Some more on secure social networking - iHazYrCreds

The other day I added my voice to the call to end the perfidious practice of social networking sites requesting your email password.

In the discussion I made an off-hand reference to a fictitious site called iHazYrCreds. Well, it's not fictitious any longer ;-) For better or worse, you can now visit iHazYrCreds.tardate.com to find out more about the common password traps to avoid.

I'd like to see the day when asking for an email password in order to "import contacts" is deemed totally unacceptable (and negligent professional practice).

I would also welcome any moves by the big email providers (google, yahoo etc) to explicitly outlaw such use in their terms of service. I'm no lawyer, but I believe it is debatable whether it is already a violation.

net.gain

..or "how to (try) and make the new economy work like the old one" I recently borrowed John Hagel III and Arther G. Armstrong's Net Gain: Expanding Markets Through Virtual Communitiesfrom a colleague for a quick read. It was published in 1997 by McKinsey & Company, and I must say it kinda shows. The book suffers from a myopic pre-occupation with the dual assumptions that: organisations must race to establish virtual communities: the spoils will go to the fast and the bold the aim is to profit from transactions conducted by the community while also garnering peerless customer loyalty Ah, the golden days of the internet bubble! This is an interesting read if for no other reason than to see how far we have come; how much has been learnt, and how much we have yet to learn.

As I studied the authors' recipe for profitable community-building I found myself challenging the principle that success requires an imposition of control by an organisation: the company studies the market, decides what community should be built, writes a business case for it, and appoints the expert team to design, build, launch, and market the community.

This is an astonishing proposition given the book's initial premise:

The rise of virtual communities .. has set in motion an unprecedented shift in power from vendors of goods and services to the customers who buy them.

"Over my dead body!" I can hear the voices echoing from the boardroom - undoubtedly the prime audience for this book, which I think could reasonably be subtitled "how to (try) and make the new economy work like the old one".

The idea of a "community" that is both external to the organisation while remaining under its control permeates the book, and is perhaps the primary misconception that has taken the past 10 years to rethink and recognise for the oxymoron that it is.

This is closely related to the fundamental yet unspoken assumption of a hard boundary between the corporation and the customer/community. In parts of the book that consider the use of communities within the corporation, the emphasis is very much on within the corporation, or at most, between business partners.

My comments have been a little disparaging, and it is perhaps unfair to find fault in failing to predict the future accurately. It does mean that this book is now little more than a historical curiosity.

However, the book I would be very interested to read is a "10th anniversary rewrite". For my money, I'd say that's Wikinomics: How Mass Collaboration Changes Everything (any other recommendations? I'm keen to hear..)

For now, I think I'll let Geek and Poke have the last word...




Originally posted on It's a Prata Life

'Promote Bad Security Practice' Grand Achievement Awards

As usual, Jeff cuts to the heart of the matter on Coding Horror when calling out Yelp for the astonishingly evil and unconscionable act of asking users to hand over their email passwords.

I am not sure who started this, but it has somehow scarily become accepted practice, especially among the social networking sites. Facebook, LinkedIn, Plaxo ... they all do it, and seem to think that waving some privacy mumbo-jumbo 'but you can trust US!' makes it OK. Some are particularly heinous, like Tagged, which obscure the fact that handing over your email password is optional.


As many have pointed out (see the comments on Jeff's post), this is a lazy solution to a problem that is solvable in ways that do not need to compromise user security.

Facebook, LinkedIn - these guys should know better. And I think have an obligation to do better, especially since it is becoming more and more common for a social networking site to be an individual's first experience on the net. While the old hands may have well-ingrained security awareness thanks to the evangelizing efforts of people like Steve Gibson and Leo Laporte on the Security Now! podcast, we have a whole new generation of users being taught exactly the wrong thing thanks to the misguided and irresponsible acts of the social networking sites that are requesting email passwords to be handed over.

The proliferation of this perfidious practice must be reversed! A good first step is to heap professional scorn on anyone associated with developing such a feature. Shame!

