Foreplay with e4Graph

I played a bit with e4Graph early this morning to store some XML documents.  e4Graph database files were about 1.5 times larger than the XML files.  Not bad, although I suspect there is some room for improvement since XML files compress well.  The good news is that every element and attribute in the XML file is stored as nodes and vertices of a graph.  Cool.

The bad news was that it was somewhat slow in converting XML files into graphs.  But it should be just fine for most client-side applications.  I am going to test node insert, query, and navigation performance later.

P2P NG: Darknets

Robert Kaye, creatively-titled Mayhem & Chaos Coordinator of MusicBrainz, has an interesting article titled 'Next-Generation File Sharing with Social Networks' in which he talks about the social, legal, and technical issues of Darknets, private secure P2P networks built around social networks.

He recommends an SSH-based protocol with interesting techniques like Port Knocking (as in secret knocks) and media identifiers like the ones Bitzi and MusicBrainz provide.  Port Knocking, in particular, got me chuckling.  The idea, described as a system for stealthy authentication across closed ports, is to use a secret pattern of connection attempts to a series of closed and logged ports.  Unless the right pattern is used, the server either refuses the connection or acts innocent by providing some bogus service.
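As an added illustration (not from Robert's article or this post), here is the server side of the knock check described above: a small matcher that walks constructed firewall log lines of attempts on closed, logged ports and treats a source as authenticated only when the exact secret sequence arrives in order within a short window. The log format, the knock ports and the window are assumptions.

```python
import re

# Constructed firewall log lines: attempts on closed-but-logged ports.
# The format "<unix time> DROP <source> -> <port>" is an assumption.
LOG_LINES = [
    "1710000001 DROP 198.51.100.7 -> 7000",
    "1710000002 DROP 198.51.100.7 -> 8000",
    "1710000003 DROP 198.51.100.7 -> 9000",   # correct sequence, in time
    "1710000001 DROP 203.0.113.9 -> 7000",
    "1710000002 DROP 203.0.113.9 -> 9000",    # wrong order: progress resets
    "1710000003 DROP 203.0.113.9 -> 8000",
    "1710000010 DROP 192.0.2.4 -> 7000",
    "1710000100 DROP 192.0.2.4 -> 8000",      # too slow: window expired
    "1710000101 DROP 192.0.2.4 -> 9000",
]

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the secret knock (assumed)
WINDOW_SECONDS = 10                   # whole sequence must land within this

LINE_RE = re.compile(r"^(\d+) DROP (\S+) -> (\d+)$")

def parse(line):
    """Return (timestamp, source, port) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    return (int(m[1]), m[2], int(m[3])) if m else None

def authenticated_sources(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Sources that completed the knock.  Per source we keep (next index, time of
    first knock).  A wrong port or an expired window resets progress, so anything
    but the exact ordered pattern stays an ordinary dropped attempt."""
    progress, opened = {}, set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, port = rec
        idx, started = progress.get(src, (0, ts))
        if idx > 0 and ts - started > window:
            idx = 0                        # expired: start over
        if port == sequence[idx]:
            if idx == 0:
                started = ts               # first knock opens the window
            idx += 1
        elif port == sequence[0]:
            idx, started = 1, ts           # wrong knock, but a fresh first knock
        else:
            idx = 0                        # wrong knock: reset silently
        if idx == len(sequence):
            opened.add(src)                # pattern complete: admit this source
            idx = 0
        progress[src] = (idx, started)
    return opened
```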

Robert also analyzed the attack model using RIAA as the bad guys.

  1. Server attack: The central server gets hacked, raided by legal attackers, or otherwise compromised. Since the server operates blindly with respect to what the clients are doing, the server contains no incriminating evidence. The attacker cannot tell a recipe-trading network from a movie-trading network. At worst, the IP addresses of the members can be exposed and those must be pursued with a John Doe lawsuit.
  2. Client attack: A client gets hacked, raided by legal attackers, or otherwise compromised. The compromised client could potentially continue operating and collect the IP addresses of everyone in the network. Incriminating behavior could be observed.
  3. Social client attack: An attacker gets invited to the network and starts participating in the network. Over time, the attacker can collect all of the IP addresses of the members and possibly observe incriminating behavior.

While the article was interesting, Darknets are doomed IMHO because of #3: social client attack.  All the RIAA has to do is offer financial incentives to encourage people to infiltrate or betray Darknets.  His defense seems to be that Darknets are protected by being a more difficult or costly target to chase than easier targets like Kazaa.  I disagree because financial incentives are paid out only when results are delivered.

Technorati’s New Look

I love it.  Technorati is updating its page design and I am watching it as it happens at 2AM.

A note to Dave Sifry: I like the alternate background coloring, Dave.  I also like the conversation thingy except I don't want to click on all the conversations.  Reflect the LOUDNESS of the conversation behind each entry with some visual hint (i.e. icon count, color, size) so I can zero in on the center of the noise.

TypeKey and Corporate Blogging

While TypeKey will be controversial, I think the need for such a service for corporate use of blogs should not be.  Corporate blogs are going to be fairly stringent against inappropriate comments and, without strong comment management capabilities, the cost of maintaining corporate blogs will be too high.

A comment management feature I have yet to see anywhere is the ability to transfer comments from one blog to another.  Such a feature can be used to move customer complaints lodged at a company's marketing blog to their customer complaint blog.

Speaking of corporate blogging, Corporate Blogger's Dinner will be held this Wednesday in San Francisco.  Be there.  BTW, anyone bringing up political issues will be beaten silly with teriyaki chicken.

Phishing at PayPal

Crooks are hard workers, working even on weekends.  PayPal was the target this Saturday.

Jesus R. Distilling?  Hmm.  This one looks muted and doesn't even use the PayPal brand power.  The stick is 'attempt of unauthorized penetration'.  A more sophisticated attempt could involve actually triggering a real PayPal notification and then weaving into the message exchange with a similar looking From address and appearance.

BTW, the link above goes to:

The crook is trying to take advantage of the URL display bug that Microsoft recently patched.  Obviously, SR SkinCare, a legit site, was penetrated and enslaved into relaying PayPal passwords to some other destination.  I will give them a call on Monday.  Maybe they will give me a free skincare session for delivering the bad news.  Heh.

I think it would be informative to talk to one of the skilled phishers.  If you are such a person and not a clueless newbie, please contact me via e-mail or through blog comments.  Don't worry about me tracking you down because I am more interested in getting the inside stories and how the numbers work.  Besides, if you know what you are doing, you shouldn't have any problem avoiding being traced.


I had to replace the URL hack above with an image because the text version was triggering some anti-virus software.  How are we supposed to discuss phishing with overly sensitive anti-virus hounding us?

WTL 7.1

Wow.  Did you know WTL 7.1 was released back in December?  Sheesh.  I've been hobbling along with a version of WTL 7.0 I hacked to get it working under VS.NET 2003 and I didn't know about WTL 7.1 until now.  It has a nice set of bug fixes, VS.NET 2003 compatibility, and works under CE too.  Nice!  Microsoft should either put more resources behind WTL or make it public domain so WTL developers like me can keep updating it.

FYI, WTL is an extension of ATL, a set of C++ templates for writing lean and mean Win32 software.

Candle Vigils in Korea

Korean citizens have been holding candle vigils since March 12th but it just keeps getting bigger.  Check out these amazing pictures from OhmyNews.

Candle vigils like this were held at 43 locations around the country on the 20th.

They were well organized too.  Look at the lines and blocks of people.

Wow.  That's a lot of candles.

Breaking Up the Medical Practice

Last Thursday, my son fell off his bike and hurt his left arm so I spent the afternoon at the hospital.  My past experiences with doctors and hospitals are 90% frustration and it was no different this time.  I think the medical practice can be overhauled to let trained professionals other than doctors handle mundane medical treatments, which should result in:

  • more affordable health care
  • reduce health insurance costs
  • higher quality of service
  • less waiting
  • fewer forms
  • create more jobs
  • improve local economy

The main idea is to encourage specialization and leverage technology to allow clusters of medical service 'stores' to spring up.  You can go to an X-ray shop to get an X-ray without making appointments, as if it was a photo shop.  Next door is the X-ray diagnosis service which uses a remote pool of specialist doctors to assist in difficult cases.  To get a splint or a cast, go to the bone shop where someone who is truly skilled in splints and casts will provide you with better service than average nurses and doctors.  Nearby is a store specializing in medical supplies.  Another store could sell books and videos that help people treat minor injuries themselves.

As to the issue of liability, stores are individually owned so they can be closed down for malpractice without threatening the rest of the 'medical mall'.

Maybe I am dreaming, but I think this is possible.  If not, some other solution must be found because I just don't see the medical system changing for the better in the future without a drastic change like the one I am proposing.


Six Apart is planning to introduce an authentication service called TypeKey to control comment spamming.  Not much detail has been released yet, but I think such a service will be good for the blogosphere as long as it is done right.  A typical cause of failure for such schemes is unnecessarily tight security.

Security is a relative word after all and I don't think security requirements for blogging are stringent enough to call for draconian measures that will surely discourage commenting.  Also, I feel that some room should be made for misbehaviors.

One such scheme is to separate the comments into two groups: good comments and unknown comments.  Unknown comments are displayed away from good comments and are decayed over time to avoid pileups.

When a comment is posted, the comment server checks to see if the commenter has a 'blogger-cookie' and whether it was given 'welcome' status by the blog.  If so, then the comment is considered good.  If the cookie is missing or is not granted 'welcome' status, then the comment is unknown.  'Welcome' status is granted by the blog owner while sifting through the unknown comments.  'Welcome' status can be revoked with a single click or via checkboxes.

Unfortunately, I think Six Apart's plan is more ambitious which could spell trouble ahead for Six Apart and MT users.  I hope they make the right decisions.


TypeKey seems to have caused a firestorm of posts, mostly negative or skeptical.  Scott Loftesness, a mother lode of rich knowledge and experience on consumer authentication, has a more positive opinion.  My experience with authentication is limited to design and implementation, but I also think the privacy issue is overblown, particularly since search engines can find my comments anyway.  Yes, it takes some effort to collect them all, but one doesn't need to read them all to form an opinion about me.

Here is a pseudo-code version of an alternate decentralized solution which I amusingly named TypoKey:

on comment submit:
   if has typokey cookie
      if typokey is valid and approved
         comment is good
      else
         comment is unknown
   else
      set typokey cookie
      comment is unknown

As I mentioned above, good comments differ from unknown comments in that they are displayed at a more convenient location and persist longer.  If the commenter does not wish to use typokey, then they can choose not to by disabling cookies or by not checking the 'check-me' checkbox, although their comments will be classified as unknown.
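To make the scheme concrete, here is an added Python sketch of the TypoKey check (example code, not from this post or from Six Apart): the typokey cookie is a signed token so that 'valid' means this server minted it, 'approved' is the owner-granted welcome status, and unknown comments decay after a TTL. The signing secret and the TTL are assumptions, and it goes one step beyond the pseudo-code by treating a forged cookie like a missing one.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret"  # assumed: the blog's signing key
WELCOME = set()                              # typokey ids granted 'welcome' status
UNKNOWN_TTL = 7 * 24 * 3600                  # unknown comments decay after 7 days (assumed)

def _sign(key_id):
    return hmac.new(SERVER_SECRET, key_id.encode(), hashlib.sha256).hexdigest()[:32]

def issue_typokey():
    """Mint a new typokey cookie: random id plus a signature only this server can make."""
    key_id = secrets.token_hex(8)
    return f"{key_id}.{_sign(key_id)}"

def is_valid(cookie):
    """Valid means the signature checks out, so a commenter cannot forge or edit one."""
    if not cookie or "." not in cookie:
        return False
    key_id, sig = cookie.split(".", 1)
    return hmac.compare_digest(sig, _sign(key_id))

def classify(cookie, check_me=True):
    """Return (status, cookie_to_set) for a submitted comment.
    A valid and approved typokey makes the comment good; a valid but unapproved
    one leaves it unknown; a missing (or forged) cookie gets a fresh typokey set
    in the response and the comment is unknown."""
    if not check_me:
        return "unknown", None              # commenter opted out: nothing is set
    if is_valid(cookie):
        key_id = cookie.split(".", 1)[0]
        return ("good" if key_id in WELCOME else "unknown"), None
    return "unknown", issue_typokey()

def grant_welcome(cookie):
    """Blog owner approves a commenter while sifting through unknown comments."""
    WELCOME.add(cookie.split(".", 1)[0])

def revoke_welcome(cookie):
    """Single-click revocation."""
    WELCOME.discard(cookie.split(".", 1)[0])

def live_comments(comments, now):
    """Good comments persist; unknown ones decay once older than UNKNOWN_TTL."""
    return [c for c in comments
            if c["status"] == "good" or now - c["ts"] <= UNKNOWN_TTL]
```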

Checking check-me checkbox?  Heehee.