useful information about customers and prospects based upon the public life-caches they've assembled. Companies will know more and more about you -- even without the ChoicePoints of the world -- and will use that data to target your whims, desires and weaknesses to extract additional dough from your wallet.
 

Wednesday, April 13, 2005

Firefox's SwitchProxy



News.com reports that RoundTwo -- formerly known as MozSource -- has re-dedicated itself to building Firefox extensions. Their contention is that the same users flocking to Firefox in droves will also be looking for safe and reliable products to enhance the Firefox experience.

They are thinking of products like SwitchProxy, which allows you to select from a list of web proxies. The proxies can provide (but certainly don't guarantee) a level of anonymity for surfers by adding a layer of indirection to your surfing. The web server you're visiting, for instance, will record the IP address of the proxy... and not your IP.

Ah, but where to find anonymous proxies? The MozMonkey Forum has a lengthy thread discussing this very topic. For your viewing pleasure, I've coalesced some of the lists mentioned.

In addition, there are tools like the ProxyTester, which will examine lists of proxies and let you know the ones that are still alive and kicking. And, of course there are tools to test the anonymity services provided by these proxies: ProxyJudge and Anonymizer's Privacy Tester may fit the bill.

In any event, use these lists at your own risk - they are culled from MozMonkey and have not been checked or examined in any depth. The onus is on you to determine suitability and applicability to your particular web surfing requirements. Nuff said.

http://www.stayinvisible.com/index.pl/proxy_list
http://www.steganos.com/?area=updateproxylist
http://abcdelasecurite.free.fr/html/modules.php?op=modload
http://www.geocities.com/nothing75487548/proxy.txt
http://www.geocities.com/switchproxylist/
http://www.aliveproxy.com/socks5-list/
http://free-proxy-servers.com/
http://anoniem-surfen.eigenstart.nl/
http://www.geocities.com/switchproxylist/massive.txt
http://www.multiproxy.org/anon_proxy.htm
http://www.i-hacked.com/.../Finding-and-Using-Anonymous-Proxies-9.html
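The anonymity testers mentioned above (ProxyJudge and the like) work by reporting what the web server can read out of the request headers. Here is an added example of that server-side check, written by me for this post rather than taken from RoundTwo, MozMonkey or any of the tools linked; it assumes header names have already been lowercased, treats Via, Proxy-Connection and Forwarded as evidence of a proxy, and treats a populated X-Forwarded-For as evidence of a "transparent" proxy that discloses the originating client address (which is what a server operator wants in the audit log when it is available).

```cpp
#include <map>
#include <string>

// Header name (assumed lowercased by the caller) -> value.
using Headers = std::map<std::string, std::string>;

enum class ProxyLevel {
    NoEvidence,   // looks like a direct connection, or a proxy that strips everything
    Anonymous,    // proxy headers present, but no client address disclosed
    Transparent   // proxy passed the original client address along
};

struct ProxyVerdict {
    ProxyLevel level;
    std::string revealedClientIp; // non-empty only for Transparent
};

// X-Forwarded-For is "client, proxy1, proxy2": the first entry is the client.
std::string FirstHop(const std::string& xff) {
    auto comma = xff.find(',');
    std::string first = (comma == std::string::npos) ? xff : xff.substr(0, comma);
    auto b = first.find_first_not_of(" \t");
    auto e = first.find_last_not_of(" \t");
    return (b == std::string::npos) ? "" : first.substr(b, e - b + 1);
}

// What the web server can conclude about the client from its headers.
// A full judge would also parse "Forwarded: for=..." (RFC 7239); here it is
// only treated as a proxy marker to keep the example short.
ProxyVerdict Classify(const Headers& h) {
    bool proxyMarkers = h.count("via") || h.count("proxy-connection") || h.count("forwarded");
    auto xff = h.find("x-forwarded-for");
    if (xff != h.end() && !FirstHop(xff->second).empty()) {
        return {ProxyLevel::Transparent, FirstHop(xff->second)};
    }
    if (proxyMarkers) {
        return {ProxyLevel::Anonymous, ""};
    }
    return {ProxyLevel::NoEvidence, ""};
}
```

Note that NoEvidence is exactly that: the absence of these headers proves nothing about the path the request took, which is why the author's "at your own risk" caveat above stands.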


News.com: Start-up wants to improve on Firefox
 

Tuesday, April 12, 2005

The Real Die-In



Marc Fencil is a senior majoring in political science at Ohio University. He also happens to be -- at the moment -- a Marine serving in Iraq. His eloquent and powerful letter-to-the-editor was printed in Ohio University's Post Online. It was a response to the recent "die-in" sponsored by the Leftist moonbats so typical of academe.

Yes, a handful of coddled wankers, whose most recent hardship consisted of having to wait ten minutes for a lukewarm mocha latte at the corner coffee klatch, continue to demonstrate their staggering and profound ignorance while siding with the Zarqawis of the world. Arrayed against freedom, arrayed against the forces of good, arrayed against History itself - the Leftist moonbats orbit the provably false hypotheses of "WMD lies", war-for-oil, and Halliburton. That's the extent of their brilliance: rehashed movie magic from the Leni Riefenstahl of the twenty-first century. Perhaps the moonbats are actually orbiting Michael Moore himself. Goodness knows, he's big enough to have his own gravitational field.

Just read the whole thing.

It’s a shame that I’m here in Iraq with the Marines right now and not back at Ohio University completing my senior year and joining in blissful ignorance with the enlightened, war-seasoned protesters who participated in the recent “die-in” at College Gate. It would appear that all the action is back home, but why don’t we make sure? That’s right, this is an open invitation for you to cut your hair, take a shower, get in shape and come on over! If Michael Moore can shave and lose enough weight to fit into a pair of camouflage utilities, then he can come too!

Make sure you all say your goodbyes to your loved ones though, because you won’t be seeing them for at least the next nine months. You need to get here quick because I don’t want you to miss a thing. You missed last month’s discovery of a basement full of suicide vests from the former regime (I’m sure Saddam’s henchmen just wore them because they were trendy though). You weren’t here for the opening of a brand new school we built either. You might also notice women exercising their new freedom of walking to the market unaccompanied by their husbands.

There is a man here, we just call him al-Zarqawi, but we think he’d be delighted to sit down and give you some advice on how you can further disrespect the victims of Sept. 11 and the 1,600 of America’s bravest who have laid down their lives for a safer world. Of course he’ll still call you “infidel” but since you already agree that there is no real evil in the world, I see no reason for you to be afraid. Besides, didn’t you say that radical Islam is a religion of peace and tolerance?

I’m warning you though -it’s not going to be all fun and games over here. You might have bad dreams for the next several nights after you zip up the body bag over a friend’s disfigured face. I know you think that nothing, even a world free of terror for one’s children, is worth dying for, but bear with me here. We’re going to live in conditions you’ve never dreamt about. You should get here soon though, because the temperatures are going to be over 130 degrees very soon and we will be carrying full combat loads (we’re still going to work though). When it’s all over, I promise you can go back to your coffee houses and preach about social justice and peace while you continue to live outside of reality.

If you decide to decline my offer, then at least you should sleep well tonight knowing that men wearing black facemasks and carrying AK-47s yelling “Allahu Akbar” over here are proud of you and are forever indebted to you for advancing their cause of terror. While you ponder this, I’ll get back to the real “die-in” over here. I don’t mind.


LGF: Marc Fencil's Letter-to-the-Editor
 

Will LAMP Eclipse Java?



The new software company ActiveGrid has introduced its application server, which is based upon LAMP technology. LAMP (Linux-Apache-MySQL-PHP/Perl/Python) is the open-source stack used so successfully by companies like Google and Yahoo to build massively scalable server-based applications. And, personally, I feel LAMP should be used in the majority of situations where Java/J2EE apps are used today: I've seen too many J2EE apps that went over-budget and too many similar LAMP budgets that went under-budget. And I'm comparing apples-to-apples, though corporate confidentiality agreements prevent me from elaborating upon project specifics.

All that being said, I'm highly skeptical about ActiveGrid's claims that J2EE app servers are no longer necessary. It's great marketing hype, but I would have to see how ActiveGrid stands up to true session-integrity requirements.

For example, consider when you're using your broker's website online. You're in the middle of specifying a stock transaction when the server on the back-end dies. Session-integrity would allow another server to pick up seamlessly where the first left off, without losing any of the information entered in the session up to the point where the first server died. Now those are the kinds of systems J2EE was designed to handle.

An open-source software company called ActiveGrid is challenging the established thinking among builders of large-scale business applications.

The premise of ActiveGrid, which released an early version of its server software and tools on Monday, is that application servers based on the Java 2 Enterprise Edition (J2EE) specification are no longer required. Company Peter Yared was even handing out "No J2EE" pins at LinuxWorld earlier this year...

...In an essay, Yared argued that the day of powerful applications servers that centralize many functions, like database access and caching, are passé.

Instead, a distributed grid of back-end application servers will function more like a "text pump" moving text-based XML files around the network. And scripting languages, he says, are very good at handling text and easily building Web pages.


News.com: Will LAMP eclipse Java?
 

Monday, April 11, 2005

The Collaborators



The consistently brilliant Power Line has followed up on the bizarre story of AP photographers who won the Pulitzer Prize. Some of the photos appear to have been taken in collaboration with terrorist insurgents.

New York Times photographer D. Gorton analyzed the photos and weighed in with his take on this photo:

Leaving aside the ethical specifics of this situation, if I knew that an event was about to occur that included possible violence, I would do exactly what it appears the photographer did in making this picture:

(1) I would choose an elevated mobile platform where I had an unobstructed view of the scene, and where I had maneuverability to observe as well as rapid exit...such as a pickup truck

(2) I would be at enough distance to be somewhat protected and inconspicuous

(3) I would choose a medium telephoto lens that could be hand held in a moving vehicle, yet give me large enough images to be clearly recognizable.

So, the assassination picture has all the earmarks of a planned image, indicating that the photographer had taken most of the considerations that I have written about above.


Power Line: The AP
 

Sunday, April 10, 2005

When Software Kills



The Therac-25, a computer-based radiation therapy machine, massively overdosed patients at least six times between June 1985 and January 1987. Each overdose exposed a patient to several times the normal therapeutic dose and resulted in the patient's severe injury and, in some cases, death. The overdoses occurred primarily because of errors in the data validation routines contained within the Therac-25 software.

For example, a normal therapeutic dose of radiation might consist of exposure to around 200-rad. Physicists believe that the Therac-25 exposed patients to 15,000-rad... or more.

How could such a thing happen?



Poor design and implementation of a multi-tasking application was the primary culprit. If the operator of the Therac-25 performed data-entry under special circumstances, shared variables between the keyboard-handling routine and other tasks could become corrupted. These other tasks included verification that the machine's settings were correct.

The upper collimator, on the other hand, is set to the position dictated by the low-order byte of MEOS by another concurrently running task (Hand) and can therefore be inconsistent with the parameters set in accordance with the information in the high-order byte of MEOS. The software appears to include no checks to detect such an incompatibility.


Basically, aside from the poor design and implementation, there were no paranoia checks.

During machine setup, Set-Up Test will be executed several hundred times since it reschedules itself waiting for other events to occur. In the code, the Class3 variable is incremented by one in each pass through Set-Up Test. Since the Class3 variable is 1 byte, it can only contain a maximum value of 255 decimal. Thus, on every 256th pass through the Set-Up Test code, the variable overflows and has a zero value. That means that on every 256th pass through Set-Up Test, the upper collimator will not be checked and an upper collimator fault will not be detected.

The overexposure occurred when the operator hit the "set" button at the precise moment that Class3 rolled over to zero. Thus Chkcol was not executed, and F$mal was not set to indicate the upper collimator was still in field-light position. The software turned on the full 25 MeV without the target in place and without scanning.
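To make the one-byte rollover concrete, here is an added C++ model of the Set-Up Test scheme described in the excerpt above. It is my illustration, not Therac-25 source code: each pass bumps a one-byte counter and only runs the collimator check when the counter is non-zero, so the check silently disappears on every 256th pass. The "fixed" variant assigns a constant instead of incrementing, which is one way to make the flag incapable of wrapping; names like SetupModel and BuggyPass are mine.

```cpp
#include <cstdint>
#include <iostream>

// Constructed model of the scheduling loop, not the real Therac-25 code.
struct SetupModel {
    std::uint8_t class3 = 0;   // one-byte flag, as in the account above
    int checksSkipped = 0;     // passes on which the collimator check did not run
    int passes = 0;
};

// Buggy scheme: increment, then run the check only if the flag is non-zero.
// Returns true when the collimator check (Chkcol in the excerpt) actually ran.
bool BuggyPass(SetupModel& m) {
    ++m.passes;
    m.class3 = static_cast<std::uint8_t>(m.class3 + 1); // wraps to 0 on pass 256, 512, ...
    if (m.class3 != 0) {
        return true;
    }
    ++m.checksSkipped;          // nothing else notices that the check was skipped
    return false;
}

// Corrected scheme: the flag is *set* to a constant non-zero value, never
// incremented, so it cannot wrap and the check runs on every pass.
bool FixedPass(SetupModel& m) {
    ++m.passes;
    m.class3 = 1;
    if (m.class3 != 0) {
        return true;
    }
    ++m.checksSkipped;
    return false;
}

// Run n passes of the given scheme and report how many checks were skipped.
int SkippedChecks(bool (*pass)(SetupModel&), int n) {
    SetupModel m;
    for (int i = 0; i < n; ++i) {
        pass(m);
    }
    return m.checksSkipped;
}

int main() {
    std::cout << "buggy, 512 passes: " << SkippedChecks(BuggyPass, 512) << " checks skipped\n";
    std::cout << "fixed, 512 passes: " << SkippedChecks(FixedPass, 512) << " checks skipped\n";
    return 0;
}
```

The point of the model is that nothing in the buggy path fails loudly: the skipped check leaves no trace, which is exactly why the audit-trail recommendation below matters.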


Subsequent studies of the software and the processes around the events in question led to recommendations for basic "best practices". Most were obvious: documentation, processes, and standards should have been established - and never were. Even formal testing and rigorous stress tests never took place.

But one recommendation, in particular, is near and dear to my heart:

* Ways to get information about errors -- for example, software audit trails -- should be designed into the software from the beginning.


One of my personal heroes -- Dan Bricklin, the co-inventor of the spreadsheet -- made a similar point a while back. And I blogged about it last year. It's a point worth considering - again.

Because if you write software for a living, you have a responsibility to be dead serious about your code's quality. You never know when someone will borrow, reuse or transplant your code into another package, device, or system. And your code could end up in another system like a Therac-25, where lives hang in the balance.
 

Fortify Your Loops



This is another post in a continuing, yet oddly sporadic, series of entries on building reliable software. Here's another outrageous tenet of my philosophy:

Ban the While Loop

Yes, that's right: ban the while loop. Get rid of any while loops in your code. Today. Here's why.

Consider the following, oh-so-typical code:

myQuery.FetchFirst();
while (!myQuery.IsEndOfFile()) {
    // ... processing steps ...
    myQuery.FetchNext();
}


What's wrong with that? Nothing you say? Au contraire, mon frere. Consider the jamoke who comes after you and adds some additional logic, like so:

myQuery.FetchFirst();
while (!myQuery.IsEndOfFile()) {
    // ... processing steps ...
    if (bSkipRecord) {
        continue;   // FetchNext() below is never reached
    }

    // ... processing steps ...
    myQuery.FetchNext();
}


Guess what? If the boolean bSkipRecord ever gets set, you're in infinite-loop-land and you might as well go out for coffee and a cigarette -- indefinitely -- while this code runs and runs and runs... basically like the Energizer Bunny plugged into a 220-volt outlet.

So, what do we do in cases like this instead of a while loop? Basically, fortify all of your loops. Make them into for loops.

for (myQuery.FetchFirst(); !myQuery.IsEndOfFile(); myQuery.FetchNext()) {
    // ... processing steps ...
    if (bSkipRecord) {
        continue;   // the increment clause still runs FetchNext()
    }

    // ... processing steps ...
}


Now when Einstein adds his logic, we no longer have the catastrophic result of the system hanging (or an internal denial-of-service attack, as I like to call it).

Going a step further, we can fail-safe the loop. By "fail-safing", I mean assigning a maximum number of loop iterations and recording an error if we hit that maximum. This serves two purposes: to short-circuit a possible infinite loop and to detect the fact that the loop constraint did not work as intended.

for (ixCount = 0, myQuery.FetchFirst();
        !myQuery.IsEndOfFile() && ixCount < MAX_TBL_COUNT;
        myQuery.FetchNext(), ixCount++) {
    // ... processing steps ...
    if (bSkipRecord) {
        continue;
    }
    // ... processing steps ...
}
if (ixCount >= MAX_TBL_COUNT) {
    // Note that our loop did not work as intended! Record an error here.
}


So, I guess we can boil this lesson down to two tenets: (a) fortify your loops; and (b) fail-safe your loops.
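Here is an added, compilable C++ version of the fortified, fail-safed loop above. The Cursor class is a constructed stand-in for the post's myQuery (it is my code, not from any library the post mentions) and its "stuck" mode simulates a cursor whose IsEndOfFile() never becomes true, which is the case the iteration cap exists to catch; MAX_TBL_COUNT and the even-id skip rule are assumed values.

```cpp
#include <cstddef>
#include <iostream>
#include <utility>
#include <vector>

// Constructed stand-in for the page's myQuery cursor: it walks a vector of
// record ids. When 'stuck' is set, FetchNext() never advances, simulating a
// cursor whose IsEndOfFile() never becomes true (a broken driver, say).
class Cursor {
public:
    explicit Cursor(std::vector<int> rows, bool stuck = false)
        : rows_(std::move(rows)), stuck_(stuck) {}
    void FetchFirst() { pos_ = 0; }
    void FetchNext() { if (!stuck_) ++pos_; }
    bool IsEndOfFile() const { return pos_ >= rows_.size(); }
    int Current() const { return rows_[pos_]; }
private:
    std::vector<int> rows_;
    bool stuck_;
    std::size_t pos_ = 0;
};

const int MAX_TBL_COUNT = 1000;   // fail-safe bound (assumed value)

struct ScanResult {
    int processed = 0;        // records that reached the final processing step
    int skipped = 0;          // records skipped with 'continue'
    bool failSafeHit = false; // loop ran MAX_TBL_COUNT times without reaching EOF
};

// Fortified and fail-safed loop, following the post's recipe: FetchNext() sits
// in the for-increment so 'continue' cannot starve it, and ixCount bounds the
// iteration count no matter what the cursor reports.
ScanResult ScanTable(Cursor& myQuery) {
    ScanResult r;
    int ixCount;
    for (ixCount = 0, myQuery.FetchFirst();
         !myQuery.IsEndOfFile() && ixCount < MAX_TBL_COUNT;
         myQuery.FetchNext(), ixCount++) {
        bool bSkipRecord = (myQuery.Current() % 2 == 0); // constructed rule: skip even ids
        if (bSkipRecord) {
            ++r.skipped;
            continue;           // safe: the increment clause still runs
        }
        ++r.processed;
    }
    if (ixCount >= MAX_TBL_COUNT) {
        r.failSafeHit = true;   // record the failure instead of hanging
    }
    return r;
}

int main() {
    Cursor good({1, 2, 3, 4, 5});
    ScanResult a = ScanTable(good);
    std::cout << "good cursor: processed=" << a.processed
              << " skipped=" << a.skipped << " failsafe=" << a.failSafeHit << "\n";
    Cursor stuck({2}, true);
    ScanResult b = ScanTable(stuck);
    std::cout << "stuck cursor: processed=" << b.processed
              << " skipped=" << b.skipped << " failsafe=" << b.failSafeHit << "\n";
    return 0;
}
```

With the stuck cursor the loop terminates after exactly MAX_TBL_COUNT passes and failSafeHit is set, so the caller learns that the loop constraint failed rather than discovering it from a hung process.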
 

Friday, April 08, 2005

Oh, Those Perils of Outsourcing!



The Times of India reports that call-center employees of MSource, a financial services outsourcing arm of MphasiS, ripped off about $350,000 from Citibank account holders:

They allegedly transferred a total of Rs 1.5 crore (US $3.5 lakh) from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.

Twelve people, including the alleged mastermind, have been arrested. The police are trying to determine the extent of the scam and whether the accused committed such crimes earlier...

...Asked to divulge the name of the bank, the accounts of which have been hacked into, Dayal said he could not reveal names of the company’s clients as they had signed a non-disclosure agreement. But, according to sources, the bank is Citibank.

According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers’ e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank’s New York-based customers into their own accounts, opened under fictitious names.

The money was transferred to the accounts on February 22, March 23 and March 31. The amount was later withdrawn by cheques drawn in their (accused’s) names or on the names of other people. The customers, from whose accounts the money had been withdrawn, alerted the bank officials in the US, after which the crime was traced to Pune...


In other words, it appears from this report that Citibank's security operation never detected the fraud: the account-holders apparently were the outer edge of the security perimeter. If this holds true, it's potentially a bigger story than trusting outsourced BPO vendors with key corporate secrets.

Forrester Research is predicting that this incident, in combination with incredibly high attrition rates, will serve to dampen the market for BPO outsourcing by as much as 30%.

A couple of take-aways:

1) MphasiS' Pune centre was both BS-7799 security-certified and CMM Level 5-certified. Certifications are no panacea.

2) Citibank needs to examine whether their account-holders detected the fraud before they did... and, if so, how their security organization dropped the ball.

Times of India: BPO staffers hack bank A/Cs, steal Rs 1.5 cr
 

Moonbats on Parade



The irreplaceable LGF points us to ZombieTime's photo coverage of the Eyes Wide Open Anti-War Display, which occurred in San Francisco on March 25. The accompanying picture, which purported to illustrate the number of "Iraqi civilian" deaths is indicative of the lot:

So -- am I hard-hearted? What's wrong with mourning the "civilians"? As I looked at the placards honoring the Iraqis, it occurred to me that the vast majority were adult men. Hmmmm -- why would this be the case? Perhaps because most of them were combatants? While there undoubtedly have been innocent victims of the war (and yes, each of those deaths is a tragedy), not every single Iraqi who died was a "civilian," as the AFSC would want us to believe...

...I'd estimate 75% at least -- of the casualties were (in order, from the start of the war) soldiers in Saddam Hussein's army, Republican Guard troops, Ba'athist "insurgents," Sunni militia members, foreign jihadis, and all manner of thugs, fanatics and killers.

In other words, the enemy. Terrorists. The American military has gone to extremes to minimize civilian casualties, and the vast majority of the time if someone was killed by U.S. forces, that person was killed while actively engaged in the battle to kill Americans.


And be sure to scroll down to the last photo, where you'll find a clue as to the true agenda of the Left Bank Moonbats.

ZombieTime: Eyes Wide Open Anti-War Display
 

Thursday, April 07, 2005

The AP's Pulitzer Prize-winning Photos



The Cassandra Page posted a very popular blog entry entitled, "The Top 10 categories of MSM/DNC bias" on April 2nd. With excellent linkage to real (and, often, nearly unbelievable) incidents, it quickly became one of the most popular blog entries in the last few weeks. Well, it's now up to 20 categories... and counting. Read the whole thing.

I bring the Cassandra post up because of the recent Pulitzer Prize awards. Twenty news photos from the AP received awards.

Riding Sun (hat tip: LGF) and the Jawa Report have examined all of the photos... and what they found was more disturbing than the concept of "Governor Gary Coleman".

I looked at the twenty photographs and broke them into groups on the basis of content. Here are my results:

* U.S. troops injured, dead, or mourning: 3 (2, 3, 11)
* Iraqi civilians harmed by the war: 7 (4, 5, 8, 9, 10, 13, 18)
* Insurgents looking determined or deadly: 3 (6, 15, 20)
* US troops looking overwhelmed or uncertain: 3 (7, 12, 14)
* US troops controlling Iraqi prisoners: 2 (16, 17)
* Iraqis celebrating attacks on US forces: 2 (1, 19)

Equally telling is what the photos don’t show:

* US forces looking heroic: 0
* US forces helping Iraqi civilians: 0
* Iraqis expressing support for US forces: 0
* Iraqis expressing opposition to insurgents: 0


After analysis, Jawa states, " two... photos clearly show that the AP has ties to terrorists and insurgents fighting the U.S." The accompanying photo is a case-in-point. The AP just happened to be there when insurgents dragged some civilian innocents out of a vehicle and capped them in the middle of a busy road.

The AP - collaborating with the enemy? Who'da thunk it?

Riding Sun: Analyzing the AP's Pulitzer-prize-winning Photos
 

Bruce Schneier on the Publicity surrounding Quantum Cryptography



In an era where endpoint security (i.e., what is running on my workstation?) is the Achilles' Heel of network security, the PR around quantum cryptography is, uhm, somewhat disturbing.

Bruce Schneier said it best:

Security is only as strong as its weakest link and cryptography is the best link we have... I break a lot of things for a living, but I almost never break the crypto.


Forbes: Building a hacker-proof network
 

Bench Press



Funny comment on Pete's blog regarding bench-press accidents (along with a link to a pretty scary drop of an 800-pound bench):

If you find me crushed to death by the weights, put a few more plates on before you get help.


Exactly. And take a few pictures. At least the farewell comments of the mourners would be, "damn, I didn't know he could bench 500!".

Pete also referenced my own frightening experience of benching while failing to use a spotter. That won't happen again.
 

Wednesday, April 06, 2005

The Wharton School on the Future of Blogging



I haven't read something quite as disappointing as the Wharton School's analysis of the "Future of Blogging" in some time.

The article's omissions -- whether through sheer inexperience with the blogosphere or willful neglect -- are almost shameful. The following are some excerpts that caught my eye - my comments are in bold.

"This is not a fad. It's the rise of amateur content, which is replacing the centralized, controlled content done by professionals." --Dan Hunter, Wharton legal studies professor

True, but I'd hardly term articles by Powerline's three high-powered attorneys, 'amateur content'. In most cases, bloggers like Hugh Hewitt and Powerline offer superior investigative, organizational, and writing skills -- along with advanced knowledge of the legal system. Contrast that sort of experience with, say, that of an AP stringer... and while there's a mismatch between amateur and professional - it's not the one that Wharton intended to highlight.

...In the future, Fader says, a technology may be created to rate credible bloggers. The system, which would operate like eBay's buyer and seller ratings, could create a blogger pecking order based on readers' opinions...

Uhmmm, well, there already are blogosphere rankings like TTLB's Blogosphere Ecosystem. And Technorati has been tracking blog popularity through link relationships for quite some time. Either system can be used to rate credibility.

...investigative journalism will still be the hallmark of the media. "First-hand reporting will be the distinction between blogging and journalism," Hunter adds.

You must be joking. Investigative journalism like Rathergate and the Eason Jordan affair? Or first-hand reporting from the frontlines of Democracy in Iraq or the tsunami-devastated towns of Banda Aceh and Phuket?

Bloggers do firsthand and investigative journalism better than the MSM - because bloggers are everywhere... and their credibility is at stake with every story, due to the inherently self-correcting nature of the blogosphere.


While corporations can chalk up blogging as a marketing expense, the story is a little different for individuals. Can blogging pay the bills? If you are lucky, you can pay the hosting fees, but that's about it, say Wharton experts.

Uhmm, better get some new experts. The major blogs are making serious coin. Drudge is reported to have made millions in advertising revenue from his site. Using the blogosphere's leading ad network, Blogads, I've calculated some ballpark revenues for the following sites:

$6000/week - Daily Kos
$4000/week - Instapundit
$4000/week - Eschaton
$3750/week - Little Green Footballs
$3000/week - Talking Points Memo
$1800/week - Hugh Hewitt
$1600/week - Wonkette

Of course, this doesn't count their ad revenue from GoogleAds, associates' revenue from Amazon, and other ad networks. So, even in my brief survey, there is some ca-ching occurring on the major blog sites.


The article was passably interesting, but certainly did not appear to have a good handle on the evolution of the blogosphere. In fact, if I said, "Haloscan" to the unnamed authors, I'm betting I'd get a "huh?" in return.

A disappointing effort, especially given the Wharton's School's excellent track record.

News.com: Wharton on the Future of Blogging
 

The Future of Pay-per-Click



In a story that hasn't seen wide publicity, Google and Yahoo News have been sued by an online gift shop for allegedly overcharging on "pay-per-click" (PPC) advertising.

Lane's Gifts and Collectibles says in a Miller County lawsuit that the Internet companies charged it for advertising traffic not generated by bona fide customers... Lane's alleges a conspiracy in which the companies worked with one another to create an online environment that harms advertisers.

The companies, it says, "have grown the Internet PPC (pay per click) advertising market while failing to disclose that they have routinely and systematically overcharged and-or overcollected for PPC advertising revenue from their customers."


In the past, Google and Yahoo have both disclosed the risk of fraudulent click-throughs. After all, who can guarantee that someone clicking on your ad isn't your competitor (trying to drive your costs up) or a bot of some kind?

Here's another real risk I haven't seen publicized: distributed zombie attacks on the PPC model and specific customers.

If the crooks controlling zombie networks so decided, they could easily blow up the PPC market by randomly clicking on advertisements -- thousands a minute. It would be extremely difficult for the ad networks to detect and then shield advertisers from the effects of random, distributed source IP addresses.

Or the zombie networks could target a specific advertiser by driving up their specific CPC costs.

Either way, the CPC business could get ugly quick.
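The detection problem described above is hard because no single source address stands out. What an ad network can still see is the aggregate: clicks per advertiser per minute against that advertiser's own baseline. Here is an added C++ sketch of such a spike detector, my code rather than anything Google or Yahoo has published; the log format ("unix_seconds advertiser source_ip"), the thresholds, and the sample data are all constructed for the example.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Click { long minute; std::string advertiser; std::string ip; };

// Parse constructed log lines of the form "<unix_seconds> <advertiser> <source_ip>".
std::vector<Click> ParseClicks(const std::string& log) {
    std::vector<Click> out;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream f(line);
        long ts;
        std::string adv, ip;
        if (f >> ts >> adv >> ip) out.push_back({ts / 60, adv, ip});
    }
    return out;
}

struct Alert { std::string advertiser; long minute; int clicks; int distinctIps; };

// Flag every (advertiser, minute) bucket whose click count is at least
// 'minClicks' and more than 'factor' times that advertiser's mean per-minute
// count. distinctIps is reported so an operator can see that the spike is
// spread over many sources (the distributed case) rather than one noisy client.
std::vector<Alert> DetectSpikes(const std::vector<Click>& clicks, double factor, int minClicks) {
    std::map<std::string, std::map<long, std::set<std::string>>> ips;  // adv -> minute -> ips
    std::map<std::string, std::map<long, int>> counts;                 // adv -> minute -> clicks
    for (const Click& c : clicks) {
        ips[c.advertiser][c.minute].insert(c.ip);
        counts[c.advertiser][c.minute]++;
    }
    std::vector<Alert> alerts;
    for (auto a = counts.begin(); a != counts.end(); ++a) {
        double total = 0;
        for (auto m = a->second.begin(); m != a->second.end(); ++m) total += m->second;
        double mean = total / a->second.size();
        for (auto m = a->second.begin(); m != a->second.end(); ++m) {
            if (m->second >= minClicks && m->second > factor * mean) {
                alerts.push_back({a->first, m->first, m->second,
                                  static_cast<int>(ips[a->first][m->first].size())});
            }
        }
    }
    return alerts;
}

// Constructed sample: two advertisers at 2 clicks/minute, then 60 clicks from
// 60 different addresses against "shop" during minute 5.
std::string SampleLog() {
    std::ostringstream log;
    for (long minute = 0; minute < 6; ++minute) {
        for (int k = 1; k <= 2; ++k) {
            log << minute * 60 + k << " other 198.51.100." << k << "\n";
            if (minute < 5) log << minute * 60 + k << " shop 192.0.2." << k << "\n";
        }
    }
    for (int k = 1; k <= 60; ++k) log << 300 + (k - 1) << " shop 203.0.113." << k << "\n";
    return log.str();
}
```

Run with DetectSpikes(ParseClicks(SampleLog()), 3.0, 20): "other" stays quiet, while "shop" in minute 5 produces one alert with 60 clicks from 60 distinct addresses. A mean-based baseline is deliberately simple; a production system would use a longer history and per-advertiser seasonality, but the shape of the signal is the same.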
 

Tuesday, April 05, 2005

Software Development Best Practices: Minimizing Nesting



I'm going to spend a little time blogging about my personal software development best practices. These posts will come in no particular order, but will outline the rules I like to follow when developing software. Reliability, maintainability and simplicity are my personal mantras for development.

Minimizing Nesting



Unnecessary nesting is, if not evil, pretty darn annoying. Whenever possible, developers should strive to minimize nesting. Why? Let's say I have the following code:

//
void CEventHandler::OnNew(const CString& strFileName) {
  //
  CString      strName = CleanFilename(strFileName);
  CString      strLog;
  //
  do {

    //  File-type valid? If not, quit.
    //
    if (!IsFileTypeValid(strName)) {
      break;
    }


    //  Mark file as added.
    //
    m_pPage->m_mapFileClassification.SetAt(strName, (LPVOID) XMP_FILE_ADD);
    m_pPage->ScheduleRefresh();

    //  Event handling.
    //
    strLog.Format("Added: '%s%s'", m_pPage->m_strPath, strName);
    if ((m_pPage->m_folderSettings.m_dwEvents & CFolderSettings::FileCreated) != 0) {
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionLog) != 0) {
        Log(strLog);
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionRoute) != 0) {
        m_pPage->ScheduleRoute();
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionEmail) != 0) {
        m_pPage->ScheduleEmail();
      }
    }

  //
  } while (0);
}


Note that I could have made the IsFileTypeValid check a nested IF clause: if the file type is valid, then do all the rest of the stuff. But I didn't. Because (and this really happened), I later realized that it was in the wrong place. The file-type validity check needed to occur after the scheduled (display) refresh embodied by ScheduleRefresh. So I simply moved those lines of code:

//
void CEventHandler::OnNew(const CString& strFileName) {
  //
  CString      strName = CleanFilename(strFileName);
  CString      strLog;
  //
  do {

    //  Mark file as added.
    //
    m_pPage->m_mapFileClassification.SetAt(strName, (LPVOID) XMP_FILE_ADD);
    m_pPage->ScheduleRefresh();

    //  File-type valid? If not, quit.
    //
    if (!IsFileTypeValid(strName)) {
      break;
    }


    //  Event handling.
    //
    strLog.Format("Added: '%s%s'", m_pPage->m_strPath, strName);
    if ((m_pPage->m_folderSettings.m_dwEvents & CFolderSettings::FileCreated) != 0) {
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionLog) != 0) {
        Log(strLog);
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionRoute) != 0) {
        m_pPage->ScheduleRoute();
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionEmail) != 0) {
        m_pPage->ScheduleEmail();
      }
    }

  //
  } while (0);
}


Now, if I'd originally nested the IF, I'd have to move a bunch more code around... shifting a lot of indentation... and, in general, opening the door to possible errors.

Minimizing nesting greatly aids readability and, thus, maintainability. Whenever possible, bail out of logic (break, throw an exception, whatever floats your boat) when you can cleanly exit a method or function. Don't nest when you don't have to. One caveat with the do { ... } while (0) idiom above: break only leaves the innermost loop or switch, so a break written inside a for loop or switch that is itself nested in the block falls through to the code that follows instead of leaving the block, and a check intended to reject the input silently stops rejecting it. In C++ a plain return, with RAII objects doing the cleanup, has no such trap.
 

Monday, April 04, 2005

A Mission for the Cybersecurity Folks at DHS?



If the cyber-security folks at the Department of Homeland Security are looking for something important to work on, I have an idea:

How about handling identity management for the citizenry?

Because, as Bruce Schneier says, the social-security number -- a relatively short and easily guessed identifier -- shouldn't be the keystone to a person's identity.

And after the various identity-theft debacles at ChoicePoint, Harvard, Lexis, et al., DHS could fill the void by providing a conceptually simple system for managing personal identity.

Here's the gist of the idea: DHS would create and maintain a web-site that would be used to manage and verify identity. Call it id.dhs.gov or something.

To create an individual account, a user would pick a 'handle' and a PIN, password, or pass-phrase. Upon account creation, an individual could verify their identity using the same sort of "shared secret" approach that the IRS employs when you e-File.

From the individual citizen's standpoint, the id.dhs.gov site exists to generate unique identifiers that not only designate individual identity, but are also tied to a specific merchant.

For example, say I fill out a credit application with Infiniti to finance a vehicle. Beforehand, I visit the id.dhs.gov site, login, lookup the merchant ("Infiniti Financial Services/IFS") and generate my unique identifier for IFS, which just appears to be a random bunch of alphanumeric characters. This ID is unique for me and is only useful to IFS, since it's tied to the IFS merchant account.

Thus, when IFS goes to look me up and perform a credit-check with Equifax, they would use DHS as a go-between.

DHS would provide web services to merchants to allow, say, Infiniti to go to Equifax and ask for information on the ID I've given them. The DHS web service would broker the conversation between IFS and Equifax, translating my IFS ID to an equivalent Equifax ID that corresponds to my identity.

So instead of storing SSNs, Equifax, IFS and the other vendors now store DHS IDs. A DHS ID for an individual is different for each merchant.

Thus, if my IFS ID gets disclosed to some unauthorized third-party, I don't care. What can they do with it? Without the help of a DHS merchant, not a whole heck of a lot.

Yes, it requires some DHS integration with the IRS. But if the idea is to eventually rid the world of SSNs, then a DHS-based identity management web site -- and attendant web services -- may make a heck of a lot of sense.
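The per-merchant identifier scheme sketched above, as an added example that is not from the original post. It assumes the broker derives each merchant-specific ID with HMAC-SHA256 over an internal citizen ID and the merchant name (the post only says the ID "appears to be a random bunch of alphanumeric characters"), that merchants calling the translation service have already been authenticated, and that citizen login (handle plus PIN) happens before issue_id is reached. The class and function names, and the constructed citizen and merchant data in demo(), are illustrative.

```python
import hashlib
import hmac
import secrets


class IdentityBroker:
    """Issues per-merchant pseudonymous identifiers and brokers translation
    between two merchants' identifiers for the same person.

    Assumption (not from the post): ID = HMAC-SHA256(master_key, internal_id
    || 0x00 || merchant), truncated. It looks random to the merchant but is
    reproducible by the broker, which holds the only copy of the key.
    """

    ID_LEN = 20  # hex characters handed to merchants (80 bits)

    def __init__(self, master_key=None):
        # The key never leaves the broker; if it leaks, every ID it ever
        # issued becomes linkable, so in production it belongs in an HSM.
        self._key = master_key if master_key is not None else secrets.token_bytes(32)
        self._citizens = {}   # handle -> internal id, never shown to merchants
        self._merchants = set()
        self._issued = {}     # (merchant, merchant_id) -> internal id

    def register_citizen(self, handle):
        if handle in self._citizens:
            raise ValueError("handle already taken")
        self._citizens[handle] = secrets.token_hex(16)

    def register_merchant(self, merchant):
        self._merchants.add(merchant)

    def _derive(self, internal_id, merchant):
        msg = internal_id.encode() + b"\x00" + merchant.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return digest[: self.ID_LEN].upper()

    def issue_id(self, handle, merchant):
        """Citizen-facing: after login, generate the ID to hand to one merchant."""
        if merchant not in self._merchants:
            raise KeyError("unknown merchant: " + merchant)
        internal = self._citizens[handle]
        merchant_id = self._derive(internal, merchant)
        self._issued[(merchant, merchant_id)] = internal
        return merchant_id

    def translate(self, requesting_merchant, presented_id, target_merchant):
        """Merchant-facing web service: map the ID one merchant holds to the ID
        another merchant holds for the same person. Returns None unless the ID
        was issued to the requesting merchant, so a leaked IFS ID presented by
        anyone other than IFS resolves to nothing."""
        internal = self._issued.get((requesting_merchant, presented_id))
        if internal is None or target_merchant not in self._merchants:
            return None
        target_id = self._derive(internal, target_merchant)
        self._issued[(target_merchant, target_id)] = internal
        return target_id


def demo():
    """Walk through the post's Infiniti/Equifax scenario with constructed data."""
    broker = IdentityBroker(master_key=b"fixed-key-for-demo-only")
    broker.register_citizen("alice")
    for m in ("Infiniti Financial Services/IFS", "Equifax", "Mallory Motors"):
        broker.register_merchant(m)

    ifs_id = broker.issue_id("alice", "Infiniti Financial Services/IFS")
    # IFS asks the broker for Alice's Equifax-side identifier.
    equifax_id = broker.translate("Infiniti Financial Services/IFS", ifs_id, "Equifax")
    # A thief holding only the IFS ID, acting as some other merchant, gets nothing.
    stolen = broker.translate("Mallory Motors", ifs_id, "Equifax")
    return ifs_id, equifax_id, stolen


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible. First, the translation table and the master key together link every identifier a person has ever been issued, so the broker replaces the SSN as the keystone rather than eliminating one: it needs the key in hardware, strict merchant authentication, and an audit trail of every translate call. Second, the scheme only holds if merchants cannot impersonate one another; a merchant that can call translate under IFS's name can resolve a leaked IFS ID just as IFS could.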
 

Pretty is as Pretty does



I saw an interesting blurb in Software Development Magazine in which developer John Elrick espouses the benefits of comment-free code. His sidebar article, a response to Christopher Seiwald's "Pillars of Pretty Code", posits that comment blocks are "crutches", especially when they compensate for short, cryptic variable names that could be longer and more explanatory.

He provides sample code to illustrate his point.

/* Minimal definitions assumed here; the article did not show them. */
typedef struct Record { struct Record *next; } Record;
typedef enum { OK, ERR } Status;

Status uNlinkRec(Record **listHead, Record *const recordToRemove) {
  Record *currentRecord, *previousRecord = NULL;
  for (currentRecord = *listHead; currentRecord; currentRecord = currentRecord->next) {
    if (currentRecord == recordToRemove) {
      if (previousRecord)
        previousRecord->next = currentRecord->next;
      else
        *listHead = currentRecord->next;   /* removing the head must move the head pointer */
      currentRecord->next = NULL;
      return OK;
    }
    previousRecord = currentRecord;
  }
  return ERR;
}


I don't have a problem with developers omitting comment blocks (occasionally). First off, I would agree with John that effusive variable names should be required... especially in any language (C, C++, Java) that doesn't incur any performance penalty for long names (another reason fast typing makes a difference! Slow typists are usually loath to use long variable names... :-).

But there is no question that, under most circumstances, comment blocks help! Few code snippets exist in sanitized, easily digestible modules like the one John used, above. Consider the following production code:

  //  Does first JPG chart exist and is up-to-date? If not,
  //    write a new one.
  //
  bXLS = FALSE;
  if (fileFind.FindFile(strFile)) {
    fileFind.FindNextFile();
    fileFind.GetLastWriteTime(timeXLS);
    bXLS = TRUE;
  }
  bHTM = FALSE;
  strFileOut = strFilePrefix + "1.jpg";
  if (fileFind.FindFile(strFileOut)) {
    fileFind.FindNextFile();
    fileFind.GetLastWriteTime(timeHTM);
    bHTM = TRUE;
  }
  //
  if (bFreshUpdate) {
    bGenerateCharts = TRUE;
  } else if (!(bXLS && bHTM && timeHTM >= timeXLS)) {
    bGenerateCharts = TRUE;
  }


Without the comment block, it would require some analysis on the part of the reader to figure out what was going on: in this case, the system is trying to determine whether a JPEG chart exists and is up-to-date (if not, a new one must be generated).

Variables that are long and descriptive are always preferred over short, cryptic names. But comment blocks should also be used whenever there's any doubt of the intent of the code.
 

Sunday, April 03, 2005

The Amazon/Blogger Toolbar



There's one thing that's been bugging me about being an Amazon "Associate". It would be nice to have a little browser-add-in -- a toolbar -- that would make it easy to blog about specific products.

Say I want to mention a DVD or a book. The toolbar would automagically detect the mention and create the correct HTML, hyperlink and image tags included. By right-clicking on my blogger text box, I could paste the HTML into my blog post. And it would include my Associates URL encoding so I get credit for any click-throughs.

The folks at Meatme have a simple (5K) Amazon toolbar, but it's not quite what I need as a blogger. One of these days maybe I'll get around to creating one.
 

Friday, April 01, 2005

Sandy Berger's Plea



Lorie Byrd of PoliPundit reprised a post that she originally wrote just before the '04 Democratic National Convention, regarding Sandy Berger and his self-admitted theft and destruction of classified documents. Anticipating that the media would casually ignore the Berger story, given the impending convention, she wrote:

If the former National Security Advisor has such disregard for the integrity of documents and the rules and laws pertaining to their treatment, what can be said for his regard for the security of the nation and the safety those rules applying to classified documents protects? And what can be said about that former NSA’s boss who regards the entire matter as a joke? I think we can rightly conclude that for many in that administration, that is exactly what national security was – a joke.


Powerline's Hindrocket adds:

It is undisputed that Berger illegally stuffed original documents relating to America's response to the threat of Islamic terrorism into his coat, pants and briefcase. Berger then destroyed a number of these top-secret documents, so that they will never see the light of day. The idea that this was "an honest mistake," as Berger now claims, is ridiculous. Obviously, he was trying to destroy documents that showed the negligence of the Clinton administration--of which he was a key member--in dealing with the threat of terrorism. Key documents relating to our government's inadequate reaction to the threat of Islamic terrorism prior to Sept. 11 are now gone forever, successfully purged from the historical record by one of Bill Clinton's most loyal servants. This plea bargain appears, on its face, to be a disgrace.


Disgrace, indeed. And, it appears the Clinton administration, once again, got away with it.

Having carefully read Buzz Patterson's Dereliction of Duty, an unimpeachable (no pun intended) eyewitness account of the Clinton administration's egregious disregard of national security, the entire Berger affair simply piles more offal on a stinking dungheap of failures. Certainly the administrations of Reagan, Bush 41 and Bush 43 had their security gaffes: the cut-and-run tactics of the Beirut barracks bombing, for instance.

But the Clinton administration's history of obfuscation, evasion of decision-making responsibilities, dismantling of military and intelligence capabilities, and so forth -- ad nauseam -- forces us to contemplate an ominous future in the event that Hillary were to win the '08 election.

PoliPundit's Lorie Byrd: Berger Flashback
 

Those Annoying Newspaper Logins



Those who use the Google News site on a regular basis confront this scourge on a regular basis:

Useless newspaper registrations

Yes, they're more annoying than the guy down the hall who does that sh*tty Yoda impression and thinks it's funny.

As if we need another user-name and password combination to remember. Especially a credential-set that delivers us nothing. Not security -- we don't care about the site, we just want to read the article. Not privacy -- again, we just want the content.

Thankfully, the folks at BugMeNot saw the opportunity to provide similarly disgusted users with newspaper-site credentials. Just enter the URL you want to visit and *voila* - a user-name and password, already pre-registered, will appear.

The sooner the newspaper sites come up with effective, non-intrusive ways to profile their audience, the better. But, given the fact that this is the mainstream media we're talking about, I'm not hopeful that they'll get it anytime soon.

BugMeNot: Ridding the world of annoying, useless passwords