Oracle Release Timeline with Dipity

Derek Dukes was on net@nite #53 the other week, and it was really interesting to hear him talk about dipity.

Dipity is an experiment in information organisation, with time being the primary dimension currently being explored. Similar in a way to MIT's SMILE widget, which I was investigating a while back for visualizing time-based information.

Dipity shows a great deal of promise, and I like its emphasis on self-discovery and organisation information if directed (rather than everything having to be painstakingly entered). It is certainly a fun way to get lost for a few hours and learn a whole lot of stuff you never set out to study (just go to the home page and start checking out different timelines!)

Ulrich has already worked up a history of Oracle Releases. Not complete, but a fantastic visualisation that would be worth supporting and maintaining!

NB: I'm posting a static image here for now, because the embed code doesn't seem to work in all browsers at the moment.

Adding reCAPTCHA to Oracle SSO - now on sourceforge

Yes, it's time for some house cleaning!

One of my favourite little hacks is how to add reCAPTCHA to Oracle SSO, which I wrote about last year. I've now finally got around to setting it up with its own sourceforge project.

OssoRecaptcha is a demonstration of integrating the CAPTCHA service from recaptcha.org with Oracle Single-Sign-On. It can be used in production OSSO deployments, and also as an example of integrating any 3rd party authentication system with OSSO.

Request header rewrites with Java servlet filters - now on sourceforge

Some time back I posted a sample and discussion of request header rewrites with Java servlet filters, and I now finally got around to setting it up with its own sourceforge project.

RewriteRequestHeaderFilter is a Java servlet filter for request header rewrites according to regex rules specified in the servlet init parameters. It is packaged as a sample application and also jar that can be inserted into any arbitrary site.

Config Files for Windows - an Enhancement

In a previous post, I described a general scheme for managing config files for Windows.

Well, there's a simple enhancement that I've added concerning how to locate the config file for the script in question.

The issue is that if I run a script, you always wanted to look for the config file relative to the script location. This can be easily done using Windows Batch Parameter Expansion. %~dp0 expands to the path of the current script, and %~n0 is the name of the script file. Hence, to name the appropriate config file for a script, we generate the name as follows:

set LOCALCONF=%~dp0conf\%~n0-%COMPUTERNAME%.cmd

Blog Stats

I want a t-shirt just like this for my birthday, except I'd change it to "..than MY blog" and add my url;-).



Originally posted on Prata Life..

Business Networking that Doesn't Suck

I really like Geoffrey Grosenbach's ruby on rails podcast, especially because it's not just about rails (even though Rails is a keen interest of mine).

On the latest issue, I was excited to learn about biznik.com. "Business Networking that Doesn't Suck" as they say.

I immediately subscribed, but was disappointed to find that there's nothing happening in my local area yet (Singapore), at least not within 6000km.


Something that we should change soon, especially given the attention paid to entrepreneurship in Singapore. Take the efforts of SPRING for example, or the investment that the government is making in Interactive Digital Media.

I love the idea of this site, and hope to find some local compatriots up there soon!

Forgotten benefits of moving to the cloud..

Out of sight, out of mind.. no more gadget-purchase grief;-)



Originally posted on Prata Life..

Tu Plang, Unit and the Green Papaya

I've had Regurgitator's Tu-Plang and Unit since when I was working in Sydney around 98/99. These albums are classics. I love their sound, and the lyrics are smart. They still get a regular listen, and that's not going to stop. In a twist, I saw recently on the Food Lover's Guide to Australia that Quan's mother established a Vietnamese restaurant in Brisbane called Green Papaya, and it has great reviews. It was Hanoi-born Lien Yeomans's dream come true - opening her own restaurant. At Brisbane's Green Papaya she cooks dishes from North Vietnam. She says she has her rock star son Quan to thank for her fame (he’s with the band Regurgitator) but we think it’s her recipes, each one linked to a personal story from her incredible life.

So next time I'm in Brisbane...


