my recent reads..

Atomic Accidents: A History of Nuclear Meltdowns and Disasters; From the Ozark Mountains to Fukushima
Power Sources and Supplies: World Class Designs
Red Storm Rising
Locked On
Analog Circuits Cookbook
The Teeth Of The Tiger
Sharpe's Gold
Without Remorse
Practical Oscillator Handbook
Red Rabbit

Tuesday, March 25, 2008

A380 - how to spend €billions and still get simple things wrong picks up on a Telegraph article asking "why are there still ashtrays in the Airbus A380?"

Good question, but not the only example of seemingly stupid "missed opportunities" to innovate in the A380.

One of the first I noticed was the new positioning of the inflight entertainment controller in the seat back. At first it seems perfect, since it avoids the accidental activation which is a real problem when the controller is built into the armrest (which is the case in most other cabin fitouts I've seen).

But then consider the way it is oriented - mounted on the side. This results in a classic failure to "get the mappings right" (one of Norman's design rules in "The Psychology of Everyday Things"). If you use the controller without removing it from its holder (which turns out to be a very handy usage), then you need to transpose the controls 90°. Up means right, down means left etc. Ironically, when the controller is mounted in the armrest, the horizontal layout tends to "get the mappings right" if you use it in-situ because of the way the hand is positioned.

It could have been so perfect if the controller designers were collaborating with the seat designers, with a clear focus on usability. The controller could be mounted vertically, or redesigned for a side-side layout.

As it is, a missed opportunity to produce the very best design. And a very, very minor usability problem is one of my lasting impressions of my first A380 flight, overshadowing all the billions of euros invested in the plane.

What else? Well, I'm surprised they persist in using the special 2-prong audio jack. I'm sure there's some weird logic about discouraging passengers from nicking the headsets (even though policing headset issue and collection still seems to rate as one of the cabin staffs' most important duties!)

But as I look around the cabin more and more people are using their own earphones. The ones that aren't probably forget to bring the special adapter. For planes like the A380 starting their service life in the 21st century, I'd expect it would be the norm for most air travellers to be carry a headset of some description, and it would make sense for cabin designers to take advantage of the fact and use standard audio sockets, and provide headsets "by exception". Win-win: passengers get to use their own familiar headsets without needing an adapter, and cabin crew get to save time for more important things.

See, I can get cranky about the smallest details;-)

Expect users to be just as critical, nitpicking and cranky about the software we give them! And rightly so... it doesn't really matter how much time and money has been invested if you don't get the simple things right.

Earthcore & Infected

Scott Sigler has the book launch of Infected coming up on 1-Apr. No joke, you can pre-order on Amazon already.
..a cinematic, relentlessly paced novel that mixes and matches genres, combining horror, technothriller, and suspense..

Sigler's been one of the stars of the free podcast-audiobook scene, and its great to see him on the mainstream bookshelves. In fact, you can still get Infected as a podcast download here at podiobooks. Sigler reads his own works, and he's got the voice for it too. See the Infected promo page at podiobooks for more info.

Earthcore was the first Sigler novel I came across, also highly recommended. I found it some time ago, before I started blogging about books actually, which is why you are only seeing a post about it now.

I listened to Earthcore as a podcast available here at podiobooks. In fact I think it was my very first podiobook download, and got me hooked on the whole podiobooks idea (from which I've since discovered other great authors like Terry Fallis and Nathan Lowell).

These authors are all making podcast versions of their works freely available. It is a fantastic way to discover new authors and enjoy their books in audio. They deserve our support if you like what they do. Podiobooks takes donations directly. And for authors like Sigler we can buy their books in print too!

Originally posted on It's a Prata Life

Monday, March 24, 2008

Got a License to Operate Your Brain?

Geoffrey Grosenbach took a diversion on the Ruby on Rails podcast recently, with a fascinating two-part interview with John Medina (part 1, part 2).

Medina is a very engaging speaker, with some controversial but well researched ideas on how the brain works, and why so many of our social conventions in school and the workplace actually conspire against optimal brain performance. I gather its a discussion of many of the ideas from his book Brain Rules.

Well worth a listen.

Sunday, March 23, 2008

Clear Timezones and jQuery

Choon Keat recently posted a great little web tool to help simple scheduling across timezones.

Makes it really easy to have a quick look at how times line-up around the world. For example, I've saved this link to see Vancouver (my sister), Melbourne/Sydney (most of the rest of the family) and Singapore (me) all in one go.

It's done in pure Javascript, and is a good example of jQuery in action if you care to look;-)

See also: for encyclopaedic coverage of everything related to times and dates.

The Psychology of Everyday Things

POET - the familiar name that Donald A. Norman gave his 1988 classic "The Psychology of Everyday Things" which I recently picked up in the library. It has since been updated a little and reissued as The Design of Everyday Things. But I like POET.

