Death March

February 20th, 2009 by Peter

I am proudly following the Internet Explorer 6 death march.

Creating a rogue CA certificate

January 12th, 2009 by Peter

A presentation at the CCC 2008 congress showed how to create a rogue CA certificate, based on the well-known flaws in the MD5 hashing algorithm. There is also an exhaustive explanation on the web. Verisign already reacted and switched to SHA-1. For students it might be interesting to see that a very basic crypto algorithm flaw can possibly harm a whole Internet security infrastructure. What happens if SHA-1 is broken tomorrow?

CORBA oneway

December 15th, 2008 by Peter

In my middleware course, we discussed the true meaning of oneway in CORBA IDL. The standard defines that oneway has at-most-once delivery behaviour, meaning that such operation calls might not be processed by the server, but if they are, then only once. But some students (and many sources) then automatically equate oneway with asynchronous procedure calls, which is wrong (check CORBA AMI). There is still no returning of a result value. The client calls and continues immediately.

It also turned out that the detailed oneway semantic is not as ORB-dependent as you might think. Since GIOP 1.2, there is the SyncScopePolicy that allows you to specify ‘how reliably’ the client ORB should deliver the message. Besides the standard (non-regulated) behavior, you can demand at least acceptance by the servant-side TCP stack (SYNC_WITH_TRANSPORT), reception by some servant (SYNC_WITH_SERVER), or even the processing as with a normal synchronous method (SYNC_WITH_TARGET).

Spamming for research

November 11th, 2008 by Peter

Some authors from Berkeley published a paper about their infiltration of the largest known Spam bot network. The article is an interesting example of carefully interpreted statistical data, but also a good analysis of anti-spam technologies and their effectiveness. Of course, the usual suspects could not resist drawing generalized (and wrong) conclusions from it …

Java EE 6 on the way

November 7th, 2008 by Peter

Time is running so fast …

Sun is about to release a new beta version of their application server GlassFish, which will implement the next J2EE / Java EE version 6. As usual, Java EE 6 is based on a JCP document.

One new focus is on profiles, which allow vendors to take a subset of the (huge) Java EE API set and build an according “compliant” application server. The major use case is – of course – web applications. So the only profile under discussion so far is the “Web Profile”. This includes the unavoidable inclusion of REST support.

The more interesting part is called “pruning”. The Sun people aim at some cleanup of the historically grown API set, which is really a good idea. Most of the currently discussed removal candidates have more powerful replacements since EE 5, so this is not extremely painful. The early review draft document of the EE 6 spec says:

“Technologies that may be pruned in a future release are marked Proposed Optional below. Technologies that have been pruned are marked Optional below. There are no Optional technologies for Java EE 6.”

The “proposed optional” marking is so far only given for JAX-RPC and JAXR (search for “POPT” in the JCR document). So you can see that Sun remains extremely conservative with non-backward-compatible changes. This is somewhat bad, because the burden of nearly unused small APIs is still there. Who ever used JavaMail?

GlassFish will also add support for several JVM-based scripting languages such as JRuby. This smells like a reaction to the .NET idea, and is anyway a good step. The Java language / component model still contains huge design mistakes from the past (e.g. call-by-value vs. call-by-reference, package structure as directories, naming conventions as component layout, …), so it is wise to open up for alternatives. The realization strategy is nebulous, and the David Wheeler argument again strikes. JRuby wraps Ruby code in Java classes, which are instantiated by a Java application server, which is run by the virtual machine, which relies on operating system libraries, which rely on the operating system core functions, which … Layers over layers over layers.

Peering and Transit

September 8th, 2008 by Peter

A nice article about the underlying rules of peering and transit fees in the Internet autonomous systems (AS). If you ever wanted to know why your HTTP request for the local newspaper home page travels through New York, here is the answer:

http://arstechnica.com/guides/other/peering-and-transit.ars

DRMAA Version 2 – Call for Action

September 5th, 2008 by Peter

I recently announced the start of the specification work for DRMAA2.

Most interested people know that the DRMAA group is extremely conservative regarding major API changes. Of course, this is one of the reasons for the broad adoption of the spec. The upcoming months are therefore one of the few chances to trigger major changes in the API layout. Challenge us with JSDL, SAGA, OGSA-BES or anything else – we are quite open for ideas. Contact details are described on drmaa.org.

Parallel programming: Doomsayers and simplifiers

September 5th, 2008 by Peter

Michael Wolfe summarizes in his article the heated debate about how to do multi-core / SMP programming in the right way. Great article, and completely agreed from the researcher's point of view, even though I find his conclusion not really helpful.

The sad truth is there are not so many useful general (parallel) algorithms for the big mass of applications. To be honest, how many programs on your machine multiply matrices? The big history of parallel processing in computer science helps in understanding the challenges, but not in finding the solution for a typical real-world application. From my perspective, we have to teach the students the balance between auto-magically solved problems (loop parallelization, scalable concurrent programming constructs) and things that will be always part of the application design, like the reasonable definition of task parallelism granularity. Sounds like exercises, exercises, exercises …

Internet reliability

August 27th, 2008 by Peter

Security of distributed systems becomes more interesting again. The ancient Internet technologies more and more show their architectural weaknesses. I recommend every serious computer science student to understand the recent problems with BGP (here and here, or better here) and DNS (here, or better here). This is the stuff you have to deal with in the future of the Internet (and no, IPv6 is not a solution).

Password check against LDAP server in PHP

August 26th, 2008 by Peter

I have a long and unfriendly history with PHP. Since I moved to serious languages such as Python, these dark times are over. However, a colleague asked me for some help with his PHP application. He wanted to check user name and password against the LDAP interface of a Lotus Notes server. Here is the code snippet.

I left out the HTML form code that fills the $_POST variables. The “uid” attribute as anchor to find further information might not work in other directories than Notes. Use a tool on your server to find the right one.

Please note that PHP silently performs an anonymous bind if the provided password in ldap_bind() is empty. Please also note the very “advanced” result structure of ldap_get_entries(). No further comment …
[sourcecode language='php']
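if (!empty($_POST["user"])) {
    // PHP silently performs an anonymous bind when the password is empty, so reject it first
    if (trim($_POST["pw"] ?? "") == "") die("Empty password not allowed");
    $server = ldap_connect("our.ldap.server.se");
    if (@ldap_bind($server, $_POST["user"], $_POST["pw"])) {
        print "Good one<br>";
    } else {
        print "Go away<br>";
    }
    // for fun, get all available info about this guy
    // escape the user name so it cannot change the structure of the search filter
    $filter = "(uid=" . ldap_escape($_POST["user"], "", LDAP_ESCAPE_FILTER) . ")";
    $query = ldap_search($server, "", $filter);
    $res = ldap_get_entries($server, $query);
    // the result nests a "count" key at every level: entries, attribute names, values
    for ($entry = 0; $entry < $res["count"]; $entry++)
        for ($attr = 0; $attr < $res[$entry]["count"]; $attr++) {
            $attrname = $res[$entry][$attr];
            for ($val = 0; $val < $res[$entry][$attrname]["count"]; $val++) {
                // encode directory values before they are written into the HTML page
                $actval = htmlentities($res[$entry][$attrname][$val], ENT_QUOTES, "UTF-8");
                print $attrname . ": " . $actval . "<br>";
            }
        }
}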
[/sourcecode]
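
The two checks this snippet depends on, the empty-password bind and the user name placed into the search filter, shown as an added Python example that is not part of the original post. The function names and sample inputs are constructed; the bind classification follows RFC 4513 section 5.1 and the escaping follows RFC 4515 section 3.

```python
# Added example (not from the original post): pre-bind checks for an LDAP login.
# Function names and sample inputs are constructed for illustration.

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an assertion value in a filter."""
    # Character-by-character mapping, so an inserted backslash is never escaped twice.
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def uid_filter(user: str) -> str:
    """Build the post's (uid=...) filter without letting input alter its structure."""
    return "(uid=" + escape_filter_value(user) + ")"


def bind_kind(name: str, password: str) -> str:
    """Classify a simple bind request the way RFC 4513 section 5.1 does."""
    if password == "":
        # With an empty password the server verifies nothing about the caller.
        return "anonymous" if name == "" else "unauthenticated"
    return "name/password"


def may_attempt_bind(name: str, password: str) -> bool:
    """Mirror the post's trim() check on the password and also require a user name."""
    return name != "" and password.strip() != ""


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive from the login form.
    samples = [("peter", "s3cret"), ("peter", ""), ("", ""), ("pe*er)(cn=x", "pw")]
    for user, pw in samples:
        print(repr(user), bind_kind(user, pw), may_attempt_bind(user, pw), uid_filter(user))
```

A bind that succeeds as "unauthenticated" says nothing about the password, which is why the check has to happen before the bind call and not on its return value.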