View Larger Map

Calendar

Day to day, our time is marked by weeks, months and years. We take it for granted that no matter where you are on earth, you always know where you are in time. The calendar is such a routine concept that it takes a book like David Ewing Duncan's excellent and most engaging Calendar to make you stop and think. A 7-day week is completely arbitrary for instance, apparently originating circa 700 BC in Babylon, and probably influenced by the seven known planets (at the time). Months are confusion personified. Inspired by the lunar cycle, one is left with the dilemma of trying to fit the cycles within the solar year. The chart below (produced with the open source lcap program) is probably the easiest way to see how the lunar months drift in relation to the solar year. Some, like the Greek astronomer Metron, attempt to rationalise the relationship with great precision (the 19-year Metronic cycle has 7 years of 13 lunar months followed by 12 years of 12 lunar months. Even that is not completely accurate). To most calendarists however, months scarcely retained a notional relationship to the moon, becoming little more than convenient units of time upon which to hang the names of Gods and Emperors.

NB: the difficulty in tracking the moon also came up in relation to the challenge of measuring longitude. Accurate moon charts would have allowed mariners to determine their position even in the absence of accurate time-keeping devices. Predicting the moon's course in the end proved to be much more challenging than building a clock that could survive a nautical adventure and still keep good time. See Dava Sobel's Longitude.

The idea of the solar year - the complete cycle of the seasons from one solstice to the next - is fundamental to how we conceive the passage of time. But we don't often think about the difference between a sidereal year (time for the earth to complete one complete orbit of the sun), and the tropical year (time from one vernal [spring/March] equinox to the next). Or the fact that the year is so very slightly different if you measure between the June or December solstices or the September equinox. And then consider that the Earth is a huge object hurtling through space and subject to varying gravitational forces and other bumps and jitters.

Once you have boiled all this down, it seems a "day" is about the only fundamental unit of calendar time that makes sense. Everything else is just convention and approximation!

Considering the difficulty of measurement, and the many social, political and religious factors involved in common convention, it is quite extra-ordinary that we even have a universally accepted calendar today.

It is easy to forget just how recent a phenomenon this is, and how long its introduction was in the making.

The Gregorian calendar we use today was officially launched by Pope Gregory in 1582, but it wasn't introduced in Britain until 1752 with many countries not adopting it until the 20th century (for example, Russia in 1918 and Greece in 1924). Many quote Mao Zedong declaration of the People's Republic of China in October 1949, which included a point on the adoption of the Gregorian calendar, as the final triumph for a universal calendar (although many cultures still maintain parallel systems such as the Chinese lunar calendar). But do not forget that the flaws in Julius Ceasar's previous calendar had been know long before - the cause of much consternation at the Council at Nicaea in AD325 over the scheduling of Easter, and the subject of the monk Roger Bacon's most distressed entreaty to Pope Clement in 1266 to:

.. apply excellent remedies in this particular .. If then this glorious work should be performed in your Holiness' time, one of the greatest, best, and finest things ever attempted in the Church of God would be consummated.

All of this is of course the background to an epic tale that finds a thread through all peoples over all time.

Which is really the genius of David Duncan's work. He is a great explainer, and in telling the story of the calendar, he tells the story of much of human civilization. And where other "histories of the world" tend to struggle to fit a narrative thread across time and place, the story of the calendar provides Duncan with a perfect segue. The result is the most enjoyable, understandable and effective history lesson I have ever had.

If you have just the slightest interset in history or how the calendar came about as we know it, I couldn't recommend this book more highly.

Other interesting facts:

• In Britain, New Years Day was celebrated on March 25, the Feast of the Assumption, until it was changed to January 1 in 1752. There are over 30 definitions of New Year listed on wikipedia.


• Until the modern era of atomic clocks, the most accurate measurement of the year was by Abu Allah Mohammed Ibn Jabir al-Battani in AD 882 (22 seconds short). al-Battani's work came from the same period of Arab innovation that produced modern algebra and added "zero" to the nine Indian symbols that eventually became our familiar number system.