There is, after all, great poetry to be found in the workings of even the simplest device. And when things are not so artfully conceived: great tragedy and boon for cranky geeks everywhere.

How can one not enjoy, for example, subjecting alarm clocks that have identical "snooze" and "reset" buttons to exemplary castigation? Or lambasting the purveyor of inappropriate door handles: those that are designed to "pull", but require a label that says "push" because that is the way the door swings?

Norman's approach is refreshing.
Humans do not always behave clumsily. Humans do not always err. But they do when the things they use are badly conceived and designed. Nonetheless, we still see human error blamed for all that befalls society.

Despite being published in 1988 and primarily drawing its examples from the world of simple electro-mechanical devices, the book's philosophy and advice is remarkably enduring.

It is all about user-centered design, and as relevant today as it was in Internet Prehistory. Norman posits Seven Principles of Design:
  1. Use both knowledge in the world and knowledge in the head
  2. simplify the structure of tasks
  3. Make things visible: bridge the gulfs of Execution and Evaluation
  4. Get the mappings right
  5. Exploit the power of contraints, both natural and artificial
  6. Design for error
  7. When all else fails, standardize

The Lego Heresy

I do take issue with one example however. Norman presents the case of a Lego police motorcycle model as an example of excellent design.

Why? The design cleverly exploits physical, semantic and cultural constraints so that there is basically only one construction solution.

Which is great if the objective is to make construction quick, easy and repeatable with a high degree of quality.

Great! Its teaching kids how to be highly productive assembly line workers.

And that is where I think Lego started to go badly wrong. New Lego, personified by custom molded pieces and kits that could only make one design, may win design awards.

But it does not serve it's purpose and it's users. The beauty and enjoyment in Classic Lego came from the very fact of its flexibility and lack of constraints. With a little squinting, it was possible to believe you could build anything. As Norman himself argues, there are situations where it is useful to pervert the design principles (such as with safety features).

Classic Lego is a perfect study in the appropriate application of Norman's principles in reverse, whereas New Lego is just a great way to waste money.

To mangle a famous quote..
Give a child a Lego Police Motorcycle Kit, and you have bought a few hours of peace.
Give a child a Lego Basic Bulk Set, and they are set for a lifetime.

Which would you prefer?

Originally posted on It's a Prata Life

Sunday, March 16, 2008


I've had my head in Neal Stephenson's Cryptonomicon for the past few weeks and finally finished it. Seriously, at a thousand-over pages, its not one to knock over in an evening.

But it is a fantastic tale. Actually more like three tales in one.

It makes me wonder how he does it. The writing is like stream of consciousness, and I guess it would need to be judging how prolific he is (I haven't even started on the baroque cycle). Yet if mere mortals like you or I would try this, I am pretty sure the result would be pure tripe.

Cryptonomicon is anything but.

I am dazzled and intrigued by the miscellaneous tangential twists and turns of the narrative, and the incredibly inventive detail that scatter the way, like breadcrumbs leading to a safe haven.

Little things such as his similes.
.. dead-monitor-screen grey..
Now isn't that brilliant? Surely deserves a named place in the CSS Color Palette if I were the judge!

And subtle digs that flit by if you are not paying attention.
"You know what that is? It's one of those men-are-from-venus, women-are-from-mars things"
"I have not heard this phrase but I understand immediately what you are saying."
"It's one of those American books where once you've heard the title you don't even need to read it," Randy says.
Oh so true.
"Then I won't."

Originally posted on It's a Prata Life.

Saturday, March 15, 2008 - cool & effective "media" sharing

..I hesitate to say "file sharing" because it gets funkier than that. Record somthing on your phone, mail to your drop, and it shows up as an enclosure on an rss feed = instant podcast!

The basics are solid - dead simple file sharing. First heard about this on net@nite; definitely worth checking out.

If - for some reason I can't think of right now - you wanted to send me a file, you can now drop it on my widget: simple private sharing

Using OVD Filtered Directories for LDAP Authentication

Oracle Virtual Directory (OVD) is one of the little-known or understood hero products in the Oracle suite of technology offerings [I put OEM Grid Control in the same class].

In this post I'm going to share a few thoughts on OVD, and present a few approaches for using OVD to present a restricted view of information from another directory, and how that can be used to limit access to applications that use an LDAP authentication mechanism.

When I was first learning about OVD back in early 2007, after the Oracle acquisition, it immediately grabbed my attention. Simple, easy to use, but so powerful - a swiss army knife for anyone working in the directory management space. Maybe that is the wrong analogy, because the greatness in OVD is that it doesn't try to boil the ocean - it just does one thing, but does it really well.

