Buy me and help the tsunami victims

A group of .NET consultants, including yours truly, have volunteered hours of their time for bid on eBay, with all of the proceeds to go to, an organization working to help the tsunami victims in Southeast Asia. It’s an awesome opportunity for people looking for just some short advice-type consulting (or short project work, though that’s probably harder to pull off in this short a time period) to get both the attention of a world-class consultant (c’mon, when else are you going to get a chance to chat one-on-one with Jeff Richter, Clemens Vasters or Kimberly Tripp?) and help out some victims of Fate’s fickle hand all at the same time. Details are on the eBay page; if this works, we already have some tentative plans to extend it into the Java space, as well–if you’re a Java "celebrity" (their term, not mine), drop me an email if you’d be interested in helping out.

Want to truly open your mind? Argue from the other side

Last week I was getting ready to write up a memorial entry on December 7th, commemorating the Americans who died at Pearl Harbor, when a flashback carried me back to visiting Hawaii earlier this year, and looking around at Pearl Harbor itself at all of the Japanese tourists there and how the memorial must mean something entirely different to them. What, I can’t say, but I was struck by how many there were, almost all of them Japanese and American–very few Europeans, it seemed.

Which led me to an interesting spot; what would the reaction be, I wonder, if I were to have posted this:

    I post this blog entry (on December 7th) in commemoration of the most successful surprise attack in the history of modern warfare. Never before and never since has one nation so utterly struck out of nowhere as did the brave Japanese warriors who decimated the American Pacific Fleet as it lay sleeping in its berth at Pearl Harbor. Banzai, brave warriors!

It’s just as valid a perspective on the date as any other, more "American" commemoration might be, yet clearly, because history is written by the victors, it will be in the significant minority.

The flashback carried me into an interesting line of thinking: to truly understand something, you must see it from a different perspective. For example, for a Spring advocate to truly understand the foibles of EJB, I believe you must use it enough to argue its strengths, and the EJB advocate must do the same with Spring. For the Java developer to be able to criticize .NET, or vice versa, you have to argue for it (and implicitly against your favored position) in order to see how they see the world, and understand how the world looks to people from that perspective. What triggered the rant in the first place was the recent "Architecture of the World Wide Web" document–the Web services crowd, with its WSDL-first and (generally) RPC-oriented way of viewing the world (with all apologies to the brave few who are advocating the messaging-oriented religion), is going to essentially pooh-pooh the document as something that "may have worked then but won’t work now". And yet, I wonder, how many of those people out there building Web services ever gave REST a try?

Am I arguing that REST is "the way to go"? Perhaps, for some systems. Is the WS-* stack then the "right choice"? Again, perhaps, for some systems. But there are clearly architectural principles in each that deserve recognition, and you’re never going to recognize them unless you try each approach and see what works and what doesn’t. Go on, give it a shot: use the other thing (be it REST, WS-*, .NET, Spring, EJB, Java, whatever) for a while. You might find you actually like it. 😉

XMLSpy, how could you?

A while back, on the advice of friends I both deeply respect and care about, I decided to take the plunge, swallow the red pill, and develop as a non-admin on my laptop. For the most part, it’s been a pretty smooth experience, thanks to the tips that Keith Brown offers up in his latest book and online wiki, except for the odd program that just doesn’t like to play by the rules. (Interestingly enough, I can’t think of a Java tool I use that’s been affected by this change–most of the headaches have come from tools that have more to do with the .NET space than the Java space. This I attribute to the fact that Unix-y folks have a rich tradition of not developing as root, so they’re accustomed to the idea and build their systems accordingly.)

One such utility that shocks me in its noncompliance is Altova’s XML Spy; when attempting to install as non-admin, it claims that the .exe is corrupted and needs to be downloaded. After installation, when you run it as non-admin and attempt to fill in the keycode, it tries to write the license file to the Program Files directory, which of course a non-admin doesn’t have access to. (Fortunately, filling out the keycode as admin and then re-running solves the problem.)

Bad Altova! No biscuit!

Particularly since this is such a simple thing–just write the license file to (a) the Registry, or (b) the user’s home directory (C:\Documents and Settings\Ted\xmlspy.lic, for example); there’s really zero need to put this into Program Files given the other options.

(And by the way, Java folks, just keep doing what you’re doing. 🙂) (Now if only we had a bit stronger configuration story, but that’s another story for another day; in fact, the strong .NET configuration story that I’ve been preaching may have a pretty huge flaw in it for precisely this same reason–you can’t write back to the .config file if it’s stored in Program Files, either. So in some respects, at least for user-configuration settings, .NET is in the same boat as Java, except it’s worse, because they lack a Preferences API equivalent. *sigh*)

Another EEJ review, this time on The Rational Edge

Bill Higgins has written a review of EEJ for IBM’s developerWorks, and I’m flattered indeed:

    This book is the best compendium to date of proven techniques for developing high-quality enterprise IT systems that are based on the Java programming language and J2EE platform.

Thanks, Bill! (BTW, check out Bill’s weblog for some good reading, such as his summarization and links to the great debate going on between IBM folks and Microsoft folks on UML (IBM’s camp) vs Domain-Specific Languages (Microsoft’s camp). Definitely worth a look-see; I’m not convinced by either side’s arguments yet, but the discussion is definitely worth keeping an eye on.)

Long live the Moleskine!

Reading this blog just reminded me how much I love the Moleskine notebooks–they’re small enough to stick in the front or back pocket of your jeans, the hard cover makes them easy to write in, and the little pocket at the back of the book is great for holding little slips of paper and stuff (like receipts when you’re traveling). My favorites are the square-ruled ones, since the grid makes for easy class diagrams, but the straight ruled notebooks are good for notes and ideas, too.

My friends all tease and chide me that I need to get a PDA, but frankly, I *like* having paper notebooks for some reason–maybe it’s the connection back to historical roots, or perhaps it’s just the idea of not having to worry about battery life. Regardless, I’m not giving mine up any time soon.

(Borders and Barnes & Noble also have some larger notebooks that are square-ruled, both in the Moleskine-size, as well as a more 5×7-ish size, which is my current "bible", as I’ve mentioned before. They’re not quite as nice, but they also serve the same purpose. Call me old-fashioned, if you will, but there’s just something still really enjoyable about writing with pen on paper.)

One of my favorite books just came out again

I was at SoftPro books in Denver (great store, if you’re ever in the area, just off of Arapahoe and I-25) today with my brother-in-law (another geek who lives in Portland and wrestles daily with unmanaged code, poor soul), and happened to see that the latest edition of Windows Internals has shipped. Immediately went into the shopping basket–no other book I’ve ever found goes into as much intimate detail about the core parts of the Windows operating system as Solomon and Russinovich do. It’s a distinct reminder of the O’Reilly "Inside the Linux Operating System" book–they get into that level of detail, if not more.

Readers with a mind for detail will of course recognize Mark Russinovich’s name as one of the principals behind SysInternals, as well, where many cool little utilities (many of which come with source) hang out.

And those who live in the Java world? You should still buy this book, along with a Linux internals, Solaris Internals, and any other similar kind of book for your operating system–knowing what’s going on "under the hood" can be an invaluable asset, if nothing else than simply because that way you can figure out where the bottlenecks *really* are in your system because you know the operating system itself that much better….

Meanwhile, I’m curling up and seeing what’s changed since Win2k. Talk to you in a few days.

My interview with Ward Cunningham just went live

One of the beautiful things about being the Editor-in-Chief at TheServerSide.NET was that I got the opportunity to sit down and interview all these interesting and fascinating folks, and one my favorite interviews was the one I did with Ward Cunningham, which just went live on TheServerSide.NET. Ward’s a very approachable and down-to-earth guy, a quality I highly respect in somebody who is so respected within the industry.

(And yes, by the way, Ward DOES work at Microsoft now. His reasons for doing so are… well, just pretty typical of his personality:

    Me: We know a little bit of who you are, you are Ward Cunningham but what do you do at Microsoft? What are you part of, which group and what is your job here?

    Ward: At Microsoft I am an architect in the Patterns and Practices Group. I had consulted to Microsoft on a patterns project and I was impressed that they were investing money in organizing and harvesting patterns. They said "Why don’t you come and join us" and I said "Well that will be different." It was just at the right time to try something different.

Gotta love a guy who ups and takes on a full-time role with The Borg just to do something "different". 🙂 )

Meantime, there were a bunch of other interviews I did that are available for your viewing pleasure on the site, as well:

    Rocky Lhotka (whom I just hung out with last night in Sacramento as he came to speak at the Sacramento .NET User’s Group on his CSLA.NET framework–more on that in a future post, there’s some interesting concepts there)
    Bryan Keller, the PM for J# and JLCA, whom I interviewed about a week after the April 2nd Microsoft-Sun agreement went live and we were both still kind of in shock over it….
    Bryan Harry, who’s involved with Team Studio now but is most famous (infamous?) for having been the principal involved in creating Visual Source Safe (which, despite the bad rep it’s been given, was a pretty cool product back in its day)
    Keith Ballinger, Lord of All Things WSE up until a few weeks ago, but still has one of the better Web services books on the market…
    Billy Hollis, another extremely down-to-earth guy and a great person to hang out with, as I do at the patterns&practices Summits…
    Keith Short, whose book "Software Factories" I’m thoroughly enjoying right now….
    Doug Purdy and this Other Guy Who Just Happened To Show Up When He Heard That I Was Going To Interview Doug….
    Jim Miller, one of the CLR Architects and quite possibly one of the brightest (and humblest) guys I’ve ever met…
    Harry Pierson, who runs the Architecture DevCenter on MSDN and is a blast to hang out with around small race cars at TechEd….
    Lori Lamkin and Chris Lucas were two fun interviews for me to do, because they were about Team System prior to its announcement; Prashant, the PM in charge of Team System, gave me the OK to interview them ahead of time and release the interviews on the day (literally on the minute) that he announced it at TechEd. I loved that. 🙂

There are a few more coming that I won’t tell you about (oooh, the suspense), but they were with people of similar stature and interest to those in the .NET (and maybe a few even to the Java) community. Don’t want to keep checking the site? There’s this little "XML" icon on every TSS.NET (and page that links to an RSS feed, and since you’re here, you probably already know what that means…. 😉

In the meantime, for those who hadn’t heard, TSS.NET and are now property of TechTarget, and The Middleware Company has been effectively dissolved as a result. Looks to be another interesting new chapter in the life story of TheServerSide…. Good luck to Floyd and the others in their new home….

So much for my 30 seconds of legal fame…

Well, the case of Sun Microsystems v. the Poor Innocent Website Hoster Known As Ted Neward has entered its next phase, and the net result is, I’m going to make a small change to my domain name registration, and they’re going to call off the legal dogs. C’est tout, as the French say.

The crucial breakthrough came when Mark Herring, Director Community Strategy at Sun, got wind of what was going on, and decided to send me an email asking basically if I was open to talking with him to discuss the whole thing and figure a nice easy way out of it. We talked (about fifteen minutes ago, in fact), and the net result of the whole thing is that:

    They were a little horrified to see how far the legal guy (who, it must again be noted, does not work for Sun) had sort of run with the whole thing. They have "made sure that doesn’t happen again", and were very apologetic about that aspect of the thing. (Note that, however, I’ve never disagreed with some of the original things he brought up in his initial letter–namely the lack of appropriate trademark and/or copyright respect on the site, and those are changes I still need to make.)
    The domain name for is currently set to be "" (as was mentioned in the earlier back-and-forth between myself and the lawyer in the first place); they’ve asked me to change that to be me, personally, as in its current incarnation it looks like it’s a business entity owning the site. This is reasonable, and I’ve agreed. Shouldn’t be a major doing, except just the time required to do it.
    They earned a LOT of respect from me for Sun’s Director Community Strategy and the head legal resource there–they called, we chatted, it was a very friendly conversation, and we’re all happy. Folks, Sun-the-company is NOT a Bad Guy here–they were genuinely shocked at what was going on, and they basically took steps to fix it and create a win-win situation for everybody, at least in this instance. They were polite, there was never any sort of attempt at browbeating or "We’re a big company with $2billion in the bank, you’d better go along or we’re going to sue you into insensibility" or anything along those lines. They even offered to throw in a free T-shirt by way of compensation, which is probably generous, given the total amount of time I had invested in the situation (a couple of emails and a phone call).
    No, I’m not going to give up J2EE in favor of Python or Ruby, though I still harbor no small amount of interest in getting into those platforms anyway; Dave Thomas’ praise of Ruby definitely has my interest piqued, and Python’s just close enough to Java/C# and yet still dynamic like Ruby to merit investigation. (Truth be told: I’ve downloaded Python bits several times over the years, and flipped through the O’Reilly Python book in the bookstore, but just never sat down to learn the thing. *sigh* Too many languages, not enough time.) remains alive and well, modulo the aforementioned changes; of course, now there’s the issue of me actually doing something with the site….

So, for now, it’s more business as usual at In the meantime, though, I’m working on a few JDK 1.5 papers to post (probably both here and there), and hopefully will have them up before the end of the year.

Barring, of course, a legal inquiry from Neward Enterprises Inc over copyright infringement. 😉

Still think Microsoft is the buzzing corpse of vulnerabilities? Check OSVDB

I just recently finished a two-day Java Security seminar gig for network giant Cisco, and as is usual when the topic of security comes up, there were a few jokes primarily at Microsoft’s expense. A little voice nagged me at the back of my head, though, warning me that I probably shouldn’t laugh at the jokes (much less perpetuate one or two), as I know anecdotally that the guys at Microsoft are pretty serious about locking things down; witness the XP SP2 release, for example, the first time in the company’s history that they’re willing to break users in exchange for a more secure system.

At the time, I sort of shrugged off that insistent little voice, but it sort of kept at me for a while as I drove home. Finally, as I was cruising through my neglected set of RSS feeds, I noticed that I was still subscribed to the OSVDB RSS feed, a list of security vulnerability announcements that I’d subscribed to a while back to sort of keep an eye on how things were going in the world around me. (For those of you who aren’t familiar with it, OSVDB is a group of volunteers–as I understand it–who find and track security flaws in lots of products, Microsoft and otherwise, business and otherwise.) I figured, "Maybe a sort of summarization of what the ratio of Microsoft-to-others flaws will put some of this in perspective."

Ready for this? For the week of 11/29/2004, for example, there were 12 Mac OS/X, 3 Cisco, 3 Kreed (whatever that is), 1 Solaris, and 1 VMWare vulnerabilities found, among others. Note the lack of Microsoft in that list.

For the week of 11/22/2004, CMailServer was listed 4 times, Star Wars Battlefront twice, Soldier of Fortune II once, Apple iCal once, PHP once unless you count PHPNews as well (which makes it twice), and BNC IRC Proxy twice, among others. Again note the lack of Microsoft in that list.

In fact, for the period of 11/20/2004 stretching back to 11/1/2004, I counted 78 listings, and Microsoft was mentioned just once. Sun was mentioned more often, in fact: once for a DoS vulnerability in their app server, once for an information disclosure vulnerability when an XSS attack triggers TRACE requests, a Solaris SNMP vulnerability due to a hard-coded string that has read/write access to an SNMP agent, and a JRE vulnerability that leads to DoS if an attacker can get JNDI to return more than 32k records for a DNS request. PHPNuke got particularly blasted during those three weeks, with 6 vulnerabilities listed.

My point?

    Microsoft isn’t as much the hotbed of vulnerabilities as you might think; yes, they have their fair share, but the key words there are "fair share", not "lion’s share" or "biggest burden" or "crappy software". What makes their vulnerabilities so dangerous is the ubiquity of their software, not the quantity of the vulnerabilities themselves.
    Open source projects are just as vulnerable to security flaws as any other; the "thousand pairs of eyes" fallacy breaks down when you realize that most software developers simply aren’t trained to see vulnerabilities when looking at source code. Microsoft (and other vendors) are addressing this by amping up security training for their developers–what’s the open source community going to do to meet that need?
    The majority of vulnerabilities aren’t buffer-overrun attacks any more. There are a lot of information disclosure and denial-of-service attacks that are just as bad as a buffer-overrun attack; so don’t assume that running Java or .NET somehow makes your code secure against the majority of attackers out there.
    Security vulnerabilities generally arise out of a LOT of edge cases; look at the Sun app server vulnerability listed, for example:

        "Java System Application Server contains a flaw that may allow a malicious user to access confidential information. The issue is triggered when cross site scripting (XSS) is used to initiate TRACE requests. It is possible that the flaw may allow access to sensitive header information resulting in a loss of confidentiality and integrity."

    A cross-site scripting attack has to initiate TRACE requests against the Sun server in order to yield the header information disclosure–and I’m sure that the QA guys had this one on their list, but just accidentally skipped it, right? How obscure is this? And yet, it’s something that could give an attacker enough information to compromise a system that you care about. Now THAT’s scary.
    Anybody who thinks that you can buy a firewall product and somehow "be secure" ought to be taken out into the courtyard and shot. Repeatedly. With large-caliber weapons.
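As an added example (not from the post and not from OSVDB or Sun), here is what the TRACE header disclosure behind that entry looks like in Python, beside the usual fix: one handler reflects the request the way RFC 7231 describes TRACE, the hardened one answers 405 with an empty body, and a small check lets a site owner confirm which behaviour their own server has. The localhost address, the ephemeral port and the session-cookie value are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoTraceHandler(BaseHTTPRequestHandler):
    """TRACE as RFC 7231 describes it: the request line and headers are
    reflected in the response body.  Script in a page normally cannot read
    the browser's Cookie or Authorization headers, but it can read this
    echo, which is the header disclosure in the OSVDB entry above."""

    def do_TRACE(self):
        echoed = self.requestline + "\r\n"
        echoed += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = echoed.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


class NoTraceHandler(EchoTraceHandler):
    """Hardened variant: answer TRACE (and TRACK, the IIS spelling) with
    405 and an empty body, so nothing from the request is ever echoed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACK = do_TRACE


def start_server(handler_cls):
    """Serve handler_cls on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def trace_leaks_headers(port, marker="CONSTRUCTED-SESSION-ID"):
    """Check one of your own servers: send a TRACE carrying a Cookie and
    return (status, leaked), where leaked is True if the cookie value
    came back in the response body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": f"sid={marker}"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, marker.encode() in body
    finally:
        conn.close()


if __name__ == "__main__":
    for cls in (EchoTraceHandler, NoTraceHandler):
        srv, port = start_server(cls)
        print(cls.__name__, trace_leaks_headers(port))  # (200, True) / (405, False)
        srv.shutdown()
```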

Sorry, Dion–Vietnam is still with us

Dion Almaer posted

    Ted Neward will be happy. It appears that the Vietnam that Ted thinks is ORM is coming to a close. In Gavin’s talk about Hibernate 3 at JavaPolis: There is talk that Hibernate 3 may be the last release. He was relaying the message that he feels that most of the problems involved in ORM have been taken care of, and that there are other problems to move on to. Is it the end of Vietnam? No more ORM innovation?

No, Dion, not quite. Stopping with Hibernate 3 simply means that Gavin’s unwilling to "put more boots on the ground", not that we’re out of Vietnam. How long do you think it will take some well-meaning-but-unaware-of-what-they’re-signing-up-for developer to volunteer to develop "Hibernate 4" in order to "just add one more thing"? That’s the crucial thing that makes this a quagmire–every time you start working with an O/RM utility/tool/framework, you find "just one more thing" that you’d like to add, and before too long, you’re wishing you could just carpet-bomb the whole thing and start over….

What we need (and even this doesn’t fix the problem entirely) is first-class tools (a la languages) that incorporate both concepts directly, not after-the-fact crutches that allow the underlying dissonance to peek through the layers of supposed abstraction. (And if you look at Hibernate, it doesn’t really abstract away all that much, to be honest; that’s partly why developers can be at least partially successful with it compared to those tools/frameworks/libraries that tried to completely hide away any notion of the RDBMS.)

Anybody interested in starting up an open-source SQL/J compiler?