Calendar for December from a French Book of Hours, written around 1470:

Easter table, England, 1073:

Originally posted on Pratalife

Configuration Files - a pattern for windows batch scripts

It's a very common practice in perl and linux/unix shell scripting to use an external configuration file (.conf or .properties), keeping all the script's necessary settings organised tidily in one place. This makes it easier to configure in the first place (because you don't have to hunt through the whole script to find what needs tweaking, or which environment variables need to be set), and also makes maintenance of the script so much easier (because you don't need to reconfigure after installing an updated script).

For some reason though, this practice never seemed to get widely adopted in the Windows batch file world. Either Windows script-kiddies just never learned to think like a sysadmin, or we never expected the DOS shell to be capable enough! Or maybe we never bothered, because surely windows batch files should be extinct by now?

I guess the dominant approaches to configuring batch files on Windows are:

• Command line arguments [painful if you have too many, annoying if they are invariant for your setup, and may entice you to write a wrapper script just to save all the typing]


• Environment variables [can lead to pollution of your environment, but also not usually backed up along with your scripts]


• Good ol' "just edit the batch file and fill in the settings" approach

Well, it is possible to take advantage of the elegance of external configuration files. For some time I've been using a technique that I adapted from what I'd normally do with perl and bash scripts. I'm sure this was invented decades ago, but it surprises me that I haven't yet found a good example or tutorial on the net.

So I thought maybe time to polish up the "pattern" and share it here.

The Pattern

It's pretty simple! The flowchart on the right provides an overview.

To make this work with simple windows batch files, we use a configuration file that it itself a batch file (.bat or .cmd) and it is called from the main script. The configuration file would usually set a range of environment variables

A nice usability touch is that when the script is first executed (i.e. no configuration file present), it will generate a default configuration file, give the user some helpful instructions on how to edit the configuration file, and exit.

This makes your script "safe" for users who are liable to run it just to find out what it does(!).

But it also means that you can maintain the default configuration file structure - with as much built-in documentation as you like - inside the script itself (therefore only one file to maintain).

The Script Template

Here's a script template that includes the configuration file handling (also available for download here). As you can see, not rocket science!

If you have multiple scripts that all need to share a common configuration, you can extract the config file handling as a separate script and include (call) that from all the others. See the scriptTemplate.cmd and config.cmd in this kit of examples.

@echo off
REM $Id$

setlocal

echo Welcome to %0

REM Initialise the config flag [CONFIGSET] and config file [LOCALCONF]
REM You must name the config file .bat or .cmd to ensure Windows can execute it cleanly
set CONFIGSET=NO
set LOCALCONF=%~dp0conf\%~n0-%COMPUTERNAME%.cmd

REM ===============================================================
REM Configuration section
REM ---------------------------------------------------------------
if "%LOCALCONF%"=="" goto config_help
goto config_do


:config_help
echo This is a configuration help script
echo Call from another script with first parameter being the config file name
echo This script will set the variable CONFIGSET
echo CONFIGSET=NO in the case of error or undefined configuration
echo CONFIGSET=YES in the case where configuration has been successfully read
goto config_exit


:config_do
REM handle configuration file
IF EXIST %LOCALCONF% goto config_cont

REM generate default setting file
REM adapt this to you needs. Here are some samples
echo REM configuration file> %LOCALCONF%
echo set JAVA_HOME=C:\bin\jdk1.6.0_03>> %LOCALCONF%
echo set TMPFILE=c:\temp\mytemp.txt>> %LOCALCONF%
echo set SUBJECT=A subject line>> %LOCALCONF%
echo set DBUID=dbusername>> %LOCALCONF%
echo set DBPWD=dbpassword>> %LOCALCONF%

echo #
echo # Local configuration not yet set.
echo # A default configuration file (%LOCALCONF%) has been created.
echo # Review and edit this file, then run this process again.
echo #
goto config_exit


:config_cont
call %LOCALCONF%
set CONFIGSET=YES


:config_exit
if "%CONFIGSET%"=="YES" goto config_ok
echo Configuration is not set
goto exit
:config_ok
REM ---------------------------------------------------------------
REM Configuration section ends
REM ===============================================================


echo The main script starts from here.

echo The following configuration is set:
echo JAVA_HOME=%JAVA_HOME%
echo TMPFILE=%TMPFILE%
echo SUBJECT=%SUBJECT%
echo DBUID=%DBUID%
echo DBPWD=%DBPWD%


:exit
endlocal

Sample Output

Here's an example of running the script above. The first time through, no configuration file is detected, so it creates one and exits.