Simply put, it allows you to combine directory-related information from disparate sources (LDAP, AD, database etc) and present an LDAP-compliant view in real-time. And the virtual bit is real (if that makes any sense) - OVD doesn't store anything, unlike a meta-directory; it just passes through the directory requests according to the rules you setup.

The virtual nature makes OVD ideal in large enterprise situations, where control of directories may be distributed. Another group may have a directory that contains some information you want to use as part of your "directory view", but are not going to cede any ownership or agree to any changes anytime soon, like adding some new attributes. Wheel in OVD!

Likewise, affiliated companies may want to share directory information, but not handover control. And if the business relationship comes to and end, the directory owners want to know that they can turn off access in a moment, without needing worry about cached or replicated data left on the other side of the corporate divide. OVD to the rescue!

Case in Point: you need a subset of an existing directory

The inspiration for this post is a small challenge I was involved with recently. The company was deploying a new web application - just happened to be Oracle WebCenter Wiki, but the same applies to any application that supports LDAP authentication.

The only directory available contained a mix of users - some who should be able to access the wiki, and some who shouldn't. Configuring the wiki authentication mechanism at the directory is simple - but it is an all or nothing proposition. And of course, we couldn't go change anything the directory itself.

Sounded like a job for OVD!

Here's the basic setup - OVD is deployed between our application and the main directory, like a proxy server. We want to OVD to effectively "filter" requests from the application.

Configuration of OVD is done using the OVD Manager client, which connects to the administration port of the OVD server.

Approach #1: DN Matching

If you can define the distinction between included/excluded entries in terms of an entry's DN, then a very simple solution is to use the "DN Matching" property of the source adapter. This is fund in the Routing configuration.

Say for example, we only wanted our OVD directory to include entries that are in the ou=ITGroup or ou=Management containers. In this case, we would set the DN Matching property with a regular expression that will match on the DN string:

Approach #2: ACL Restrictions

In practice, the DN may not provide enough information to distinguish items to include and exclude, and it is necessary to discriminate on the basis of an attribute, such as "departmentName". In this case, access control in the OVD engine may be configured to restrict the directory view based on a suitable filter.
Filter: departmentName=ITGroup

It is important to note with this approach that ACLs can be applied to all LDAP operations, except bind.

As a result, the directory view we have created with OVD appears to only contain the filtered subset of information: we cannot browse, serach, get or modify anything else. However, if you present a fully-qualified DN and associated password, it will authenticate and bind any entry that exists in the source database.

On spec, that seems to blow the whole approach out of the water. That's what I was thinking too, until Mark Wilcox helpfully nudged me along with a neat insight...

If our requirement is to use OVD to restrict the set of users that can authenticate via an application, we only need to consider the application authentication mechanism. In most cases, the process is similar to the one illustrated below. The user enters an id or username, which is used by the application to lookup the user's DN, which is then used to bind along with the user-supplied password. If the application can't find the DN in the first place, then no bind is possible.

Of course, the acknowledged security "exposure" in this case is that a user can bypass the application and directly bind via OVD if they know their DN. However this is probably a false risk, because the user would have always had a similar capability with the source directory itself (assuming that the source directory and OVD are equally accessible to the user over the network).

Bottom line? Using ACLs to restrict the search effectively controls the set of users that the application can authenticate.

In Practice: Oracle WebCenter Wiki

Oracle WebCenter Wiki is thye example application, but you can think of it as any old J2EE application packaged as an EAR that supports Java SSO. By default it will use JAZN XML file-based storage for user accounts.

When deployed in OC4J, the security provider used for the Wiki application can be easily changed via the Enterprise Manager web interface.

Switching to OVD as the authentication source is a simple matter of selecting the Oracle Security Provider for 3rd Party LDAP Server and configuring it with some simple directory details:

Almost done. There are two assumptions that I think the wiki makes about the directory. Just need to make sure these are setup:
  • wiki users must be members of the group called "users"
  • administrators are members of the group called "oc4j-administrators"

Now you are done. The wiki authentication is being performed against the limited set of users visible through OVD.

Caveat: selecting the Oracle Security Provider for 3rd Party LDAP Server causes the site to revert to basic authentication (i.e. popup a username/password dialog instead of using a web form). Not a big deal, but you will find the "logout" feature in the wiki now fails because it assumes form-based custom authentication. So once you have people lured into your wiki, they are trapped! ;-)

Wrapping Up

I've covered two techniques for restricting the set of information published via OVD: DN Mapping, and ACL Filters.

There are other approaches that I've not covered here. For one, Java or Python plug-ins (a.k.a. mappings) can achieve the same result, as well as more complex behaviours of course.

These techniques allow OVD to be used to restrict overall access control for applications that use LDAP authentication mechanisms.

