imma

Just my thoughts and glimpses of me

Browser Security Flaws & Innovation Pace

The most dominant browser on the world wide web has been steadily losing market share for the last two years or so, but make no mistake: Internet Explorer (IE) did not get to its dominant position by accident, nor is it a simple matter of switching to another browser altogether. For example, in the corporate environment IE is going to feature heavily, as some custom enterprise applications were written to work with IE specifically and over time these applications have become critical to the mission of the organization. Most organizations will keep IE for compatibility and continued use of what should perhaps be labeled legacy code.

There are those who are genuinely indifferent to the particular browser they are using or indeed genuinely prefer Internet Explorer to all other available options. However, no computer user should prefer to run buggy software regardless of the producer of the said software, open source or not. This has become increasingly important after news that Google (and 30 other companies) were attacked by leveraging flaws in Internet Explorer. As it stands, Internet Explorer remains a laggard with regard to advances in web standards: there is not even a slight mention of support for HTML5 (at the time of this writing) while other competing browsers are gradually adding elements of HTML5 as well as CSS3. There is ongoing competition between the developers of the core components of browsers like Google Chrome and Safari (WebKit) and Firefox (Gecko) in bringing in aspects of this increasingly final HTML standard. Those in the know might point to the developments in version 8 of Internet Explorer: IE 8 has indeed added significant support for standards and a host of welcome security-targeted innovations, but in the competition to support the latest standards it seems to be playing catch-up. It remains important that IE 8 implements these standards or at least appears to be working on implementing them. Information about IE 9 thus makes no specific mention of support for upcoming web standards, though they definitely continue to work on some interesting innovations that aim at rethinking the browser experience as a whole.

The focus on security with IE 8 was both important and necessary, but it needs to evolve with the rest of the internet and, as a dominant browser, it increasingly needs to play the role of pushing standardization or at the very least engaging with its user community in pushing the state of the browser, and consequently the web as a whole, forward. At this point, all signs suggest that the IE team is playing catch-up with everyone else while bleeding market share at the same time. Pointing out the security superiority of IE 8 is a lame strategy as at this point they have just managed to fix all the nasty things that were part of previous versions of IE, and in some cases even IE 8 is still vulnerable. If you take the number of bugs found in a piece of software (an ineffectual metric), then Firefox can barely stand as one that has fewer bugs, but here is a justifiably logical way of looking at the high bug count in Firefox: they are constantly working on the code and hence introducing new bugs is almost inevitable, as opposed to finding fewer bugs in a piece of software because developers are only carrying out maintenance on an existing code base. Most importantly, fewer bugs in a piece of software do not translate to speedy and effective elimination of identified threats and vulnerabilities in the software.

The dynamic of Microsoft’s ecosystem is something that cannot be taken lightly, as the effort required to engineer and maintain compatibility extends far beyond what Microsoft can truly affect. In recent years, Microsoft has made an effort to try to rein in vulnerabilities in its software which have made its platform an easy target for hackers and all manner of online fraud. Perhaps one of the most glaring examples of its lack of focus on engineering and architectural excellence was integrating the browser with the operating system. This was a brilliant business move to destroy Netscape and it worked as well, but it also created a rigidity on the Windows platform that their current crop of engineers are trying to address while at the same time being held back by the need to ensure that clients of their platform suffer minimal losses that would arise from breaking compatibility. Making IE a core component of Windows was a good way to upend Netscape, but it also reduced Microsoft’s ability to effectively fight off later competition from the likes of Google, Mozilla, Opera and others. That integration made any response by Microsoft less original since it needs to worry about compatibility, which at this point can present real problems that should not happen when dealing with a mature platform builder and maintainer like Microsoft. Think of the dollars that Microsoft’s platform clients (ISVs etc.) would lose, as well as anyone who relies on the correct behavior of Microsoft’s Windows and web technologies.

One of the good things I have always liked about Windows Vista is that it was an opportunity for Microsoft to fundamentally reconsider its software stack and add as many enhancements, and perhaps even innovations, as were necessary in the new environment that is increasingly consumer-internet centric. One of the much lamented additions in Windows Vista was User Account Control (UAC), which I think was a great idea that will get better with later releases of Windows; Windows 7’s UAC implementation is significantly better without sacrificing security. The China-based attack on Google brought out the full implication of this platform reconsideration: all versions of IE suffered the flaw that facilitated the aforementioned attack. Yes, the fact that IE is sandboxed in Windows Vista and Windows 7 does reduce the effectiveness of the exploit in question. The underlying OS platform has been engineered for security, but the fact that IE still remains flawed is disturbing to ponder. Many would agree that after soundly defeating Netscape, Microsoft neglected Internet Explorer and indeed tried to tie IE improvements to releases of Windows. At this point, it is not even clear that IE development and innovation has reached parity with other players in the browser market, though its inertia remains a worrying concern even for Microsoft.

To some extent the problems of a sizable market share also plague Mozilla Firefox, but their development team seems to be looking for ways to improve the browser. The recently released Firefox 3.6 is much faster and contains additional features for both web surfers and web developers. At this point, Firefox maintains a monolithic execution model wherein there is one process for all the browser tabs, such that if a single tab hangs, the entire browser is forced to shut down. Google Chrome supports a per-tab process model where the failure of one tab does not cause the entire browser to shut down. Microsoft’s Internet Explorer 8 also runs each tab in its own process and thus offers a certain degree of resilience. The Firefox team is working on bringing such changes into Firefox and, while implementing the same changes, they also plan to cater for their extensive plugin ecosystem.

The thorny question of install-base inertia also plagues Internet Explorer and more specifically version 6 of that browser. Recent security-related events targeting IE 6 have led to widespread calls for users to abandon that obsolete, deserve-to-die version of IE. Even Microsoft is asking users to upgrade to the latest version of Internet Explorer, though it goes without saying that people who still use IE 6 present a good opportunity for Microsoft to sell Windows 7 to. However, the security implications of using IE 6 remain an important matter to take into account.

Resources

February 7, 2010 Posted by imma | Uncategorized | | No Comments Yet

Error 31: A device connected the system is not functioning

For the better part of the weekend, I have been looking for the cause and possible solution to Error 31. I thought the technical department of my service provider would have a solution to the problem well at hand so I deferred to them. However, it turns out they don’t have any sensible solution at hand though I must admit the matter did receive quality attention – Thanks Francis.

It turns out the problem was with my computer, and more specifically with my Windows Vista OS, of all the things that could have been the source of the error. I started scouring the web for possible solutions as well as following leads supplied by Mr. Francis. In all the materials I have read with regard to Error 31, it seemed like the error has something to do with the Remote Access Service (RAS) that runs on Windows Vista.

Current Configuration

OS: Windows Vista SP1

Device: USB 3G HSDPA Modem (E160 – Huawei)

What Worked For me

I uninstalled Virtual PC, which until this point had not interfered with the 3G HSDPA connection. More important to note is that I used Revo Uninstaller to remove Virtual PC, which means that all traces of it were removed from the registry as well as the hard disk.

October 13, 2009 Posted by imma | Uncategorized | | No Comments Yet

Simple Java Persistence API (JPA) Demo: JPA Query

JPA Query Language

I don’t know if this series still qualifies as simple, but I thought I would add some basic information about queries in JPA. In part II we looked at the EntityManager and more specifically the simple operations that it enables like persist, find, merge, remove and refresh. In addition to these operations, JPA comes with its own query language that allows you to create custom queries over your data set.

JPA abstracts the developer and the application away from the details of how data is represented in the data stores (most likely a relational database), and this abstraction effectively marries the relational and OO paradigms. However, one of the cornerstones of the relational paradigm is its query capabilities, which have so far been unmatched by any software paradigm to date. The query facilities in the OO model are limited as far as handling a large amount of data is concerned. While there are attempts at developing ORDBMS (Object Relational Database Management Systems) data stores, these have never truly caught on in the enterprise, and so the bulk of enterprise data remains stored in relational databases. With every other application built on top of a relational database, it becomes important to build query capabilities into abstraction layers such as the JPA.

The default query language in the relational paradigm is the Structured Query Language, or simply SQL. SQL has a number of standards defined which every vendor of a relational database implements in a slightly different manner, thus making it a tricky language to adopt as the basis of an abstraction layer like the JPA that is expected to work across multiple relational database products without resorting to expensive and complex workarounds.

The Java Persistence API Query Language (JPA QL) is the result of attempts to abstract the query facilities of the relational paradigm. It borrows from EJB QL but also fixes the weaknesses that have plagued EJB QL. The specifics of what was borrowed from EJB QL and what was fixed are beyond the scope of this post. JPA provides the ability to retrieve JPA-mapped entities, sorting them as well as filtering them. If you are familiar with SQL, then you have some degree of familiarity with JPA QL, as its syntax is closely modeled on SQL’s syntax.

Specifying a Query

There are three main ways of specifying JPA queries:

  • createQuery Method of the EntityManager: with this option you compose the query at run time and execute it there and then. The most immediate aspect of this approach to creating queries is that your queries are not checked/parsed at deployment time, which means that obvious errors are only discovered when the code is executed.
  • Named Queries: Named queries are defined along with the corresponding entity beans. Several named queries can be defined for each entity thus enabling filtering and sorting using various properties of the entity. Unlike with runtime queries, these queries are parsed at deployment time which means that any errors are discovered before code is executed that depends on your named queries.
  • Native Queries: this gives you the ability to define queries using SQL instead of EJB QL. You can create Native Named Queries as well.

Querying

Retrieving data

The most common query operation is the select operation, which returns all or a subset of records in the database. With JPA QL, the select operation returns a collection of zero or more mapped entities. The operation can also return properties of a mapped entity. A simple select query looks as follows.

SELECT h FROM Hotel h

SELECT h.name FROM Hotel h

Notice how you select from the entity and not from a table as you would in SQL but the syntax of the query is not different from what you would write using SQL. The query returns zero or many Hotel entities from the database. The Hotel entity was defined in the first installment of this demo series. The second query in the above sample selects a property of the hotel entity.

Lazy vs Eager Loading: FETCH JOIN

When you design your entity classes with associations and relationships, loading and accessing these relationships at run time becomes important. For example, a hotel has rooms, and you can decide whether you want the rooms associated with each hotel to be loaded when the hotel entity is retrieved (eager loading) or only when you explicitly access the associated rooms (lazy loading). During the definition of the association between entities you can declare whether you want lazy or eager loading, but JPA QL also allows you to load the objects in an association at query time.

SELECT h FROM Hotel h JOIN FETCH h.rooms

With the above query, all the hotel objects returned will have their associated rooms loaded as well. This gives you eager loading without specifying it in the relationship between the Hotel and Room entities.

Filtering & Sorting

It is not always the aim of a data retrieval operation to return every last record in a database; sometimes we are interested in only a few of those records that meet particular criteria for the purpose of the operation at hand. Within the context of the simple app set up for this series, we may just be interested in hotels that are in a particular town. The name of the town in question would form our filtering criteria. The sample below gives a JPA QL query that would enable us to retrieve a collection of Hotel entities with a particular town property.

//Filtering

SELECT h FROM Hotel h WHERE h.name = "Nairobi"

//Sorting

SELECT h FROM Hotel h ORDER BY h.name

//Filter and Sort

SELECT h FROM Hotel h WHERE h.name = "Nairobi" ORDER BY h.name

Once again, notice the similarity to an SQL statement that would return rows that meet the provided sort and filtering parameters. So far these are just simple queries that don’t show much of JPA QL’s capabilities, but they are a necessary step in appreciating how JPA QL queries are written.

Of greater importance is showing how these queries can possibly be composed within the context of Java code.

// "FROM", not "FORM": a dynamic query is only parsed when this line runs
Query q = em.createQuery("SELECT h FROM Hotel h ORDER BY h.name");

List<Hotel> results = q.getResultList();

A further example of using queries to filter

Query q = em.createQuery("SELECT h FROM Hotel h WHERE h.name = :hotelName");

q.setParameter("hotelName", hotelName);

List<Hotel> results = q.getResultList();

Something that may be a bit tricky for first-time users of JPA is composing queries using the LIKE operator to filter. Note that the wildcards are added to the parameter value, not to the query text:

// the entity needs its alias "h" so that h.name can be resolved
Query q = em.createQuery("SELECT h FROM Hotel h WHERE h.name LIKE :name");

// build the pattern "%name%" and bind it as a parameter
StringBuilder sb = new StringBuilder();

sb.append("%");

sb.append(name);

sb.append("%");

q.setParameter("name", sb.toString());

// getResultList() is a method of the Query, not of the EntityManager
List<Hotel> results = q.getResultList();

Assume for a moment that you want a list of all hotels with a particular number of rooms (say more than 20 rooms for example) … here is how you go about formulating such a query:

Query q = em.createQuery("SELECT h FROM Hotel h WHERE size(h.rooms) > 20 ORDER BY h.name");

List<Hotel> results = q.getResultList();

This concludes this look at JPA QL. This is not a complete examination of the power of JPA QL but a glimpse at what is possible.
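The following is an added example, not code from the original series, that puts the three ways of specifying a query (createQuery, named query, native query) and the LIKE filtering from this post together in one small class. It assumes a JPA 2.0 provider, a hypothetical persistence unit called "hotels", and Hotel/Room entities with name, town and rooms fields (the field names are assumptions, since the original entity is in part I).

```java
import java.util.List;
import javax.persistence.*;

// Named queries are attached to the entity and parsed at deployment time,
// so a typo in them fails early rather than at the first call.
@Entity
@NamedQueries({
    @NamedQuery(name = "Hotel.byTown",
                query = "SELECT h FROM Hotel h WHERE h.town = :town ORDER BY h.name"),
    @NamedQuery(name = "Hotel.withRooms",
                query = "SELECT DISTINCT h FROM Hotel h JOIN FETCH h.rooms")
})
class Hotel {
    @Id @GeneratedValue private Long id;
    private String name;
    private String town;
    @OneToMany(mappedBy = "hotel") private List<Room> rooms;

    public String getName() { return name; }
    public String getTown() { return town; }
    public List<Room> getRooms() { return rooms; }
}

@Entity
class Room {
    @Id @GeneratedValue private Long id;
    private int number;
    @ManyToOne private Hotel hotel;   // owning side of Hotel.rooms
}

class HotelDao {
    private final EntityManager em;
    HotelDao(EntityManager em) { this.em = em; }

    // 1. Dynamic query: composed and parsed at run time (errors surface here).
    List<Hotel> allSortedByName() {
        TypedQuery<Hotel> q = em.createQuery("SELECT h FROM Hotel h ORDER BY h.name", Hotel.class);
        return q.getResultList();
    }

    // 2. Named query: looked up by name; the JPA QL text lives on the entity.
    List<Hotel> inTown(String town) {
        return em.createNamedQuery("Hotel.byTown", Hotel.class)
                 .setParameter("town", town)
                 .getResultList();
    }

    // 3. Native SQL for a vendor-specific construct; still uses a bound parameter.
    //    Table/column names are assumed (hotel, room, hotel_id).
    @SuppressWarnings("unchecked")
    List<Hotel> withMoreRoomsThanNative(int minRooms) {
        return em.createNativeQuery(
                "SELECT h.* FROM hotel h WHERE "
              + "(SELECT COUNT(*) FROM room r WHERE r.hotel_id = h.id) > ?1", Hotel.class)
                 .setParameter(1, minRooms)
                 .getResultList();
    }

    // LIKE filter, the risky way: the user's text becomes part of the query string,
    // so a quote character in the input changes the meaning of the query (injection).
    List<Hotel> nameLikeUnsafe(String fragment) {
        return em.createQuery(
                "SELECT h FROM Hotel h WHERE h.name LIKE '%" + fragment + "%'", Hotel.class)
                 .getResultList();
    }

    // LIKE filter, the safe way: the wildcards are added to the VALUE, which is bound
    // as a parameter, so the query text is fixed whatever the input contains.
    List<Hotel> nameLike(String fragment) {
        String pattern = "%" + escapeLike(fragment) + "%";
        return em.createQuery(
                "SELECT h FROM Hotel h WHERE h.name LIKE :name ESCAPE '!'", Hotel.class)
                 .setParameter("name", pattern)
                 .getResultList();
    }

    // Binding stops injection but not wildcard abuse: a '%' or '_' typed by the user
    // would still act as a wildcard inside the bound value, so escape those as well.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public static void main(String[] args) {
        EntityManagerFactory emf = Persistence.createEntityManagerFactory("hotels"); // assumed unit
        EntityManager em = emf.createEntityManager();
        try {
            HotelDao dao = new HotelDao(em);
            for (Hotel h : dao.nameLike("Nai")) {
                System.out.println(h.getName() + " (" + h.getTown() + ")");
            }
        } finally {
            em.close();
            emf.close();
        }
    }
}
```

The ESCAPE clause is part of the JPA QL LIKE expression; the escape character must also be escaped in the value, which escapeLike does by doubling it.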

October 7, 2009 Posted by imma | Development | | No Comments Yet

Rising Functional Programming

The expected shift of computer processing to an even greater degree of parallelism has sparked interest in new ways of developing software that will take full advantage of the horizontal increase in processing power. The key area that has received the bulk of attention is programming languages and tools. In a many-core world (as opposed to what is now called multi-core), shared state becomes very tricky, so most of the mainstream programming languages would be difficult to use in producing software. While almost all the mainstream imperative languages do have a library to enable the development of code capable of parallelism, most of these methods are not baked into the language and sometimes the initial design of the language itself gets in the way. In the design of most of the mainstream imperative programming languages, immutable data types are rare or sometimes completely non-existent altogether.

Increased interest in functional programming languages has given rise to new languages that serve as an adequate bridge between the existing imperative programming mindset and the much needed shift to a world of parallelism. Functional programming is certainly not new, as many of the techniques have been implemented in languages like Scheme, Haskell and Erlang, amongst others. However, these languages and the ideas that they implement have largely remained in academic circles until recently, when the software industry has taken a more proactive role in transferring the knowledge of academia to the industry. Programming languages like F# and Scala borrow heavily from the aforementioned pioneers of functional programming.

The newest in this growing list of new programming languages is Google’s Noop. The following is a description of Noop from the project’s web site:

… new language experiment that attempts to blend the best lessons of languages old and new, while syntactically encouraging what we believe to be good coding practices and discouraging the worst offenses. Noop is initially targeted to run on the Java Virtual Machine.

The basic assumptions in the design and development of Noop are certainly interesting. Integrating testing into the programming language can greatly improve code quality, and making the language truly object oriented will improve its readability. I have found functional programming languages to have a pleasantly concise syntax that effortlessly achieves what would have required a ton of boilerplate code in supposedly OO languages like Java or C#, which include primitive data types.

October 6, 2009 Posted by imma | Architecture & Design, Development, IT | | No Comments Yet

Who Owns Your Computer Anyway?

On the face of it, that is a rather silly question since within it lies the answer. Software is an important component of your computing experience – without it, you would not have a computer in the first place. However, having installed countless pieces of software of varying licenses, I have come to wonder what an End User License Agreement (EULA) really means.

It is a legal document as far as I can tell, so the wisdom of putting it in front of a lay person to indicate (with a handy little button) acceptance or refusal seems rather illogical. I have done my best to try to go through some of these licenses, but the legalese is just too convoluted to make any immediate sense. In a perfect world, you would retain a lawyer who would then break it down accordingly and explain to you what the license means and does not mean. The practicality of marching down to your lawyer every time you want to install a piece of software seems rather counterproductive at the very least.

These licenses are an integral feature of proprietary software in that there is a real chance that you may be breaking the law if you don’t abide by the stipulations contained therein. As they like to say, I am not a lawyer, but I would expect that for anything to hold in a court of law (more so the act of entering an agreement), the parties should understand what their respective obligations are. Without a lawyer present, any chance of making sense of an EULA for a lay person is slim at best.

Once you have installed the software (after appropriately agreeing to the terms of the EULA), do you have ownership of the software that is currently installed on your computer? With a proprietary piece of code, you don’t own it of course, hence the EULA is likely to explain that you are not supposed to reverse engineer it or tamper with it in any way. However, the EULA is also likely to stipulate that if you lose your precious data as a result of using the program in question, the producer of the software is not responsible. Such a situation makes you want to know why exactly you are paying for the software in the first place; for all intents and purposes it may not work as advertised and you have no legal recourse for any harm that may have resulted from your use of the software.

And there are software manufacturers whose programs behave more like Trojan horses. You install a single piece of software from a company, and the next time you are updating it (or, even better, the software you installed has an auto-update feature which periodically checks for updates) the problem appears: the update would also, in addition to suggesting the new release, install additional, unrelated software on to your machine. In a sense the original program acts like a gateway for the software manufacturer to invite even more software onto your hard disk.

This constant need to outdo each other in order to gain the end user’s favor does essentially look remarkably like what a virus writer would do. I recently had to update the Windows Live suite produced by Microsoft and somewhere along the way I checked a box that would allow it to change the home page and default search engine on my browser, which in this case I assumed (since Windows Live is a Microsoft product) would apply to and only affect Internet Explorer. The default search engine for address bar search on my Firefox installation is now Bing … no, I didn’t want Bing, and there is no simple way of undoing that settings change. In yet another trespass, a .NET plug-in was installed in my Firefox while I was installing something completely unrelated.

With increased competition and jockeying for dominance, major industry players are hacking each other to bits. Google’s decision to integrate their Chrome browser into Internet Explorer using a plug-in seems like a good move on the surface, and understandably so, but then again there are far greater implications of control and ownership with such a move. As Mozilla points out, it confuses the boundaries between where Internet Explorer is and where things happen because of Chrome’s extension. It is easy to get excited at the thought of Google putting its engineering prowess to work and bringing cutting edge technologies to the most dominant browser in the market, but it has far greater implications than just new technologies. The very introduction of new technologies suggests that bugs will be discovered, so keeping the boundaries between software components clear is good, as this enables proactive management.

The Windows operating system has a number of utilities that have come up to address weaknesses in the manner in which the operating system runs and manages itself and the programs that have been installed on it. Recently, I had the misfortune of a failed installation: the installation process of a program stopped prematurely, and this meant that the program’s uninstaller was not installed. This became a problem that could not easily be fixed using the Windows Control Panel because I was not able to remove the program. I attempted to reinstall the program in an effort to get the uninstaller in place, but I was not able to reinstall since the said program was supposedly already installed successfully. Just deleting the program would be the most logical thing to do, but traces of the software would still remain in the registry and hence lead to a slower system in the long run. This particular situation illustrates a very common problem with most software running on Windows: it is much easier to get a program installed than it is to get it removed/uninstalled properly. There are countless pieces of software that leave their skeletal remains on the hard disk and in the Windows Registry. Such sloppiness shows a disregard for the ownership of the computer hardware on which the software runs, including the operating system.

In closing, users will want and should get the latest and the greatest software available on the market, but software producers need to allow users to kick them out of their hard disks and do so with finality and assurance that there are no skeletons left on the hard disk or in the registry. Even more importantly, stop with the production of Trojan horses. The fact that I downloaded and use iTunes does not mean that I either desire or want the latest and greatest version of Safari.

Would you not prefer to have the tools to remain in control of your computer?

October 5, 2009 Posted by imma | IT | | No Comments Yet

The Open Source Movement

In modern times any discussion of open source is bound to stir up the most heated exchange of words, views, opinions and perhaps even insults. Yet what becomes obvious upon a closer examination of the debate is that the people debating the subject either take a narrow view of open source or perhaps just defend a smaller section of it. Increasingly, the debate surrounding open source and closed source is best understood and left as a choice that should be exercised in light of circumstances.

What gets lost in the middle of the flame war is the fact that open source is first and foremost a movement that is largely community driven and that espouses the sharing of effort, thus requiring that the products of the movement be accessible to all members of the community. Note that such a view of open source does not automatically suggest a particular preference for, and sole domination by, IT professionals of varying skills and interests. The nature of the movement and participation in it can accommodate both individuals and large corporations alike.

The very nature of the movement does not require that organizations denounce any other ideologies that they may have so that they can leverage what the open source movement has to offer. Companies like Yahoo, Google and others are heavy users of open source, but the largely open and free services that they offer are as proprietary as Microsoft’s Windows and Office suites. As an example of Google’s proprietary holdings, the company issued a cease and desist order against a participant in the open source community built around Android.

Increased use of open source products to create services also makes the movement much more formidable compared to other competing ideologies – more specifically perhaps ideologies that may come into conflict with particular aspects of open source such as code sharing.

Any mention of the champions of closed source or proprietary software development would bring out Microsoft on top of the list but as a matter of fact Microsoft is no stranger to open source though it is certainly more openly opportunistic and no doubt looks out for its own survival as a money making venture. However over the years, Microsoft has demonstrated exceptional ability to emulate the advantages that naturally occur in the open source movement because of its participatory nature and community approach to software development. Windows 7 has been tested much more widely with Microsoft’s development team actively encouraging feedback so as to continue to make adjustments and improvements. Windows 7 is the most visible example of how Microsoft has managed to create a buzz around a release much earlier on than has been the norm. With most Microsoft products, CTPs (Community Technology Previews) have become much more common in recent years than earlier on.

The need to release software as open source is more often than not a strategic move that is aimed at commoditizing a market. I am not aware of any companies that create a unique or market-leading product and choose to release it as open source. Open sourcing usually targets products that do not have market share as yet and/or whose creators are not able to provide the support necessary to bring it to any appreciable level of dominance in the market. Once again, this practice is used by companies that espouse closed-source software development as well as those that rely heavily on open source.

Commercial open source is where the business should be and where the money-making opportunities will and should arise. One of the main features of closed-source software is that the barrier to entry is usually high, such that simple human ingenuity may not be enough to come up with something unique and different. With such a barrier to entry, open source becomes a fundamentally attractive option for governments whose aims and objectives will and should include the cultivation and development of a software development industry within their respective borders.

Some of the best known companies in the world at the moment had their start in universities and schools. Yes, Microsoft does offer access to its source code for academic research, but how possible is it to come up with products and/or services that build on your knowledge, understanding and modification of the source code that Microsoft provides access to? This is perhaps one of the reasons why many of the more recent start-ups tend to build their infrastructure on open source tools and platforms. Microsoft is certainly aware of this and has had a number of initiatives targeted at students to encourage them to build their businesses on Microsoft technologies and tools, but such efforts will be limited by how well Microsoft can tap into and harness a sense of community and adventurous exploration of its platforms, with the possible benefit of making it to the big leagues, as has been proven by the current darlings of social networking that were started in campus dorm rooms using available and accessible open source tools and platforms.

While Microsoft’s and other proprietary companies’ efforts to encourage students to look at their platforms and build on them do offer the semblance of openness, they remain both myopic and deeply misguided. Take an example of any third world country and pose this question: how likely is it for the country to have a Windows kernel expert? It is not at all impossible, but how practical is it to cultivate such a level of expertise? How much effort would it take to nurture and grow a Linux/BSD kernel expert in any third world country? Given the nature of source control and management at a proprietary company compared with the source control in the open source movement, it would be obvious that an open source product is much more likely to spawn a low-level expert on the inner workings of any particular product or service.

In conclusion, open source encompasses a lot more than just sharing code and the associated licenses that dictate how sharing happens. It is, at its core, a movement that can accommodate both corporations and individuals who can identify with the spirit of the movement and hence become members. As a movement there are various roles that require different skills, hence everyone with a talent can contribute to the well-being of the movement. Open source does provide the best opportunity for governments (third world countries to be exact) to cultivate a vibrant ICT industry within their jurisdiction.

October 1, 2009 Posted by imma | Open Source Matters | | No Comments Yet