At that point, the user could edit the configuration file if necessary.

Subsequent runs pick up the settings in the configuration file.

D:\MyDocs>scriptWithConfigTemplate.cmd
#
# Local configuration not yet set.
# A default configuration file (scriptWithConfigTemplate-conf.bat) has been created.
# Review and edit this file, then run this process again.
#
Configuration is not set

D:\MyDocs>scriptWithConfigTemplate.cmd
The main script starts from here.
The following configuration is set:
JAVA_HOME=C:\bin\jdk1.6.0_03
TMPFILE=c:\temp\mytemp.txt
SUBJECT=A subject line
DBUID=dbusername
DBPWD=dbpassword

D:\MyDocs>

Complex ACL filters with OVD

Access Control Rules are a very important aspect to get right when setting up Oracle Virtual Directory. But at the same time, I guess they are probably the most complex configuration option, especially if you haven't had some hard core LDAP experience before.

In Using OVD Filtered Directories for LDAP Authentication, I talked about using ACLs to restrict access to certain parts of a directory: each Access Control Rule has a filter setting, which is an LDAP filter that specifies which directory entries the rule applies to.

However I also discovered that using complex (multiple term) Access Control Rule filters is a great way to kill the OVD server process.

NB:it bombs with a java.lang.NullPointerException, and it is necessary to go and manually remove the offending filter from the $OVD_HOME/conf/acls.os_xml file on the server before it will startup again.

Say, for example, you wanted to grant access to entries for the ITGroup and HR departments. In RFC 4515 LDAP search filter terms, we can write this simply as:

(|(departmentNumber=ITGroup)(departmentNumber=HR))

But as mentioned, this will kill your OVD server (OVD 10.1.4.0.1 build 06.07.19).

There is a simple work-around though, by reverting to simple set theory and write multiple rules. In other words, granting (|(departmentNumber=ITGroup)(departmentNumber=HR)) is equivalent to two rules applied in sequence:

• Grant: (departmentNumber=ITGroup)
• Grant: (departmentNumber=HR)

Innovation and Two Book Recommendations

There's a great quote in Chad Fowler's My Job Went to India which I just posted a quick review of: In business, ideas are dime a dozen. It's the blood, sweat, tears and money you pour into a product that make it really worth something. I'd extend that and link it to a later part of the book that focuses on Execution. To be successful, raw ability will get you only so far. The final stretch is populated by closers - people who finish things. As Theodore Levitt said: Creativity is thinking up new things. Innovation is doing new things. In other words, the key is doing. One of my pet subjects;-) I can come up with a million creative ideas, but without follow-through, its all just a bit of mental fun. An excellent companion read is Scott Berkun's The Myths of Innovation. Get them both on your bookshelf! The sooner, the better.

My Job Went to India (and all I got was this lousy book)

The title may be provocative, and immediately engender some strong reactions, but having just read My Job Went to Indiaby Chad Fowler, I'd strongly recommend you get past the emotions and read this book now! It is actually a very sensitive and insightful treatment of career pressures of the modern age, and how to respond positively. Although primarily targetted at a those working in the software industry, the book is a great career coach for any white-collar information worker. The book contains 52 very well-written pieces of advice, all introduced with some fascinating personal introspection. Get it on your bookshelf! The sooner, the better.

A380 - how to spend €billions and still get simple things wrong

lancerlord@tomorrow.sg picks up on a Telegraph article asking "why are there still ashtrays in the Airbus A380?"

Good question, but not the only example of seemingly stupid "missed opportunities" to innovate in the A380.

