Menagerie

Differences and Similarities

I woke up this afternoon after 14 hours of sleep, crash of a pleasant kind, with this question:

Is it better to see differences ahead of similarities?

I tend to see differences first and then examine the similarities, oftentimes over a long period of time, forming a spiral of thoughts and leaving a sense of same but different, just as I see people's lives and markets moving in spiral columns.  If I saw the similarities first, I would not be moving at all and would form a straight line, just as a piece of rock makes a straight line in time.  Hogwash?  Maybe, maybe not.

Are blogs just diaries or web pages?  Is social software just hype-covered groupware?  I think the answers depend on whether one sees differences before similarities.

Financial Services

Yesterday, I had a nice talk with Scott Loftessness and Russ Jones, of Glenbrook Partners, about how weblog and syndicated data technologies will change the landscape of financial services in the near future.  It was one of those productive talks that helped clarify our visions.  Maybe it was the stress of the clarity that caused me to sleep too much, like when I get a new pair of glasses and see everything near and far in sharp focus.

Sharing Pictures and Toons with One-liners

Every picture tells a story.  False.  Every picture tells different stories to different people.  Why not let them share what they heard?

Imagine a blog where a post is just a picture or toon with nothing else but a form that looks like the comment entry form.  Readers of such a blog either look at the picture and write the story the picture tells them, or copy a picture with a story they like to their own blog to share with others.

We get the blogosphere equivalent of daily cartoons.  Little mind snacks.  If this doesn't blow your mind, you have my condolences.

Phishmark and PhishGuard

My Secure UI post will have to be postponed until Monday.  Meanwhile, I got a name for the idea: Phishmark.  I am also planning to write a small downloadable client that implements a simplified version of the idea.  Since I am in the naming mood, I named it PhishGuard.  I'll probably throw other related ideas into that as well over time, because phishmarking doesn't cover all the bases.  Until then, so long and thanks for all the phish.

Funny Side of Open Source

I read this really funny sequence of comments on Hani's recent post about a spat between Bob Lee, who contributed some AOP code to the JBoss 4.0 effort, and Marc Fleury, fearless leader of JBoss.

Marc Fleury

Hani, perhaps you could name your sources… CDN? Cameron? chiara? carlos V who seems to have a thing for my wife? cedric? rickard? the list goes on when you are as popular as we are and talk the way I do…

Anonymous1

Hey Carlos, since when do you have a thing for Mrs. Fleury? Marc doesn't seem to mind – that's the real spirit of open source: LGPL your wife.

Marc Fleury

jon tirsen: are you pissed off because I called IoC "gay"? I am sorry if you took that personally, that was just my view on the technology.

So once and for all
I WILL HUNT YOU ALL DOWN FOR TRYING TO PROFIT FROM THE INTERNET. THE INTERNET BELONGS TO JBOSS AND ME ME ME AND ANY OF YOU TRYING TO USE IT AND PAY JBOSS ZERO DOLLARS WILL PAY IN BLOOD SWEAT TOIL AND TEARS!!!!

And as a night cap for all you bad boys out there. I heard from a friend of a friend of a friend (who might be as reliable as hani's source) who mentioned JBoss to Alfred Chuang from BEA and I quote "he flipped a switch, he said JBoss was a crazy company that had STOLEN THEIR CODE (!!!!!!!) but that he couldn't sue us because he was afraid for his life". Now THAT is pretty crazy.

Anonymous2

LGPL Mrs Fleury? Wow, I'll have a piece of that!

But knowing Dr Marc he wouldn't go for that license. He would go for the GPL. The GPL would require you give your wife back in return.

Let's even not get started on the BSD license, with the BSD you can take the wife and run.

1456

Actually GPL would require that you released any progeny back to the community. That's just wrong in so many ways.

Bob Lee

Can we pull the sticks out of our asses and stop taking ourselves so seriously?

Jon Tirsen

And by all means keep calling IoC "gay" I certainly don't mind. It's trendy to be "gay".

Looks like open source communities take their openness seriously.  I have heard of many hilarious spats like this before, but never out in the open like this.

Thanks to the guys for the ROFL.  I needed the exercise.

Visual Illusions

This post is a follow-up to the Visual Spoofing post, in which I demonstrated a serious visual vulnerability of browsers and alluded to a deeper problem.

Most of the readers who saw the demo thought of it as a hole in the browser code.  Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display the URL of the page and the statusbar used to display the golden lock.  But there is also a hole in our brain, one that people like Diego Doval zeroed in on right away.

You see, the computer screen you are reading this post on is actually showing just a rectangular array of pixels.  There is no such thing as windows or buttons.  Instead, there are pixel patterns we call windows or buttons.  It is we, the users, who associate the idea of windows and buttons with those patterns of pixels.

From this perspective, a browser window is a rectangular array of pixels under the full control of someone else, full control meaning any pattern of pixels can be displayed, including those 'sacred' patterns we see as 'windows' or 'buttons'.  The illusion of depth, commonly used to convey the concept of overlapping windows, can also be duplicated.

Even if one can't hide the real toolbar and statusbar, clever visual illusions will trick a sufficient number of people to make the approach lucrative for crooks.  If you think you can't be fooled, you should visit a magician near you.

The bottom line is that when you open a browser window, you are also opening a window of vulnerability, a window through which bad guys can trick you into exposing critical secrets such as passwords.  Now expand that scary thought to include software you willingly installed onto your system, and you will find yourself hesitating the next time you reach for the power button.

As I mentioned before, I will be discussing a solution to this problem in a post titled 'Secure UI'.  The solution won't close the window, but I believe it shrinks the window down to, hopefully, an acceptable size.

See Also: Visual Spoofing, Secure UI: Phishmarking

Don Park’s Fireside/Beachside Chats

Franklin D. Roosevelt made radio addresses by a fireplace, called Fireside Chats, which I have always admired.  I have been to a few Blogger's Dinners and Geek Dinners but never felt satisfied coming back home because, while I met many people, the conversations weren't deep enough.  I could chat online with practically anyone on earth, but such virtual exchanges are not as immersive as face-to-face conversations.

So I am thinking about having a fireside chat once a month with a handful of guests.  I don't have a location picked out yet, but it should be a cozy spot somewhere on the Peninsula, maybe a back room of a bar or restaurant.  There was a nice little bar just off Highway 92 at the top of the mountain range that I visited a long time ago which would be perfect, but I am not sure if it is still there.

During the summer, it can be held during the day at a beach (Half Moon Bay?) on weekends with cold beer.  What do you guys think?

Visual Spoofing

While Microsoft recently patched a URL-based spoofing vulnerability, a whole new class of spoofing exists for browsers: Visual Spoofing.  I have not yet seen any evidence of this type of spoofing actually being done, but I was able to create a demo in less than an hour.

Here is the demo of visual spoofing for IE6 I put together.  Note that the vulnerability is not unique to IE.

The problem with visual spoofing is that it is difficult to fix with a simple patch.  Yes, there are ways to fix the problem partially, but I don't see a way to remove it completely, because hackers can still create a page with images of overlapping windows to distract the clueless user who tends to keep many windows open.

Update:

While thinking about tigers this afternoon, I stumbled onto an idea that could minimize the vulnerability, including the 'deeper problem', down to an acceptable level.  Why was I thinking of tigers?  I have no idea.  Anyhow, I'll post about it in the next day or two (look for a post titled 'Secure UI') after I explain the 'deeper problem'.

Boy, I feel better already.

See Also: Visual Illusions, Secure UI: Phishmarking