Saturday, August 27, 2005

Mambo and the problems of Open Source

Recently, trouble's been brewing in the Mambo project.
Mambo source was originally developed by a company named Miro, which chose to license the source under the GPL but retained copyright.
Conflict arose over who controls the future of the project, the volunteer developers or the copyright owners.
An excellent write-up outlines the developers' POV, and the developers' website is OpenSourceMatters.

From the company's POV, however, I would think GPL-ing the source led to undesirable consequences. In short, once the source was GPLed, they lost all control over the future of the project - since the developers can (and did) fork the source, and continue development in the new fork.

While many hail this as a victory for the Open Source movement, which proved its supremacy over the corporation that developed the code, I am not so sure. This proves to be an incentive against corporations Open-Sourcing projects and cooperating with the OSS movement. OSS 'purists' would prefer it be that way, but as corporations do add value to projects, the OSS movement has lost many potential allies.

Tags: opensource mambo

Friday, August 26, 2005

Windows Communication Foundation ("Indigo") channels explained

I'm writing a series of blog posts explaining the WCF channel architecture and extensibility points. The first in the series is posted, others soon to come.

Monday, August 15, 2005

PMP Certification

I recently acquired the PMP certification, and wanted to share some insights.

What is PMP certification?
The PMP (Project Management Professional) is the leading project management certification, issued by the PMI (Project Management Institute).

Why did I choose to get PMP certified?
In the software industry, project management skills are an intrinsic part of the roles of individual developers, leads, development managers, and of course project/program managers. While I am not currently looking for a project manager role, as the classical project manager seems too far removed from technology, I think the skills would be useful. And I might change my mind...
...and, of course, the PMP designation looks good on my resume.

How was the test?
Hard. It's a hard test, the questions are misleading, and a 4-hour test is a looong test.
I scored overall 86%. It seems traditional to share the sections breakdown, so here goes:
Initiating: 88%
Planning: 91%
Executing: 90%
Controlling: 84%
Closing: 79% [makes sense, I ran out of time before my final review of 'closing']
Professional responsibility: 86%

How did you study?
I used the Rita book, the Kim book, Achieve PMP Success, the Exam Cram 2 book, the PMBOK (from which I learned very little, the style was too dry for my taste) and additional online resources - especially useful was the table of the 39 processes, their inputs, tools, and outputs.
I spent half my time taking tests, and half reading textbooks or my notes. I estimate I put in 40-50 hours over 2 months - there seemed to be too much information for cramming.

Tags: PMP certification

Friday, August 05, 2005

Cisco, Mike Lynn, and my door

Recently, there was much discussion (also see here) about Mike Lynn's presentation exposing a Cisco vulnerability.
Details are a bit fuzzy. It seems the patch was already made by Cisco.
In some ways, exposing security issues is beneficial for the industry, which would otherwise ignore them and never fix them - an industry needs watchdogs to force it to fix product defects, and the car industry is an excellent example. And of course, it is very human to want to (and have the right to) discuss your achievements - and for a security researcher, finding a security vulnerability is a major achievement.
However, I refuse to glorify such actions. If a neighbor noticed my house door was open and updated a bulletin board in the middle of the town ("houses with unlocked doors can be found at...."), I would be unhappy; and I don't think I'll be loaning him the lawn mower again.

I think there should be a way for security researchers to get the fame (and improved job opportunity, and better pay, and everything an achievement usually entails) they deserve for finding security issues; and security researchers should show more responsibility on their part.
It boils down to processes and money. If a security researcher spends (on average) months and a very sophisticated skill set finding a security issue, then informs the company and makes no big deal about it, he's been cheated out of any rewards for his efforts - and both the community and the company got security testing and review for free.
That's an untenable situation; as long as researchers have an incentive to disclose security holes, they will; but I can't quite see that suing researchers would create the right kind of incentive.
What would I like to see? A substantial monetary reward & public recognition program for security researchers who find issues, complemented by a much longer wait time on disclosing the details of any security issue.

Wednesday, July 27, 2005

Searching Blogs - compared

I found this link on Mary Hodder's blog, which I found here. It's interesting to note that no major search engine (Google, Msn Search, or Yahoo) currently supports real-time or near-real-time searches of blogs.

Thursday, July 21, 2005

Intel on multi-core processing

This article found on Intel's website outlines their view on multi-core processors.

I totally agree with the first 'take-away':
"For software executives, the first priority is to make sure your applications effectively take advantage of parallel processing capabilities of the multicore processors"
and mostly agree with the second:
"For enterprise IT management, multicore capabilities present major opportunities to lower the cost of computing through server consolidation"

Intel predicts that by the end of '06, expected run rate of dual-core CPUs on the desktop would exceed 70%, and hit 85% on servers.

Those suggestions are compatible with my suggestions in my MSDN Magazine article on hyperthreading, only more so - while hyperthreading has shown a modest performance boost, multi-core shows a greater performance boost. This strengthens the position that future software performance boosts will depend on being able to write scalable multi-threaded applications.

Wednesday, July 20, 2005

Microsoft Certification upcoming changes

According to this article and other sources, the current Microsoft certifications, such as MCSD, MCSE, and MCDBA, will be retired (or at least no longer offered) around September.

They will be replaced with 3 levels of certification:
Tier 1: Microsoft Certified Technology Specialist
Tier 2: Microsoft Certified IT Professional & Professional Developer
Recertification will be required to maintain status at this level.
Tier 3: Microsoft Certified Architect
A board-level certification that requires recertification.

An additional blog post on the subject is here.

As I post, the Microsoft certification page does not specify that any certifications are being discontinued, so the official story is not available.

Monday, July 18, 2005

SHA-1 break paper available

Recently, a paper by Xiaoyun Wang et al. describes how collisions can be found in the common hashing technique SHA-1.
"In this paper, we present new collision search attack on SHA-1".

This cryptographic vulnerability has some far-reaching implications for the security of encryption systems.
For example, since digital signatures normally sign the hash of a document rather than the document itself, an attacker might be able to forge a signature on a Word .DOC file - by taking a legitimate document D and modifying it (by adding spaces, changing file format, etc.) so that it has the same hash as another document.
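The forgery sketched above, as an added illustration that is not part of the original post: the signature covers only the digest, so any two documents with the same digest carry the same signature. Assumptions: HMAC stands in for the private-key signing operation (the standard library has no RSA), and a 16-bit truncation of SHA-1 stands in for a hash whose collision resistance is broken; the documents and key are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a private signing key (assumption: a MAC models
# the private-key step; the property shown does not depend on the scheme).
SIGNING_KEY = b"constructed-demo-key"


def digest(doc: bytes, weak: bool) -> bytes:
    """Hash-then-sign digest. weak=True truncates SHA-1 to 16 bits to model a
    hash with broken collision resistance; weak=False uses full SHA-256."""
    if weak:
        return hashlib.sha1(doc).digest()[:2]
    return hashlib.sha256(doc).digest()


def sign(doc: bytes, weak: bool) -> bytes:
    """The signer never sees the document, only its digest."""
    return hmac.new(SIGNING_KEY, digest(doc, weak), "sha256").digest()


def verify(doc: bytes, sig: bytes, weak: bool) -> bool:
    return hmac.compare_digest(sign(doc, weak), sig)


def find_collision(legit: bytes, forged: bytes, weak: bool, limit: int = 4096):
    """Vary trailing spaces on both documents (the 'adding spaces' trick the
    post mentions) until a legit variant and a forged variant share a digest.
    Returns (D, D') or None if no pair collides within `limit` variants."""
    seen = {}
    for i in range(limit):
        d1 = legit + b" " * i
        seen[digest(d1, weak)] = d1
        d2 = forged + b" " * i
        h = digest(d2, weak)
        if h in seen:
            return seen[h], d2
    return None


def forgery_succeeds(weak: bool) -> bool:
    """True if a signature obtained on D also verifies for the forged D'."""
    legit = b"I owe you $10"          # constructed sample documents
    forged = b"I owe you $10000"
    pair = find_collision(legit, forged, weak)
    if pair is None:
        return False                  # no collision found: forgery fails
    d, d_prime = pair
    sig = sign(d, weak)               # victim signs the harmless variant
    return verify(d_prime, sig, weak)  # same digest, so same signature
```

With the 16-bit digest a colliding pair turns up after a few hundred variants and the forged document verifies; with full SHA-256 no pair among the same variants collides, which is exactly the property a signature scheme relies on.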

As with most cryptographic issues, there may or may not be an immediate issue, and solutions will have to be provided by cryptographic library providers. But it is a fascinating read - assumptions we made out-of-hand just years ago keep getting proven wrong. There's a lesson in it somewhere, if only I could find it.

Tags: software cryptography

Thursday, July 14, 2005

Wardriving illegal?

This CNN.com article discusses how a man was charged with stealing Wi-Fi signal. AFAIK, this is the first time anyone has been prosecuted for that. But totally insecure Wi-Fi networks are still a big percentage of home WiFi networks - even tho' securing them (to some degree, at least - even by specifying acceptable MAC addresses) is nearly trivial.

Monday, July 11, 2005

Indigo patents not a barrier to interoperability

This article states:
Microsoft said its willingness to file patents on its planned Indigo Web-services technology will not affect the software’s ability to interoperate with other vendors’ software.
Interesting read, but not that much meat in the article.

Sunday, July 10, 2005

WikiWiki

By now, most everyone knows about Wikipedia, but have you ever wondered what the word wiki means?
It is Hawaiian for informal or quick; the internal bus in the Honolulu airport is called the WikiWiki.

Tags: wiki

AMD vs Intel

Mary Jo Foley writes on the AMD vs Intel antitrust case.
Great read, although I don't always agree with Mary's perspective on the industry.

Wednesday, July 06, 2005

Privacy: Data for sale in Russia

As discussed on Schneier's blog, information such as a "database of vehicles registered in the Moscow region" is available for easy sale. It is just too easy to steal and sell PII these days.

Thursday, June 30, 2005

Does SOA exist?

I really liked Clemens Vasters' post on why SOA (Service Oriented Architecture) doesn't exist. Another way to look at it is: there isn't anything new in SOA that isn't part of good architecture anyhow.

What is Metadata?

The best explanation of metadata I've seen so far is in Rebecca Dias's blog: she explained how SWF (Single, White, Female) is more clear in context:
<marriedStatus> single </marriedStatus>

Saturday, June 25, 2005

Searching Within Blogs?

So simple: use Technorati. Just add your search term after http://www.technorati.com/search . Yes, I know, they have a user interface, but who has the time to click on 'submit' nowadays? For example:
http://www.technorati.com/search/yaniv%20pessach

Why use Technorati? Well, blogs update fast. Google updates slowly. Why read last month's news?

Thursday, June 23, 2005

First post!

This is the brand new blog of Yaniv Pessach.

Not promising to update it often, but I just might...

// Yaniv