One of the first I noticed was the new positioning of the inflight entertainment controller in the seat back. At first it seems perfect, since it avoids the accidental activation which is a real problem when the controller is built into the armrest (which is the case in most other cabin fitouts I've seen).

But then consider the way it is oriented - mounted on the side. This results in a classic failure to "get the mappings right" (one of Norman's design rules in "The Psychology of Everyday Things"). If you use the controller without removing it from its holder (which turns out to be a very handy usage), then you need to transpose the controls 90°. Up means right, down means left etc. Ironically, when the controller is mounted in the armrest, the horizontal layout tends to "get the mappings right" if you use it in-situ because of the way the hand is positioned.


It could have been so perfect if the controller designers were collaborating with the seat designers, with a clear focus on usability. The controller could be mounted vertically, or redesigned for a side-side layout.

As it is, a missed opportunity to produce the very best design. And a very, very minor usability problem is one of my lasting impressions of my first A380 flight, overshadowing all the billions of euros invested in the plane.

What else? Well, I'm surprised they persist in using the special 2-prong audio jack. I'm sure there's some weird logic about discouraging passengers from nicking the headsets (even though policing headset issue and collection still seems to rate as one of the cabin staffs' most important duties!)

But as I look around the cabin more and more people are using their own earphones. The ones that aren't probably forget to bring the special adapter. For planes like the A380 starting their service life in the 21st century, I'd expect it would be the norm for most air travellers to be carry a headset of some description, and it would make sense for cabin designers to take advantage of the fact and use standard audio sockets, and provide headsets "by exception". Win-win: passengers get to use their own familiar headsets without needing an adapter, and cabin crew get to save time for more important things.

See, I can get cranky about the smallest details;-)

Expect users to be just as critical, nitpicking and cranky about the software we give them! And rightly so... it doesn't really matter how much time and money has been invested if you don't get the simple things right.

Earthcore & Infected

Scott Sigler has the book launch of Infected coming up on 1-Apr. No joke, you can pre-order on Amazon already. ..a cinematic, relentlessly paced novel that mixes and matches genres, combining horror, technothriller, and suspense.. Sigler's been one of the stars of the free podcast-audiobook scene, and its great to see him on the mainstream bookshelves. In fact, you can still get Infected as a podcast download here at podiobooks. Sigler reads his own works, and he's got the voice for it too. See the Infected promo page at podiobooks for more info. Earthcore was the first Sigler novel I came across, also highly recommended. I found it some time ago, before I started blogging about books actually, which is why you are only seeing a post about it now. I listened to Earthcore as a podcast available here at podiobooks. In fact I think it was my very first podiobook download, and got me hooked on the whole podiobooks idea (from which I've since discovered other great authors like Terry Fallis and Nathan Lowell). These authors are all making podcast versions of their works freely available. It is a fantastic way to discover new authors and enjoy their books in audio. They deserve our support if you like what they do. Podiobooks takes donations directly. And for authors like Sigler we can buy their books in print too! Infected: at Amazon Infected: at podiobooks Earthcore: at Amazon Earthcore: at podiobooks

Originally posted on It's a Prata Life

Got a License to Operate Your Brain?

Geoffrey Grosenbach took a diversion on the Ruby on Rails podcast recently, with a fascinating two-part interview with John Medina (part 1, part 2). Medina is a very engaging speaker, with some controversial but well researched ideas on how the brain works, and why so many of our social conventions in school and the workplace actually conspire against optimal brain performance. I gather its a discussion of many of the ideas from his book Brain Rules. Well worth a listen.

Clear Timezones and jQuery

Choon Keat recently posted a great little web tool to help simple scheduling across timezones.

Makes it really easy to have a quick look at how times line-up around the world. For example, I've saved this link to see Vancouver (my sister), Melbourne/Sydney (most of the rest of the family) and Singapore (me) all in one go.

It's done in pure Javascript, and is a good example of jQuery in action if you care to look;-)

See also: timeanddate.com for encyclopaedic coverage of everything related to times and dates.