afongen

Quick links:

• Eric Meyer argues cogently for gay marriage, addressing criticisms of his earlier lament. From there, links to interesting things like The Economist’s take on the matter. I love the first line from that essay: “SO AT last it is official: George Bush is in favour of unequal rights, big-government intrusiveness and federal power rather than devolution to the states.” I do not understand how it is that those who advocate smaller, less intrusive federal government fail to see that George Bush’s policies are often antithetical to that objective.
• The Homosexual Agenda. Well, now we know.
• How to Respond to Conservatives.
• Paul Krugman in the New York Times: There is no Social Security Crisis. (via)
• Some colleagues have started using Password Safe, a secure database for passwords. I tried it a while back, but because it’s Windows-only it turned out to be far less useful to me than a PGP-encrypted file. Still, worth noting.
• The Committee to Save Merry Christmas, boycotting Macy’s and Federated department stores because they don’t post signs saying “Merry Christmas.” What a fucking ridiculous waste of time.
• Accessibility: On a shoestring.
• Accessible & usable forms.
• Common symbols, with numeric and symbolic HTML character entities, for when you can’t quite remember how to encode an em dash (—), curly quotes (“ and ”) or euro (€).
• John Lim’s list of tools for building Rich Internet Applications.
• Jon Udell looks at streaming with Quicktime and Helix. I’d never even heard of the Darwin Streaming Server.
• I keep having to dig up this link to I put it here: Douglas Bowman’s presentation, Pushing Your Limits.
• Java web framework comparison.
• Session Replication in Tomcat 5 Clusters.
• Peter Merholz, Organization in the Way: How Decentralization Hobbles the User Experience:
  

  What we have seen is that small, multidisciplinary teams create the best products.

  These teams eschew departmental hand-offs and reviews. Instead, product managers, marketers, designers, engineers, and user advocates work closely on a single project. In order to succeed, it’s essential that, in this collaborative mold, the different parties are no longer bound to their departments’ distinct measures of success, but share a common goal.

  UCD can’t work as a silo department — it must be a company-wide approach. Instead of hiring UCD specialists, develop multidisciplinary teams in which every member is familiar with UCD principles.

• PureJPEG, a Win32 command line utility for filtering out unnecessary drek from JPEGs and reducing file size.

With all the hullaballoo about Firefox, you may have missed that Thunderbird 1.0 has also been released. I haven’t tried Thunderbird for a long time, might just give it another go.

OK, this is just too damn cool: “Scientists said on Monday they have come up with a cell phone cover that will grow into a sunflower when thrown away.”

Materials company Pvaxx Research & Development, at the request of U.S.-based mobile phone maker Motorola (MOT.N), has come up with a polymer that looks like any other plastic, but which degrades into soil when discarded.

Researchers at the University of Warwick in Britain then helped to develop a phone cover that contains a sunflower seed, which will feed on the nitrates that are formed when the polyvinylalcohol polymer cover turns to waste.

We took Owen to the Jackson Street Roundhouse on Saturday, a cool little railroad museum not far from downtown Saint Paul. Funny how after years of living in Saint Paul, I had no idea that it existed. Not that I would have been terribly interested before I had a kid to take there. They have a number of restored / preserved railroad cars on display, an impressive Lego rail village, a number of wooden train sets set up, caboose rides … lots of fun. Last Saturday and next they’ve got some Christmas activities, which is what drew us there. Owen’s really into trains, so he was in heaven.

Tip: the caboose ride is cool, but if it’s busy enough for them to add a passenger car, ride in that. You can’t see much from the caboose unless you’re lucky enough to snag a spot in the upper level.

The Vulcans stopped by while we were there, spreading the warmth and handing out buttons & coloring books. I believe that next Saturday the Winter Carnival royalty will be there around noon.

While there, we passed Santa a couple times. He beckoned to Owen, who by now knows who Santa is but wasn’t willing to just rush up to him. After a while, he warmed up to the idea and sat on Santa’s lap while Kiara took a picture. I think how we’re handling the Santa thing is just deal with it matter-of-factly, sharing stories and songs, taking advantage of the happy merging of fantasy and reality that kids at this age are blessed with. We’ll see how far that takes us. :)

We don’t see many movies in the theater anymore, but we’re sure as hell going to see House of Flying Daggers. Zhang Ziyi? Andy Lau? Takeshi Kaneshiro? (we named our cat after him) Directed by Zhang Yimou, who brought us Hero?

Wow. I don’t think we have a choice in the matter.

On a related Hong Kong film note, the original Infernal Affairs is at the Oak Street Cinema this week. Not that you’re likely to care unless you live here.

Kiara and I are sitting on the couch, drinking tea. Every now and then I hold a small bag in her direction.

“Jelly Baby?”

