
August 2004 Archives

August 2, 2004

Script This

Given all the security problems associated with ActiveX/javascript/etc., I have to wonder about a couple of things (insert disclaimer here). First, isn't there a fiduciary responsibility to disable these technologies? That is, if you are a trustee and responsible for information technology and you choose not to mitigate or eliminate these technologies can't you be held personally responsible for any financial losses the company suffers as a result of your action/inaction? I'm no lawyer but I have to wonder.

Secondly, whether there is a responsibility or not, why would you want to use javascript when there are alternatives that work in all browsers but don't open security holes? For example, I got an invitation from Dell recently asking me to participate in a survey to help them redesign their support web site. OK, I'm willing to spend a few minutes to help improve their support site since I use it once in a while.

So I fill out the online survey and hit the submit button. But nothing happens. I click on the button several times before I notice the submit button was written using javascript code. Hmmm. Since javascript is a common way to inject viruses/Trojan horses/etc. onto your computer, I've long since disabled it. In fact, most of what Microsoft considers to be features turn out to be security holes so I don't use their outdated browser anymore (see this article from Brian Livingston here on why). As an aside, I decided to complain to Dell about the use of javascript but their comments page also uses a javascript submit button. Sigh.

But even if I didn't use a different browser, why use javascript to submit a form when you could use post or get? Neither post nor get opens the user to any security threats (AFAIK). Nada. None. Zip. What advantage to the user is there to using a javascript submit button? Again, nada, none, zip.

So why use it when that is the only javascript on the page? All you are doing is keeping all users who are security conscious from using your site. Is this a good thing? Is there a competitive advantage to barring people from using your site? If so, what advantage is that? Wouldn't a site written to the widest standards have an advantage over those written specifically to Microsoft's standards?

Aloha!

August 3, 2004

Mail Call

From: Sjon Svenson
Subject: daynote
Date: Tue, 03 Aug 2004 00:33:26 -0700 (PDT)

Script this

One advantage of JavaScript (or VBS or...) is that it runs on the local machine. That means it's fast (users running under-utilised multi-gigahertz boxes while your poor overtaxed server is overheating). If, for example, you make a form and want the user to enter a time and date you can check that on the page. Without browser-wide scripting the whole form has to make a round trip to the server. Without the script the page may be smaller but it has to pass back and forth. So what you gain in bandwidth with smaller code you lose on roundtrips (unless the user makes no errors...). So the gain/loss is not in bandwidth but in execution speed and connection latencies. The difference is negligible unless you hang on with an old PSTN modem to a flakey line.

-- Kind regards,
Sjon Svenson


From: Jon Barrett
Subject: Javascript vs. Post/Get
Date: Tue, 3 Aug 2004 08:24:48 -0400

"But even if I didn't use a different browser, why use javascript to submit a form when you could use post or get? Neither post nor get opens the user to any security threats (AFAIK). Nada. None. Zip. What advantage to the user is there to using javascript submit button? Again, nada, none, zip."

OTOH, many website attacks rely on buffer overflow in POST or GET. Using javascript allows the website owner to perform post-processing and data validation on the local PC rather than on their own server. Thus it provides the site owner with improved security.

Jon

Jon Barrett
Kensington, MD

Aloha!

Enough is Enough

I thought my post on javascript might get a reaction out of some of my visitors. But I still stand by my statements: Javascript is being used when there are alternatives available. You don't need to use javascript to create a submit button, or a link to the next page, or link to an image. While there may be some advantage to the web site creator to use javascript, the security disadvantages to the user, in my opinion, outweigh the benefits.

Javascript is a security hole waiting to be exploited so why trade safety of the server against the safety of your customers? Why not secure the scripting engine on the server rather than trying to secure thousands of desktop PCs?

Does javascript serve a purpose? Yes. But then, so does ActiveX or .Net or .ASP. Does that mean I have any of these (mostly) client-side technologies enabled on my PC? Nope. I don't have any figures on how many people have secured their desktops but I would think it is a growing number as more and more people realize the security implications of these features. Each one of these security conscious people is a lost customer. Are things so regulated that you can dismiss these customers?

There are those who say we shouldn't throw the baby out with the bath water. That is, over time, these security exploits will be found and written around. Perhaps. You could say if you have server-side Perl or PHP running there are exploits possible but, over time, most have been closed. Which would be true. But these typically exist on the server, not the desktop and the duty to fix it is with the writer of the script, not the user.

Which brings me to my last point. I talked earlier about fiduciary responsibilities. While I am not a lawyer, I would think forcing someone to open themselves to security exploits, in order to use their service, opens the service provider to liability to ensure that doing so does not result in a loss (economic or otherwise). I can see the lawyers salivating at the lawsuits now...[Why do you think many sites have "warranties" that warrant nothing? These warranties are actually disclaimers saying the sites know nothing, see nothing, and do nothing. My reaction to these sites is to TURN THE DAMNED SCRIPTING OFF.].

Deciding what security exploits are important enough to disable client-side scripting is up to you. Only you can decide the costs and the benefits. But I've decided that just because someone wants to use javascript to create a submit button on a form doesn't mean I'm going to open my desktop to the exploit of the week. Enough is enough.

Cleaning House

While many people think lawyers protect their own, at least you can go to the Hawai'i State Bar Association and see which ones have been disbarred, suspended, or resigned in lieu of disciplinary action (see the listing here).

But try as I might, I couldn't find anything similar for medical doctors. While some states have public information on their doctors, apparently Hawaii is not one of them.

Moreover, of the approximately 20 occupations that require licensing in Hawai'i, I couldn't find one link to a listing of those that had been disciplined.

I can't see any particular reason why these other professions are apparently protected by the state while their customers are potentially harmed by these people.

Hawaii State Bar Association
Members not currently eligible to practice in Hawaii State courts.

Status (as of 12 June 2004)                 Number        %
Suspended by CSEA                                1     0.0%
Foreign Law Consultant                           5     0.1%
Inactive - Mental Incapacity                     6     0.2%
Affiliate Member                                22     0.6%
Resigned by their own request                   24     0.6%
Resigned in lieu of disciplinary action         31     0.8%
Disbarred                                       33     0.9%
Law Student                                     36     1.0%
Suspended by ODC                                81     2.2%
Missing                                         82     2.2%
Deceased                                       503    13.5%
Suspended: non-payment of dues                 547    14.7%
Inactive                                     2,356    63.2%
Grand Total                                  3,727   100.0%

August 4, 2004

Mail Call

Date: Wed, 4 Aug 2004 13:11:42 +0100 (BST)
From: Phil Hough
Subject: Scripting

While it's true that scripting is inherently a problem, both from the security standpoint and the compatibility standpoint, I think you're overreacting a little.

While it's pretty straight forward to craft a website that uses only server-side code (heck... I've written a good few), and that site then is inherently more secure (and compatible), at the end of the day it's the users that want more.

From my experience I tend to find that Javascript is essential to add "usability" polish. There are some things you just can't do with server-side scripts, that users want, or in my case demand.

Let's take an example of a form. The customer wants the form to be checked on submission and if the user hasn't filled a certain part out, for the submission to be cancelled.

To do this in Javascript you catch the onsubmit event, pop up an alert and return false. A couple of lines of code, and the user is able to quickly modify and resubmit.

To do this server side, the submission must be made, any data that passes validation saved, and the user then returned to the previous page, with their data in place. You can't do a popup at this point, so you must display the message prominently. And to do this you've added lots and lots of extra code. You've also slowed and made less obvious the whole process.

A brilliant example though is date selection. On the sites I've worked with we've got two date widgets. One a small pop-up window with a current month calendar, click the day and the form field gets filled in with that date. The other is a date field with today's date in, which has an arrow either side. Click to increase or decrease the date.

You simply can't do that anywhere near as well with ASP. At the very least you'd end up keep submitting the page every single click. Not good for the user experience at all.

So I'd suggest that while Javascript isn't essential, it certainly leads to a much nicer user experience, and possibly a less complicated set of code as a result.

ATB.

Phil

Date: Wed, 04 Aug 2004 06:35:08 -1000
From: Dan Seto
To: Phil Hough
Subject: Re: Scripting

While all of that is true, I think the situation you describe is not what I had. Dell was asking for information from me as opposed to me wanting something from them. Hence, if they want my input, they should make it easy and safe for me to do so.

As far as checking the form, I don't particularly care if the survey is complete or not. If I wanted to, I could leave it all blank and it wouldn't make any difference to me. In fact, if they did checking and bounced me back into the survey to answer all the questions I would probably just shut down the browser and move on.

So, I think the user experience depends on who wants what from whom. Since Dell wanted me to tell them what their business should be, they had better make it easy and safe for me to do so or I won't come out and play. [g]

Date: Wed, 4 Aug 2004 18:16:38 +0100 (BST)
From: Phil Hough
Subject: Re: Scripting

So what we're boiling down to is that the use of such tools is very much dependent on the task which is being carried out. Right tool for the job and all.

And to that, and your example, I don't disagree :)

ATB.

Phil
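
The form check discussed in this exchange, as an added example that is not part of the original e-mails or of any site mentioned here: a plain POST form that still submits with scripting turned off, the onsubmit check as an optional extra, and the same rules applied again on the server for every request. The field names, the /survey action and the function names are hypothetical.

```javascript
// Added example, not code from the original post. Field names and the
// /survey action are hypothetical.

// The page itself: an ordinary POST form with a real submit button, so it
// works with scripting disabled. The script only adds a convenience check.
const FORM_HTML = `<form id="survey" method="post" action="/survey">
  <input name="name" maxlength="80">
  <input name="visit_date" placeholder="YYYY-MM-DD">
  <textarea name="comments"></textarea>
  <input type="submit" value="Send">
</form>`;

// One rule set, shared by the browser check and the server check.
const RULES = {
  name: { required: true, max: 80 },
  visit_date: { required: true, max: 10, check: isRealDate },
  comments: { required: false, max: 2000 },
};

// True only for a YYYY-MM-DD string that names a real calendar day.
function isRealDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text);
  if (!m) return false;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const t = new Date(Date.UTC(y, mo - 1, d));
  return t.getUTCFullYear() === y && t.getUTCMonth() === mo - 1 &&
    t.getUTCDate() === d;
}

// Returns { fieldName: message } for every rule that fails; {} means valid.
function validateSurvey(fields) {
  const errors = {};
  for (const [key, rule] of Object.entries(RULES)) {
    const value = typeof fields[key] === "string" ? fields[key].trim() : "";
    if (value === "") {
      if (rule.required) errors[key] = "required";
    } else if (value.length > rule.max) {
      errors[key] = "too long";
    } else if (rule.check && !rule.check(value)) {
      errors[key] = "invalid";
    }
  }
  return errors;
}

// Browser side: the onsubmit check. Returning false cancels the submission;
// returning true lets the normal POST go ahead.
function attachClientCheck(form, notify) {
  form.onsubmit = function () {
    const fields = {};
    for (const key of Object.keys(RULES)) fields[key] = form.elements[key].value;
    const bad = Object.keys(validateSurvey(fields));
    if (bad.length === 0) return true;
    notify("Please check: " + bad.join(", "));
    return false;
  };
}
// Only runs in a browser that has scripting enabled and the form on the page.
if (typeof document !== "undefined" && document.getElementById("survey")) {
  attachClientCheck(document.getElementById("survey"), (msg) => alert(msg));
}

// Escape a value before writing it back into the re-displayed form.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Server side: runs on every POST whether or not the browser check ran,
// because a request can arrive without the page's script ever having run.
function handlePost(body) {
  const params = new URLSearchParams(body);
  const fields = {};
  for (const key of Object.keys(RULES)) fields[key] = params.get(key) || "";
  const errors = validateSurvey(fields);
  if (Object.keys(errors).length > 0) {
    // Send the user back to the form with their data in place (escaped).
    const values = {};
    for (const key of Object.keys(fields)) values[key] = escapeHtml(fields[key]);
    return { status: 400, errors, values };
  }
  return { status: 303, errors, values: {} }; // accepted: redirect to a thank-you page
}
```
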


From: John P. Dominik
Subject: Javascript, etc.
Date: Tue, 3 Aug 2004 13:28:24 -0500

Well, color me a box in the "here here" column. I've disabled all of that stuff, or required it to ask. I routinely check cookies, and reject those that don't expire until next year - or thirty years from now. Like I'll still be using the same computer/browser that long.

ActiveX and other technologies are cool - the problem is, as with any tool, the more powerful you make it, the more responsible the user needs to be. And a very powerful tool with skript kiddiez around is a bad idea. For a time I managed to secure at least my own work machine by using IE only for internal work, and Netscape for external sites - but that didn't last long.

Oh well. My $0.02 - in Hawai'ian currency. ;-)

---
John Dominik
http://john.clandominik.com/current.html

Aloha!

August 5, 2004

On Point

With the release to manufacturing yesterday (RTM) [update: now delayed again! No word on the release date.] of Microsoft's Service Pack 2 for Windows XP comes this good review of just what the fuss is all about. Of course, most of my 11 irregular readers have already downloaded the various release candidates and already know. But for those drive-by visitors who haven't, take a look. Note that the site has a sidebar that says you can start downloading the gold code today but as of this writing I have found no evidence to support this statement [update: the RTM has been delayed again due to problems identified at the last minute. When the problems are solved, you will be able to download it from the site below].

For those of you who develop or maintain web sites that use ActiveX components you may want to take a look at this Microsoft article on how to modify the site to work with the changes in SP2. You could also check out a site MS created that includes Resources for IT Professionals as it relates to SP2 [This is the site mentioned in the review above that says you can download the gold code today. This site used to have links to the various release candidates but as of this writing, does not have a link to the gold code. However, from what I understand, when the problems mentioned above are resolved, the site will have a link to the code].

By the way, there is also a SP1 for Office 2003 (Office update site here). It includes the regular bug fixes and security patches but also what is being described as substantial changes to Infopath and OneNote. I don't have either installed so I can't say but if you do, you may want to check it out.

Aloha!

What's the Point?

There are a couple of point releases to Mozilla's Firefox browser and Thunderbird email programs. Both updates apparently address security concerns. Be aware that the first release of the Firefox update has/had an install bug (I guess depending on which direction you are facing, it says it's installing .2 when it's actually .3 and if you check the Add/Remove programs from Control Panel it will identify it as .3, unless of course, you actually get the .2 release, which will then say .2. If you really want to be sure which version you are getting you can follow this FTP link here). By the time you hit their site they will probably/hopefully have fixed it.

August 6, 2004

In an Instant

At the height that the lonely plane was flying at, the weather was extremely cold but clear. So clear that the intense morning sun glinting off of the windows as the plane made its final turn towards its destination would have temporarily blinded anyone seeing the reflection. Still, the aircraft successfully aligned with the city far below as the bomb bay doors trundled open exposing the lone bomb tucked within.

At the appointed place and time, the bomb was released and quickly picked up speed as it fell towards its target. When it reached its designed altitude above the city a perfectly shaped spherical charge exploded compressing the radioactive material within causing it to reach critical mass. In that instant, at 8:15, on the morning of August 6, 1945, a burning flash of light filled the sky as the Japanese city of Hiroshima was engulfed in a pressure wave never before experienced by any city on this planet.

The pressure wave at ground zero moved at almost a 1,000 miles per hour. Even after it had traveled a mile away it was still moving at almost 200 miles per hour. What wasn't destroyed by the pressure wave was burned by the heat. At ground zero, the temperature rose to 7,000F. Stone melted and sand became glass. Within hours, gamma and neutron radiation killed those who survived the pressure and the heat.

Let us remember what happened that day, the lives that were ended, and pray that we never have to see such a flash of light again.

Have a Great Weekend Everyone - Aloha!

August 9, 2004

What's What?

So, the IT professional version of Windows XP SP2 is finally out (see the page here). Microsoft says this version is for installing to multiple computers and that if you only have one PC to update you should wait for it to hit the Windows Update site (around August 25th according to the rumors) since there will be a more compact version available then.

Note that the network version of the download is over 270MBs. That's right, over Two_Hundred_Seventy_MBs. Even with our VeryFatPipe at work it took a little over three minutes to download this file. Those with slower connections should really think about waiting until it's available through the Windows Update. You Have Been Warned.


Late Update

Installing SP2 took almost 20 minutes on my Dell 2.6GHz Pentium 4. At about the 15 minute mark things look like nothing much is happening but eventually it completed. Once you reboot and Windows comes up you _MUST_ choose either to enable the firewall now or enable it later (choose one of the radio buttons "Help protect my PC..." or "Not right now.").

Once Windows finished booting I noticed the Novell Netware login script failed to execute. Thus, none of my Novell network resources (shared drives and email via Lotus Notes) were available. Major Bother. I could live without the shared drives but I cannot get by without our internal email.

So I went to Microsoft to search in the Knowledge Base for anything but was not successful. From there I went over to the Novell site and searched. Eureka! I found a new Netware Client 4.9SP2. This is a 20MB download but was not a problem for our network. After installing and rebooting all is well. It would be nice if MS would acknowledge that Netware has a problem with SP2 (assuming here it hasn't).

In any case, I've also found that the MS firewall has failed to enable. Perhaps it's because I already have ZoneAlarm installed and running but I don't know for sure. All I know is I've tried enabling the MS firewall three times and each time I get no error message but I also don't see it enabled. I guess I'll have to check into this further but since I already have a firewall installed this is not a high priority.

Aloha!

Say What?

ABC News is reporting an American Bar Association survey that found, among other things:

  1. Three in four people would prefer that their cases be decided by juries instead of judges.

  2. About half believe jurors are treated well by courts.

  3. Nearly 60 percent look forward to jury service.

While this is great, if true, I wonder why it's so hard to get people to show up for jury selection? The article goes on to name a few of the problems like the cost and shabby conditions but I think they leave out the most important problems: 1. Waiting for hours at a time before getting chosen and more importantly; 2. Waiting for hours at a time only to be told to go home.

I say the second problem is more important because no one wants to waste hours waiting around only to be told they're not needed. I have seen studies that indicate people who actually serve have a much higher opinion of the process. From that I draw the conclusion that once you see what the process is and what it's for, you come away with a deep appreciation of how important it is to serve as a juror.

On the other hand, waiting around and then going home is just a waste of time. Hence, the problem, as I see it, is to call only as many jurors as needed for a trial and to keep lawyers from sending people home without reason.

August 10, 2004

Silly Season II

I mentioned in an earlier post how the silly season had begun. I warned that lies, damned lies, and statistics would go flying about and that the first casualty of this war of words would be the truth. So you should not be surprised by certain Republican partisans who are trying to shoot holes in the military service of presidential candidate John Kerry. I won't repeat their lies but I wouldn't be surprised if they try to say Kerry never served in Vietnam. That it was all a Left Wing conspiracy and the photos were faked using the movie sound stage next door to the one used to fake the moon landing.

It is a sorry state of affairs in which this is the level of the debate. To me, the bottom line is did either Senator Kerry or President Bush serve in Vietnam? If Kerry did and Bush didn't then let's leave it at that and move on to more important issues like how to pay for the war in Afghanistan/Iraq.

This sordid story reminds me of the Nixon years in which he recruited a team of supporters who, under direction of the President, burglarized offices, illegally tapped phones, spread lies about his opponent, and did just about anything they could to win the election. What is it about some misguided Republicans that they become so virulent and believe the ends justify any means?

In other political news, some right leaning pundits are predicting a landslide victory for Bush in November. As I've said before, the only way that will happen is if there is a terrorist attack just before the elections. Otherwise, our nation is so evenly divided that whoever wins will do so by a very small margin. In fact, it is entirely possible that we could have a replay of the last election in which the person who wins the popular vote loses to the person who wins the Electoral College. In fact, one recent poll I heard of says President Bush is presently ahead in Electoral College votes but behind in the popular vote.

Whoever wins in November will have to figure out how to unite a very divided country.

Aloha!

Windows SP2, II

I had an update to my post on Microsoft Windows XP SP2 yesterday so take a look if you didn't see it. As a follow-up to that I've now installed the update on three PCs. The first, as noted earlier was my Dell OptiPlex 260 at work. I followed that with my Dell Inspiron 1150 laptop, and then my main PC at home (which is a whitebox PC). All installed successfully except for the last one.

My main PC at home has an Intel 815-based motherboard, Intel Pentium III 933MHz CPU, Plextor CD burner, Maxtor hard drive, and 512MB of Kingston RAM. When I tried to install SP2, the install stopped at the point of installing MovieMaker 2 (don't ask me why it installs that since I don't use nor want it but you have little or no control over what gets installed). I let it sit there for two hours just in case it would start up again but no joy. So I ended up doing a hardware reset.

The PC rebooted Windows and came up with an error message saying the system was in an unstable state (no sh*t, Keemo Sahbee) and to remove SP2. So I went into Control Panel, Add/Remove Programs, and started the process to remove SP2. Note that you may get a couple of dire warnings saying removing SP2 will cause everything, including the NTKernel to stop working. Ignore the warnings and continue on. Once SP2 was removed and the system rebooted I tried installing SP2 again. This time it worked. I don't know why it got hung up the first time but all seems well now.

Having now seen what gets installed I'm sorry to say I'm underwhelmed. I downloaded over 270MBs for what? I don't use Internet Explorer so it doesn't matter to me if it's allegedly a little safer to use. I don't use MovieMaker. I already have a firewall (ZoneAlarm at work and Sygate at home on the laptop). I don't use Outlook or Outlook Express so I don't care if it's less of a security hole than before. I dunno. Maybe recompiling everything with most buffer overruns cleared out is worth it. Assuming here that they got all of them (which time will tell).

Anyway, if you support PCs for a living, I assume you have already downloaded this and are evaluating the impact it will have on operations. If you are JoeAverage with a dialup connection, I would wait until Windows Update has the smaller 90MB update available (rumored to be around August 25th).

Mozilla Firefox 1.0, RC1

According to the road map, Mozilla Firefox version 1.0 Release Candidate 1 is supposed to be released soon (like today). Since the Moozes haven't been able to reach many if any of their goals on time, I would take the time line as a guide and start checking soon for the RC1.

August 11, 2004

Mail Call

Date: Wed, 11 Aug 2004 12:11:49 -0600
From: John Doucette
Subject: Novell client 4.9sp2

Hi Dan

I did not need to upgrade Novell clients when I installed WinXP SP2 but decided to try 4.9sp2 just for fun. I find so far that connecting to mapped drives to a Novell 4.11 server is now faster. Other than that I see no difference and the change log did not look like it would do anything for me.

I should note that fast access to Novell drive from XP is a known issue I see a lot. I have tried other Novell client versions to find initial access speed good then it goes away. I am hoping 4.9sp2 will be a winner and so far after 18 hours of use is still going strong which I think for me is a record.

John

Aloha!

Mark? What Mark?

There's an old joke about if you don't know where you're going that's where you'll be. So I am depressed this morning. Why? Because we are being drowned in a rising tide of mediocrity disguised as brilliant writing. When I read stuff like this and see that this is considered "brilliant" I can only stop and wonder at it all.

I dunno. The writer says he can't say what peace should look like and that I can't either because it's impossible to do so. I disagree. It is a bit arrogant to tell me what I can or can't imagine. In fact, people can imagine what peace looks like and it's usually called an exit strategy. I would go further and say every conflict ends based on an exit strategy. Sometimes the strategy is wise, sometimes it isn't. The events that result from the strategy sometimes turn out well (see post-war Japan) and sometimes they don't. But there is always an exit strategy.

To me, what it boils down to is goals and objectives. Yes, how you reach those goals may change (i.e., the plan), based on unforeseen exigent circumstances. But the goals and objectives remain the same.

Let me give you an example: many students go to college but never finish. Part of the problem is they can't stay focused on the goal. That is, each day brings a new challenge and while focused on the changing circumstances, they lose sight of where they wanted to go in the first place. In the end, many just drift through life not accomplishing much of anything.

While I don't think it is a major part of his essay, and I don't necessarily disagree with his conclusions, I think he is missing the mark on this point.

In addition, and I hesitate to even bring this point up because the level of debate will probably spiral down from there, but he also seems to miss the mark when he makes an ad hominem attack on those who would be so bold as to disagree with his assertion. This is a big mistake because it weakens his essay. In my opinion, a brilliant essay (and I'm not saying anything I write is brilliant) stays focused and uses arguments based on reason, not emotion.

Off the Mark

This one was just too good to pass up. If you live in Thailand, Malaysia, or Singapore, Microsoft has an operating system for you. It's called Windows "Starter Edition" and costs about $36 (I assume this is a US equivalent). However, the edition reportedly will allow only three applications to run at once (assuming you have the hardware to run more than one application at a time).

The crippled edition, due out in October, is apparently Microsoft's response to inroads made by the Linux operating system. Unfortunately for MS, Linux is widely available for free (so are stolen copies of Windows in Asia - ed.) so even at $36, Windows will be more expensive than Linux.

While I think a lower price is a good idea, getting an even more crippled operating system, in my opinion, is not the answer. The answer is to sell Windows XP Pro for no more than $50, which is what it's worth. When Longhorn comes out, they could raise the price to $75. But otherwise, Windows just isn't worth the two or three hundred dollars they charge now.

See the story from TheRegister here.

August 12, 2004

Run, Run for Your Lives!

Don Wright, of the Palm Beach Post, editorial cartoon on homeland security

Aloha!

Bach and Roll

What if Ludwig was alive today and decided to do a variation on the theme of Stairway to Heaven? If you're interested, click on the link and find out (note that some of the MP3 files on the site are about 300K).

August 13, 2004

Just Popping In

As you may remember, I'm in the process of building a PC for SWMBO. So far I have the Intel 2.8E CPU (Prescott), Intel 865GBF-L motherboard, Sony 700A Dual Layer DVD burner, Antec 380TruePower supply, 1GB of Kingston RAM, Windows XP Pro (OEM version), and Windows Office 2003 (student version). I still have to get a hard drive (probably a Seagate SATA), and a case.

In looking for a case I found that Intel has thermal specifications for its processors that have been translated into a case guideline called Thermally Advantaged Chassis (there is a version 1.0 and 1.1). You can read what Intel has to say about it here and a little more here. The second link includes cases Intel has tested and says will keep the CPU temperature at or below the 38°C (~100°F) maximum of the specification.

While I am sure other cases can also keep the temp below 38°C, you may want to consider picking your case from one of the companies on the Intel approved list (and perhaps replace their power supply with one from Antec). Or not. It's up to you. YMMV.

The problem I'm having is finding someone locally who sells any of the tested cases. If I try to mail order one of these I end up having to pay almost as much for the shipping (and in one case more) than the case itself! Oh well, just another example of the price of paradise.

Have a Great Weekend, Everyone - Aloha!

August 16, 2004

Ocean Front Property

Many people come to Hawai'i for the scenery. For those on the Big Island of Hawai'i, that scenery keeps getting bigger all the time. But not everyone comes just for the amazing views; the Honolulu Advertiser has an article on scientists from the U.S. Geological Survey's Hawaiian Volcano Observatory who have been studying volcanos and the movement of molten rock for years.

They do important, perhaps someday life saving, work. Take a look at their site for live web cams of the source of the lava, Pu'u 'O'o, Kilauea vent. During the day, there isn't much to see, but I am told at night, you can see light from the glowing molten lava.

Note that the photo below was taken at a location down slope from Kilauea where the lava eventually enters the sea:

Lava flowing into the sea.

Aloha!

Making a List

Microsoft has created a page listing programs that "may behave differently" after you install Windows XP Service Pack 2. I assume this is a euphemism for everything from blowing Windows into a blue screen to corrupting data. The list includes, among about 200 others: Pagemaker, Photoshop Elements, Extra!, Autocad 2004, Citrix ICA Client, ArcServe, WordPerfect Office 11, Cute FTP 5, Quicken Deluxe 2001, Office XP, Outlook 2000/2002/2003 and ZoneAlarm 5.0.590.

In addition, MS has a list of programs that are blocked by their firewall.

August 17, 2004

DOS Ist Goode

Browser, I don't need no stinkeen' browser. I'm no expert on firewalls but it seems our Information Technology office is having problems with our firewall this morning. Anything through port 80 is being blocked but everything else is flowing. So I can do email, telnet, and ftp but no web access.

So, I can telnet to my account at pair.com and use Lynx to surf the net. Having done that, there isn't a whole lot interesting going on right now so I'll leave you with this that I found under a mossy rock:

A Tale of the Shire

Long ago, in the days when all disks flopped in the breeze and the writing of words was on a star, the Blue Giant dug for the people the Pea Sea. But he needed a creature who could sail the waters, and would need for support but few rams.

So the Gateskeeper, who was said to be both micro and soft, fashioned a Dosfish, who was small and spry, and could swim the narrow sixteen-bit channel. But the Dosfish was not bright, and could be taught few new tricks. His alphabet had no A's, B's, or Q's, but a mere 640 K's, and the size of his file cabinet was limited by his own fat.

At first the people loved the Dosfish, for he was the only one who could swim the Pea Sea. But the people soon grew tired of commanding his line, and complained that he could be neither dragged nor dropped. "Forsooth," they cried. "The Dosfish can only do one job at a time, and of names, he knows only eight and three." And many of them left the Pea Sea for good, and went off in search of the Magic Apple.

Although many went, far more stayed, because admittance to the Pea Sea was cheap. So the Gateskeeper studied the Magic Apple, and rested awhile in the Parc of Xer-Ox, and he made a Window that could ride on the Dosfish and do its thinking for it. But the Window was slow, and it would break when the Dosfish got confused. So most people contented themselves with the Dosfish.

Now it came to pass that the Blue Giant came upon the Gateskeeper, and spoke thus: "Come, let us make of ourselves something greater than the Dosfish." The Blue Giant seemed like a humbug, so they called the new creature OZ II.

Now Oz II was smarter than the Dosfish, as most things are. It could drag and drop, and could keep files without becoming fat. But the people cared for it not. So the Blue Giant and the Gateskeeper promised another OZ II, to be called Oz II Too, that could swim the fast new 32-bit wide Pea Sea.

Then lo, a strange miracle occurred. Although the Window that rode on the Dosfish was slow, it was pretty, and the third Window was the prettiest of all. And the people began to like the third Window, and to use it. So the Gateskeeper turned to the Blue Giant and said, "Fie on thee, for I need thee not. Keep thy OZ II Too, and I shall make of my Window an Entity that will not need the Dosfish, and will swim in the 32-bit Pea Sea."

Years passed, and the workshops of the Gateskeeper and the Blue Giant were overrun by insects. And the people went on using their Dosfish with a Window; even though the Dosfish would from time to time become confused and die, it could always be revived with three fingers.

Then there came a day when the Blue Giant let forth his OZ II Too onto the world. The Oz II Too was indeed mighty, and awesome, and required a great ram, and the world was changed not a whit. For the people said, "It is indeed great, but we see little application for it." And they were doubtful, because the Blue Giant had met with the Magic Apple, and together they were fashioning a Taligent, and the Taligent was made of objects, and was most pink.

Now the Gateskeeper had grown ambitious, and as he had been ambitious before he grew, he was now more ambitious still. So he protected his Window Entity with great security, and made its net work both in serving and with peers. And the Entity would swim, not only in the Pea Sea, but in the Oceans of Great Risk. "Yea," the Gateskeeper declared, "though my entity will require a greater ram than Oz II Too, it will be more powerful than a world of Eunuchs."

And so the Gateskeeper prepared to unleash his Entity to the world, in all but two cities. For he promised that a greater Window, a greater Entity, and even a greater Dosfish would appear one day in Chicago and Cairo, and it too would be built of objects.

Now the Eunuchs who lived in the Oceans of Great Risk, and who scorned the Pea Sea, began to look upon their world with fear. For the Pea Sea had grown, and great ships were sailing in it, the Entity was about to invade their oceans, and it was rumored that files would be named in letters greater than eight. And the Eunuchs looked upon the Pea Sea, and many of them thought to immigrate.

Within the Oceans of Great Risk were many Sun Worshippers, and they wanted to excel, and make their words perfect, and do their jobs as easy as one-two-three. And what's more, many of them no longer wanted to pay for the Risk. So the Sun Lord went to the Pea Sea, and got himself eighty-sixed.

And taking the next step was He of the NextStep, who had given up building his boxes of black. And he proclaimed loudly that he could help anyone make wondrous soft wares, then admitted meekly that only those who know him could use those wares, and he was made of objects, and required the biggest ram of all.

And the people looked out upon the Pea Sea, and they were sore amazed. And sore confused. And sore sore. And that is why, to this day, Ozes, Entities, and Eunuchs battle on the shores of the Pea Sea.

Aloha!

August 18, 2004

Seeing the Light

Sometimes, you don't know how good you have it until you are about to lose it.

ThePhoneCompany is always an easy institution to trash. I mean, for most folks, the phone company you have is not by choice. Rather, it's a regulated monopoly and the one you get is based on where you live. And for the most part, it's the least evil way of doing it (I could go into the economics of it but that's a post for another day).

But you know, for the most part, I've had excellent service from our phone company - Verizon Hawaii. Especially if you compare it to our CableProvider - TimeWarner Oceanic.

For example, you may remember my experiments in the past running dual Internet access via DSL from Verizon and cable modem from TimeWarner. The cable modem would lose its connection on a daily basis (and usually more than once a day) while the DSL would just keep working.

When I called TimeWarner service I would wait on hold for more than 30 minutes at a time only to be told a technician couldn't possibly come out to check things earlier than two weeks later. When they finally did arrive, of course, everything would be working.

On the other hand, in the last two years or so that I've had DSL, I've only had two outages. When I called (at around 10:00 am) I got a person on the second ring and he arranged for a technician to arrive that afternoon (he came around 2:30pm). The problem turned out to be a wiring issue across the street caused by some construction going on. Things were fixed by 3:30pm.

The second was over this past weekend and involved one of their routers, which they fixed about six hours later.

I even found out recently that Verizon is rolling out fiber to the door. Once that is completed, you can choose 15Mbps or 30Mbps. That's right, 15Mbps or 30Mbps to your house. Unfortunately, Verizon Hawaii is being bought by another company, the Carlyle Group (see the story here). So my guess is fiber to the house won't happen for us.

I hope, should the sale go through, the Carlyle group will invest money into upgrading the systems, including fiber to the house. But given its business plan, I don't think that's going to happen (taking on 1.5 billion in debt, then promising not to increase rates for 10 years. Yeah right. Wanna' buy some beach front property on the Big Island?). My guess is (insert disclaimer here), even what we have now will deteriorate. But what can you do? It's ThePhoneCompany.

Aloha!

August 19, 2004

Admission of Guilt

Tomorrow is a state holiday commemorating Hawai'i statehood. While this is not considered a GoodThing by all people, I think the majority would not want to be citizens of any other nation (other than perhaps the Nation of Hawaii).

In addition, I need to do some house cleaning so I'm taking Monday off. So, no post for tomorrow and maybe Monday (although I may get around to doing one so feel free to drop by to check).

Aloha!

Scripted Answers

I'm currently working on using an Adobe Acrobat form as a front end to a Microsoft Access database. The form is used to request vacation or sick leave time off. The database would keep track of the used time and calculate how much time is left at the end of the year.

To try to automate the process, I'm using the Acrobat plugin that enables Acrobat JavaScript (AcroJS). AcroJS allows me to use SQL commands that access the database.

This means I get to learn AcroJS and SQL. Joy and rapture. Not. But I guess it keeps me off the streets and out of trouble. [g]

August 23, 2004

Spanning the Globe

I've talked before about this site here that has panorama views of all kinds of places. From the Moon to Easter Island they have 360° panoramas (Note that you need the QuickTimeTVR plugin and a compatible browser to view the images.).

I recently went back to the site to take a look around and found this panorama here of the statue of King Kamehameha that is in front of the building called Ali'iolani Hale. By turning in the opposite direction, you can also see across the street the only royal palace on US soil - 'Iolani Palace.

Ali'iolani Hale was built in the 1870s to serve as residence for then King Kamehameha V. Tragically, the king died before moving in. Having no children, the Kamehameha dynasty came to a heart breaking end with his death in 1872.

Approximately 20 years later, in 1893, on the very steps of Ali'iolani Hale where I now work, American interests, with force of arms illegally overthrew the remaining monarchy and established one of their own as President of Hawai'i.

Sometimes, as I walk the halls that Hawaiian kings and queens have trod, I am filled with sadness over what once was, but will probably never be again.

Aloha!

Have It Your Way

As Microsoft rolls out Service Pack 2 for Windows XP, there are now several ways to get the update. The first, as noted on these pages earlier, is to download the full 272MB file here. The second is for MSDN subscribers where you can download the 474MB ISO image for installing from CD (it includes utilities described as useful for corporate environments). A third way to install SP2 is to download this 1.6MB express installer that will then download only the files you need (which may or may not be less than 272MB). Of course, the fourth way to get SP2 will be to wait for Windows updates (automatic or otherwise) to go live on August 25th for Windows XP Pro users (XP Home should have gone live already). You choose which way is best for you.

August 24, 2004

Going Swimmingly

If the attack hounds were released.

Aloha!

A Disturbance in the Force

TheForce.net published a rumor that employees at Industrial Light and Magic recently had to sign a non-disclosure agreement regarding episodes 7, 8 and 9 of the Star Wars saga.

As many of you know, George Lucas originally sketched out his space-based opera in three groups of three. The first two sets of three have been completed (or soon to be when episode 3 is released next year). But Lucas has been quoted as saying he would not do the last trilogy.

Who knows if the rumor is true and even if so, does that mean Lucas plans to do the last three?

August 25, 2004

Are Condemned to Repeat Them

"Why, of course, the people don't want war. Why would some poor slob on a farm want to risk his life in a war when the best that he can get out of it is to come back to his farm in one piece. Naturally, the common people don't want war; neither in Russia nor in England nor in America, nor for that matter in Germany. That is understood. But, after all, it is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy or a fascist dictatorship or a Parliament or a Communist dictatorship."

"There is one difference," I pointed out. "In a democracy the people have some say in the matter through their elected representatives, and in the United States only Congress can declare wars."

"Oh, that is all well and good, but, voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same way in any country."

Reich-Marshall Hermann Göring in G. M. Gilbert's Nuremberg Diary. New York: Farrar, Straus and Company, 1947 (pp. 278-279) as quoted in Snopes.com.

Aloha!

Ends to the Means

Sometimes people can forget what their goals are or confuse the goals with the means to the goals. In the case of network security, it may manifest itself in people tending towards either security or usability. But I would say each is an objective towards a goal, but not the goal itself.

If neither is the goal, just what is? The goal, in my opinion, is to facilitate the operations of the business or government entity so that, in the case of business, it makes money and in the case of a government entity, the policies of the decision makers are carried out.

Notice that I am in no way saying the network should be configured solely to make it easier for IT people to maintain nor solely to make it easy for users to access. In the first case, no one would have access and the data would remain in a pristine, if useless state. In the second, everyone would have access and the data might be suspect and therefore also useless.

In order to reach their respective goals, security must be balanced with usability. But this balance is based on criteria such as, but surely not limited to, how secure the data must be (based on context) and how computer savvy are the users.

Data that someone would want to access, without the proper authority to do so may need a higher level of security than something that is not valuable to anyone other than those already authorized to use it. For example, salary levels are considered highly proprietary information by businesses. On the other hand, public officials have their salaries, many times, set in statute and therefore are open to anyone. How much government spends and what its revenues are is also public information. Hence, the context of what is being stored may make a difference on the level, if any, of security.

Likewise, if people authorized to access salary data are not able to, due to security, because it is overly cumbersome then they can't help, for example, the business make money.

Now, you would think all of this is obvious and why am I wasting these electrons telling you this. Well, there is a saying that the customer is always right and perhaps there will come a day in which the competing values of network security and usability will no longer be a problem. But as many businesses learn, not all customers are right for their business. I mean, in a service business like, for example, computer customer support, a minority of your customers create a majority of your work. In most cases, a business model like this is workable because everyone pays for the service but only a minority actually use it. So a business can still make money under this model.

But get enough of the wrong kind of people, either as users or people wanting to inappropriately access your data, and it is possible that the expense of providing support is higher than the money coming in.

In my case, I know of two people in our office that between them, generate more service calls than the rest of us combined. Why? Partly it's because network security is not as transparent as some would believe and partly it's because these users don't understand the concept of a computer, much less a network of computers.

One solution would be to open the network to anyone. In our office that might not be so bad of an idea. Being a court house, this building has pretty good physical security. I'm not going to list what this includes but suffice it to say no one gets in without being noticed. Further, the resources available are not so much different from what is available on our public facing Internet servers. So heretical as it may sound, a case could be made to eliminate network passwords or at least standardize on one password that gives access to all required data (as opposed to having one to login, one to get email, one each to access the mainframes and minis, etc.).

But you may work at a place where data positively must be kept only for those authorized. If so, you have to balance that with making it accessible to everyone that is authorized. To do that, you may have to spend money and get retinal or fingerprint scanners. This costs money, but so may losing proprietary information to a competitor.

The bottom line is to remember what your goal is and not to confuse it with the means to the goal.

CARB 'o Loading

My wallpaper for the week comes courtesy of Doc Searls and is a series of sunset shots taken near his home in Santa Barbara, California. Good stuff, even if you can see the air you breathe ;}

Sunset over Santa Barbara

August 26, 2004

The Sound of Music

Somehow, I find it poetic justice that the company that sued JibJab, the site that used Woody Guthrie's "This Land Is Your Land" in a satirical Flash animation, may not have the copyright after all. During research on the song, JibJab defense lawyers found that Ludlow Music was not the copyright holder and that, in fact, the song was in the public domain and had been so for some time.

Ludlow Music quickly dropped its suit but is still maintaining that it has the copyright. No word yet on when a Veterans for Truth, Justice, and Ludlow Music RIAA/DRM site will emerge from the slime.

Aloha!

Uke Too

Ukulele is just not one of those musical instruments that many people want to hear or play. I mean, when was the last time you saw an air ukulele contest? Or saw Eddie Van Halen burning the strings out of one with his fingers? Rather, you are more likely to see Bob Hope and Bing Crosby crooning with a uke than you are The Who. It's just considered to be too light weight for serious musicians.

But one man, by the name of Jake Shimabukuro is getting some good press (as is the instrument itself here) during his Summer tour across the US and Asia. Shimabukuro, who is from Hawai'i, has been putting on his dynamic shows for awhile now and if you've never seen someone who can play, really play, the ukulele, then go see him.

I say go see him for two reasons. The first is because I can't find samples of his music at the usual places so you can't otherwise hear his music. The second is because when you see him play live you see the energy that Shimabukuro exerts while using every last ounce of expression that the instrument can produce.

As always, his music isn't for everyone. But if you ever get a chance, spend a few minutes listening and see if you don't agree that there is no one better out there right now.

SP2 SPlat

The first known SP2/IE vulnerability was reported and verified last week Friday (five days before SP2 for XP Pro went live on Windows Update). Clicking on a web page image with a hidden program downloads an executable to your startup folder. Hence, the next time you reboot the program executes and your box would be 0wn3d by 133t h4x0rs.

August 27, 2004

Doc's Dibs

I had a link to Doc Searls' site regarding a series of photos he took of the sunset near his home in California. I guess he noticed the link and he offered to make available the original 5MB versions of the images to anyone (the link back to here) interested. As soon as I can get them, I'll use them as wallpapers for my desktop.

As an aside, to show how classy Doc is, he didn't say anything about the three grammatical errors (now fixed!) that I had in the short post linking to his site. I guess it's just one more reason why he gets millions of visitors and I get eleven... ;=}

In any case, thanks Doc!

Have a Great Weekend, Everyone - Aloha!

August 30, 2004

Does Anybody Know What Time It Is? (Does anyone care?)

Speaking of dates, I've decided to switch to ISO-8601 compliant notation. I think there is too much chance for mis-communications when using numbers to represent dates. For example, in the US, 05/12/04 represents May 12, 2004. But in most other countries, it would mean 5 December 2004. Under ISO-8601, I think both are wrong as it should be read as 4 December 2005.

This means when I use numbers (as opposed to spelling out the month which, as I understand it, ISO-8601 is silent on since there is no ambiguity when you spell out the month) to designate a date, it will be in the general form of YYYY-MM-DD. In addition, time will be expressed using the 24-hour clock with the offset to Universal Coordinated Time displayed after the local time. For example, 23:30-10:00 would be displayed instead of 11:30 p.m. Hawaiian Standard Time.

Since I very rarely, on this blog, type out dates using only numbers, there shouldn't be much of a change. On the other hand, I do refer to the time, from time to time. But I assume most people will understand what time it is.

As an interesting sidebar, those wacky ISO people apparently created two different designations for midnight. From what I understand, you can say 2004-08-31T24:00-10:00 or you can say 2004-09-01T00:00-10:00. Don't ask me why because it seems to create an ambiguity, something I thought they were trying to get rid of (in addition, no digital clock I know reads 24:00 at midnight). In any case, I'll just say midnight rather than use numbers.

Aloha!

Hang Fire

It is probably still subject to change (as was the last...sigh) but the Mozilla Firefox browser road map says 1.0PR is due out today. 1.0PR will be followed by 2.0PR and then RC-1, 2, and so forth until 1.0 Gold comes out (scheduled for October 11th).

As noted, the schedule has already slipped at least once and will probably slip again but all we can do is watch as they move closer to going gold.

Priceless

Hurricane Charley in Florida cost: billions. Tree trunk through your house wall cost: thousands. FEMA check to make you whole again: $1.69. Priceless.

This article proves once again that stupidity knows no political party. The US Federal Emergency Management Agency sent a check to a Florida man who pleaded for help after hurricane Charley roared through his state. FEMA sent him a check for $1.69 which, in Florida, gets you less than a gallon of gas.

To be fair, the man has insurance so at least some of the damage will be covered, but after the shock of seeing your house shredded it can leave less than a satisfying taste in your mouth to get such a check. In fact, his reaction of shock and then falling apart and crying is not unexpected. Except, I guess, by federal bureaucrats.

If you think this kind of stuff is only from the Feds, think about this one. Another man in Florida didn't have house insurance, but he tried calling local contractors because he needed to fix his roof before further damage occurred due to the rain getting into the house. But since all the local contractors were busy gouging people with insurance, he couldn't get any help. So he called a contractor friend living in another county to help.

Out of the goodness of his heart, the friend shut down his shop for a week and came to help fix the roof. But within days, two county sheriffs and two state business regulators were threatening the friend with a third-degree felony for helping (at no charge) his friend.

Now, Republicans love to trumpet how they are business friendly. And the last time I looked, Florida is run by Republicans (as is the Federal Government), so how are these two stories examples of being business friendly or even Conservative Compassion? Or for that matter, being voter friendly? Heck, how are these examples of just being friendly, period?

August 31, 2004

Smell? What Smell?

Speaking of writers, I see that Dave Barry is writing trash his deep insights on the Republican National Convention in New York City. A short snippet on the process the RNC used on deciding to meet in probably the second most liberal East coast city:

We considered such factors as hotel space, meeting facilities, transportation and the financial incentives offered by the city. Then we smoked crack.

Oh, the most liberal city on the East coast? Maybe here.

Aloha!

Down, But Not Out

I see that Steven Den Beste is saying he has stopped writing essays for his site (at least for now). He lays out his reasons which, in large part, as I understand it, are based on being worn down by people who would email him with unwelcome comments.

If this is the case, the world is a lesser place because of it. That's not to say I agreed with everything he had to say nor the way he said it (not that I'm in a position to judge). But at least he laid out his thoughts in a rational manner paving a road through the wilderness that is the Internet.

I can only imagine the time and effort he must have put into his long essays as I find it sometimes difficult just to do the short links and occasional short essay I do (even taking the weekend and most holidays off as I do).

In any case, it's his life and if doing what he was doing wasn't rewarding to him, he has every right to go off and do something that is. But I get the feeling, to extend the metaphor quoted on his site: painters gotta paint, singers gotta sing, and writers gotta write. I figure he'll turn up somewhere, somehow.

Out, But Not Down

WinAmp has issued a security update to their popular music player. If you are using versions 3, 5, or 5 Pro, go read the article from WinAmp here and then update your player here.

I'm not qualified to say whether the fix is really a fix since it appears the exploit can still be executed, although it would require your explicit permission, but it still makes sense to get the update. The bottom line is security must include the user and this is, I think, a good example of that.

Soon to Be Out

Orion computers 96 node PC

Tired of UberGeeks kicking sand in your face when they whip out their twin Xeon processor PC? Well, just wait until you see the envy when you slide this Orion 96 node box from under your desk. That's right, 96 processors, 150 gigaflops sustained (300 peak), 192GB of RAM (192 gigabytes of RAM?!?!?), and up to 9.6 terabytes of disk storage. All in a box that's not much larger than your run-of-the-mill server tower (Okay, maybe a little larger than your standard full tower case. The point is it's in a case that you can plug into any wall outlet, flip one switch to turn it on and doesn't require a team of workers to keep it running).

It runs the Linux 2.6 kernel (you didn't think this would be running Windows XP Home now did you?) and includes the "standard parallel programming libraries, including MPI, PVM and SGE." [I think I got the links right but I'm not into cluster programming so I could be wrong on some of them.]

If the thought of selling your house to afford one of these ("priced at less than $100,000") is beyond what you want to do you can instead get the 12-node version ("priced at less than $10,000") that sits on your desktop. Note that neither is currently available for purchase although both are slated for release Real Soon Now.

About August 2004

This page contains all entries posted to Misc. Ramblings in August 2004. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.