Once again, hat-tip to Mark Wilcox for his help when I thought I'd hit a wall while researching this topic!

Sunday, March 09, 2008

Desktop Keyboards Stuck in Design Limbo

Keyboards are terrific examples of how bad design can get stuck in a rut, unable to overcome inertia. Everyone says qwerty is a bad idea, yet I couldn't imagine using anything else now since it's use is so ingrained.

But another aspect of keyboard design that has me really grumpy is the whole numeric keypad appendage on desktop keyboards. It is a holdover from the days when users were "data entry clerks". But we are stuck with it (Microsoft only have two keyboard models without it, while ALL Logitech models are saddled with this cancer Postscript: Dean Chu corrected me here; Logitech's diNovo models don't have the numeric keyboard).

This started to really annoy me of late, because I've been switching between a laptop during the day, and a desktop at night.

Working with a desktop keyboard again was feeling really strange and difficult, but after some reflection I realised the problem. My right-hand is used to shifting all the time between jkl; and the mouse. On the laptop, this is a subtle and effortless gesture. On the desktop, its like playing table tennis.

The fact that virtually all laptop designs eschew the separate numeric keypad should be proof that it is evolutionary dead wood.

So this is my grumpy call for all keyboard manufacturers to wake up their snoozing product managers/designers and actually innovate for once. Fix this ergonomic nightmare! At least give us some choice ... integrate it with function keys like laptops; use separate USB numeric keypads; even consider sticking it on the left-hand side of the keyboard.

And for all those poor souls who really are still data entry clerks, I'm sure there will be no-brand outfits from China knocking out standard 102-key designs for years to come.

Is it just me? Did I get up on the wrong side of the bed today, or do others feel this way too?

Postscript 9-Feb-2009 ... hat tip to mqt for linking Trevor Blackwell's solution: just chop it off! If you gotta take a bandsaw to a product to make it fit-for-use, then something's wrong, right?!!

Saturday, March 08, 2008

Appcelerator - bringing down the wall between RIA and SOA?

I wonder if the Appcelerator guys have finally cracked the RIA and SOA dichotomy? I first came across them on Coté's RIA Weekly #008 RedMonk Radio podcast.

I've presented my views before on what I see as the three megatrends in IT:
  • Web 2.0 - or more generally, RIA
  • SOA
  • Grid - although today I'd probably update this to be "Cloud Computing"

But the distinction between RIA and SOA has always felt forced; unrelated working metaphors, owing more to the historical segregation of the communities addressing each than strict architectural principles.

While industry lines have been drawn very clearly around these two domains (take OpenSOA v. OpenAJAX for example), there have been many attempts to nibble away at the distinction. AJAX toolkits like SAJAX and SWATO strive to make calling back-end resources more convenient. And frameworks like ADF approach the problem from the other end, by "hiding" AJAX rendering in their server-side, SOA-aware paradigm.

So what has Appcelerator got to do with this?

From what I understand so far, the key is that they have unified the event/messaging model both within the browser and the "SOA-sphere", and done so in a very elegant way. There are three parts to their solution:
  • Web Expression Language
  • RIA Widget Framework
  • RIA Message Broker

All components in an Appcelerator application communicate via simple lightweight messages using the RIA Message Broker. On the server-side, Appcelerator provides a set of SOA Integration Points that enable service creation in Java, PHP, Ruby, .NET, Python and Perl.

On the client, the Web Expression Language message-enables HTML elements. The RIA Widget Framework is a Javascript-based API that enables you to create new widgets and wraps existing third-party widgets like scriptaculous.

The end result is a very clean, lightweight and seemless development approach. HTML attributes define behaviour: what messages to send, and what to do when a message is received. And the real magic: when you send a message, you do not know or care if it handled by another HTML element on the same page, or a SOAP Web Service somewhere out on the net.

Here's how straight-forward it gets. An example of an input button messaging a calendar widget to show itself..
<html xmlns="" xmlns:app="">
<app:calendar title="Pick a Date" on="l:show.calendar then execute" inputId="mydate">
<input type="text" id="mydate" value="click me" on="focus then l:show.calendar"/>

Or an input button sending a message...
<input type="button" value="submit" on="click then r:login.request"/>

.. that is handled by a Java service:
import org.appcelerator.annotation.Service;
import org.appcelerator.messaging.Message;

public class LoginService
@Service(request = "login.request", response = "login.response")
protected void processLogin (Message request, Message response)
// get request data
String username = request.getData().getString("username");
String password = request.getData().getString("password");

User user = userDAO.login(username,password);

// format response
if (user != null)

Appcelerator looks like one to definitely watch closely and investigate further..

Proven Enhancement

Never has Rails Trac been more entertaining than this. The change history is just too funny;-)