• Bill Breen in Fast Company: The 6 Myths Of Creativity.
• Leslie Michael Orchard: Next generation web apps using REST, XML, XSLT, and XmlHTTPRequest. The same sort of thing that I’m starting to play with, although I haven’t brought XSLT into the mix yet.
• Integrating Macromedia Flex with Java, a good introduction to Flex.
• Laszlo, open source Rich Internet Applications.
• How to Create a REST Protocol. Another introductory article. More on this later.
• Project Looking Glass: Its Architecture and a Sneak Preview of the API.
• Optimizing JavaScript for Execution Speed.
• Optimizing JavaScript for Download Speed.
• Chris Shiflett: PHP Testing using mod_perl and Apache-Test. How very, very cool.
• That reminds me: Chris’s PHP Security Workbook (PDF), the most comprehensive guide to PHP security that I know of. Also see his talk on PHP Session Security.
• Macromedia Flash Video.
• Plugging the RSS Usability Hole. It’s been sitting in my “make note of this” pile for too long.
• Interface Laundry. “Show respect to the elements that really matter by eliminating the ones that don’t.”
• Oracle’s PHP pages, with articles by people you might recognize. Did you know that Oracle’s application server ships with PHP? With backing like this, I think there’s real hope for using PHP in conjuction with Java.
• Delicious Library. Finally, a reason to buy an iSight.

“Minnesota State Colleges and Universities chancellor named to higher education post”.

Is the chancellor of the state higher education system not by definition in a higher education post? What’s he been doing all this time?

The press release explains that the chancellor “has been elected by his colleagues in the Midwest United States as Chair of the Midwestern Higher Education Compact.” Oh, okay. I get it. Sigh. Why not a headline like “MNSCU Chancellor Named Chair of Midwestern Higher Education Compact”? Is there some rule in PR that you shouldn’t write headlines that say what you mean?

Nevertheless, cool. I think the Chancellor’s been doing a good job of getting involved in things like this. Since part of his role is to raise the profile of the MNSCU system, it’s not only good for his personal, professional reputation, it means he’s doing his job well. Hopefully you know me well enough to know that I’m not sucking up, people. I don’t do that.

One of the problems in writing secure software is that security is too infrequently considered as part of the requirements or design phase, while of course it needs to be planned throughout the software development process. I have never worked on a project in which there were clearly documented security requirements. Security ends up being part of the process, but only because I’m a bit of a freak about these things. The danger is, of course, just what you always hear: that security is considered so late in the process that it entails a re-architecting and missed deadlines. If deadlines cannot slip and security is an afterthought … well, the problem with that should be obvious.

Off the top of my head, a few ways that identifying security requirements can help:

• Identify vulnerabilities in standard security mechanisms (e.g. an authorized user can still do Bad Things).
• With clear requirements, developers can implement consistent, centralized approaches to security. If developers just have to make their best guess as to what it means to be secure, you’ll end up with 1) widely varied practices because everyone’s off doing their own thing, and 2) inconsistent quality because, frankly, some developers don’t know how to think through security issues. Even if they do, they may be too close to the code to consider its assumptions objectively.
• Staff development: as mentioned, too many developers are ignorant of secure programming techniques and possible attack vectors. Addressing security early may force the issue.
• Raise awareness of security concerns among users / customers.
• Ensure that requirements for a given project are consistent with policies, requirements, implementations already in use.
• Notice how I slid the dreadful word “policy” in there? I believe that security design and implementation should flow from — or at least be traceable to — up-to-date security policy that sets a clear and reasonable direction. By identifying where requirements may be out of sync with policy, we can ensure that policy remain current and meaningful (assuming that policy is flexible and responsive :-).
• And of course, assure that security is addressed throughout development.

Lately I’ve been knocking around the idea of misuse cases as a way to elicit security requirements. I was introduced to the concept by a series of articles by Gunnar Peterson outlining a secure development process (PDF: parts one, two, three). You may already be familiar with use cases, a technique for identifying and describing functional requirements of a system, what the software should do. Misuse cases describe what a system should not do. For each feature or use case, a development team explores how that feature could be deliberately abused or misused, and from these explorations develop misuse cases and security requirements.

Here’s a basic use case diagram; a misuse case is identified with inverted colors:

In this basic diagram, I started with a use case, “Add Comment.” An obvious (and frustrating) abuse of the system is comment spam. This prompted the creation of two new use cases, “Moderate Comments” and “Run IP Blacklist,” to prevent the Add Comment Spam misuse case. Already, just by identifying potential misuses of a system, we’ve built out the requirements to make the system more sound.

Granted, this is neither the best example of a use case nor of a security concern that I could have come up with, but you get the idea.

The heart of a use case is not the diagram, but the textual description. Guttern Sindre and Andreas L. Opdahl, among the first to formally describe misuse cases, suggest a template (PDF) adapted from popular use case formats. It’s worth reviewing.

Here’s the problem, though: I am wary of creating excessive documentation and worry that misuse cases could be taken too far without improving security. Of course, any documentation can be carried to an extreme and prevent actual development getting done. If a project calls for use cases, then I think that misuse cases can help identify security requirements early in the development process and keep them there throughout. I think I’ll hang onto the idea.

The 2004 Perl Advent Calendar is available, starting with the DateTime module. I am often bothered with how difficult it can still be to work with dates and times. DateTime makes it more than tolerable.

I just stumbled again into Apocalypse 12, dealing with objects in Perl 6. I’ve stayed away from recent apocalypses because they require understanding everything that’s come before and I don’t have the time to invest in digesting them — especially as I don’t do much Perl programming right now. I’m still tempted to read Perl 6 and Parrot Essentials but reluctantly put that off, too. Someday…

In the meantime, I content myself with the bite-sized snippets of Perl goodness at the Perl Advent Calendar. What a way to celebrate the season!