Striking HP Off My List

Now these CNET articles on HP are really creeping me out:

HP began tracking the phone records of CNET News.com reporter Dawn Kawamoto on Jan. 17, Kawamoto said she was told on Tuesday. That was about a week after a January strategy meeting for directors and executives, but six days before News.com published its Jan. 23 story about the meeting.

News.com reporter Tom Krazit also was told by investigators that his personal phone records were accessed on Jan. 20, the same day he called HP spokesman Robert Sherbin for comment about the board meeting.

I am not into ragging on and on about a topic. When something creeps me out, I deal with it and move on. Short of turning myself into an activist, I am going to just exercise my rights as a consumer/investor: refusing to buy. So I am just going to strike HP off my shopping list and not invest in HP stock, regardless of how cheap it looks, until the word 'HP' no longer disgusts me.

I am now done with this topic for at least a year.

Goodbye RSAS

It's funny how a stock symbol can disappear just like that. I knew the EMC acquisition was happening sometime this month but I've been busy so I didn't know it happened over the weekend. I checked the market as usual this morning and noticed RSAS was gone. Poof. Not a trace.

So long RSAS. You've been good to me.

NOFOLLOW NOSAFE GET

I hereby propose that all anchor tags marked with

rel='nofollow nosafe'

are links which may take non-idempotent actions (e.g. delete) when followed. The intention is to give tools like Google Web Accelerator enough hints for them to steer clear of such links. I really wish the anchor tag ('a') had the 'method' attribute like the 'form' tag does, but I don't have time to wait until W3C remodels hell and I am not going to waste my time with idiotic and cumbersome workaround solutions, so this will have to do.

As to why both: nofollow is already known, and nosafe is more appropriate.

If you are going to do the same, link to this post.

Update:

Based on feedback, I've renamed the unsafe REL value to nosafe because 'unsafe' is a common word.

I need to explain what I am trying to accomplish with the nosafe REL proposal. I am not expecting everyone to put the proposal into practice because a) I am not crazy, and b) I think that only a small number of web sites need to use nosafe to make it sensible for developers to make their software nosafe-aware.

If I were writing a GWA-like tool, I would want to reduce the abrasive surface area as much as possible. It would be irresponsible of me to not take advantage of hints like nosafe REL, even if only a small number of websites used it.
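What the prefetcher side of this looks like, as an added example that is not code from the post or from any real prefetcher: rel is a whitespace-separated, case-insensitive token list, so the tool only has to refuse to issue a GET for any anchor carrying nofollow or nosafe. The sample page is constructed. Keep in mind that the hint only protects against well-behaved prefetchers; a link that changes state on GET can still be triggered by any page the user visits, so nosafe is a defence for tools, not a substitute for using POST.

```python
"""Prefetcher-side handling of rel="nofollow nosafe" (added example, not from the post)."""
from html.parser import HTMLParser

# Tokens that tell a prefetcher or crawler to leave the link alone.
# 'nosafe' is the value proposed in the post; 'nofollow' is already widely understood.
DO_NOT_PREFETCH = {"nofollow", "nosafe"}


def rel_tokens(rel):
    """rel is a whitespace-separated, case-insensitive token list."""
    return {token.lower() for token in (rel or "").split()}


def is_safe_to_prefetch(attrs):
    """Decide whether a GET for this anchor may be issued without a user gesture.

    attrs is the list of (name, value) pairs HTMLParser hands to handle_starttag.
    Anything that is not a plain navigable URL is refused too; a prefetcher has
    nothing useful to do with fragments or javascript: links.
    """
    a = dict(attrs)
    href = (a.get("href") or "").strip()
    if not href or href.startswith(("#", "javascript:", "mailto:")):
        return False
    return not (rel_tokens(a.get("rel")) & DO_NOT_PREFETCH)


class LinkPlanner(HTMLParser):
    """Collects anchors from a page and sorts them into prefetch/skip lists."""

    def __init__(self):
        super().__init__()
        self.prefetch = []
        self.skipped = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        (self.prefetch if is_safe_to_prefetch(attrs) else self.skipped).append(href)


def plan_prefetch(html):
    """Return (links a prefetcher may fetch, links it must leave to the user)."""
    planner = LinkPlanner()
    planner.feed(html)
    planner.close()
    return planner.prefetch, planner.skipped


# Constructed sample page: the delete links are the ones a GET-prefetcher would
# otherwise trigger on the user's behalf.
SAMPLE_PAGE = """
<ul>
  <li><a href="/posts/42">Read post 42</a></li>
  <li><a href="/posts/42/delete" rel="nofollow nosafe">Delete post 42</a></li>
  <li><a href="/posts/43/delete" rel="NOSAFE">Delete post 43</a></li>
  <li><a href="/logout" rel="nofollow">Log out</a></li>
  <li><a href="#top">Top</a></li>
</ul>
"""

if __name__ == "__main__":
    fetch, skip = plan_prefetch(SAMPLE_PAGE)
    print("prefetch:", fetch)   # ['/posts/42']
    print("skip:", skip)
```

The token check is deliberately set-based: `rel="noopener nosafe"` or `rel="NOSAFE"` is refused just like the canonical form, which matters because real markup is rarely tidy.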

Slowing Down Attackers

While on the subject of sanitizing input, I've noticed that most developers stop at defending against cross-site scripting and SQL injection. While some ill-formed inputs are unintentional, many are clearly intentional attacks designed to explore and penetrate.

IMHO, the origins of suspected attacks should be marked and the degree of certainty used to slow down responses or to return responses designed to confuse the attackers. Just one hour of IP-specific probation with slow or no service will change the attack economics enough to make your site less attractive to attackers.

Going further, information should be shared in real time and accumulated over time to push the responsibility for defense as close to the attackers as possible. If each reported attack incident stains the source IP, ISPs will take more steps to prevent their entire IP range from being painted hostile, perhaps by subscribing to incident reports involving their IP range and mapping them to accounts. Anonymous proxies and Wi-Fi hotspots will also be forced to do the same if they want to avoid being effectively shut down.
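The probation scheme from the two paragraphs above, as an added example that is not code from the post: request inputs are scored against a few narrow attack signatures, points accumulate per client IP, and once a client crosses a threshold it is served slowly, then not at all, until a one-hour probation expires. The signatures, thresholds and the access log are all constructed for the example, and the inputs are assumed to be URL-decoded already.

```python
"""Per-IP probation for suspicious input (added example, not from the post)."""
import re
from collections import defaultdict

# (label, suspicion points, pattern). The patterns are deliberately narrow so
# a single false positive cannot push a client into probation on its own.
SIGNATURES = [
    ("sqli", 3, re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+|--\s*$", re.I)),
    ("xss", 3, re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
    ("traversal", 2, re.compile(r"\.\./|%2e%2e", re.I)),
]


class AttackProbation:
    """Accumulates suspicion per client IP and returns a response policy.

    Policy is one of:
      ("serve", 0.0)      normal service
      ("slow", seconds)   serve, but only after a delay (costs the attacker time)
      ("drop", 0.0)       no service until probation expires
    """

    def __init__(self, probation_seconds=3600, slow_at=3, drop_at=6):
        self.probation_seconds = probation_seconds
        self.slow_at = slow_at
        self.drop_at = drop_at
        self.score = defaultdict(int)   # ip -> accumulated points
        self.until = {}                 # ip -> probation expiry (seconds)

    def observe(self, ip, now, *values):
        """Score the request's input values; returns the labels that matched."""
        hits = []
        for label, points, rx in SIGNATURES:
            if any(rx.search(v) for v in values):
                hits.append(label)
                self.score[ip] += points
        if hits and self.score[ip] >= self.slow_at:
            # every suspicious request restarts the probation clock
            self.until[ip] = now + self.probation_seconds
        return hits

    def policy(self, ip, now):
        """Decide how to answer this client right now."""
        expiry = self.until.get(ip)
        if expiry is None:
            return ("serve", 0.0)       # below threshold (a real deployment would decay the score)
        if expiry <= now:
            # probation is over: forget the client entirely
            self.score.pop(ip, None)
            self.until.pop(ip, None)
            return ("serve", 0.0)
        if self.score[ip] >= self.drop_at:
            return ("drop", 0.0)
        # delay grows with suspicion but is capped so a false positive is only annoying
        return ("slow", min(30.0, 2.0 * (self.score[ip] - self.slow_at + 1)))


# Constructed access log: "<seconds> <ip> <method> <path>" (query already URL-decoded).
SAMPLE_LOG = """
0    203.0.113.7   GET /search?q=shoes
1    203.0.113.7   GET /search?q=' OR '1'='1
2    203.0.113.7   GET /item?id=1 UNION SELECT user,pass FROM users
5    198.51.100.2  GET /item?id=42
9    203.0.113.7   GET /item?id=42
3700 203.0.113.7   GET /search?q=boots
"""


def replay(log_text, guard=None):
    """Run the log through the guard; returns [(ip, action, delay), ...]."""
    guard = guard or AttackProbation()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip, _method, path = line.split(None, 3)
        now = float(ts)
        guard.observe(ip, now, path)
        action, delay = guard.policy(ip, now)
        decisions.append((ip, action, delay))
    return decisions


if __name__ == "__main__":
    for ip, action, delay in replay(SAMPLE_LOG):
        print(f"{ip:14} {action:5} {delay:4.1f}s")
```

The innocent request at second 9 is still dropped: probation applies to the client, not to the individual request, which is exactly what makes further probing expensive. The second client is never touched because scores are kept per IP.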

HTMLInputFilter: HTML Input Sanitizer for Java

Joseph O'Connell announces HTMLInputFilter, an HTML input sanitizer for Java based on Cal Anderson's lib_filter for PHP (article). Joseph is looking for more people to test his open source library.

Writing and maintaining a sanitizer for complex input data like HTML is an error-prone, never-ending task that should be shared, but where are the open source Java libraries for this? Googling turns up only warnings and advice. Also, although simple input values can be easily sanitized with regular expressions, it's easy for inexperienced developers to make silly mistakes, and I think it is a waste for everyone to hand-roll one every time given that a small number of input data types will cover the majority of use cases.

I wonder why there isn't a Jakarta project for this…

Update:

HTMLInputFilter is throwing unexpected errors, which is why it needs more testers:

java.lang.IndexOutOfBoundsException: No group 5
    at java.util.regex.Matcher.group(Matcher.java:463)
    at java.util.regex.Matcher.appendReplacement(Matcher.java:730)
    at com.josephoconnell.html.HTMLInputFilter.validateEntities(HTMLInputFilter.java:470)
    at com.josephoconnell.html.HTMLInputFilter.filter(HTMLInputFilter.java:198)
    at com.docuverse.daily.filter.HTMLInputFilterAdapter.filter(HTMLInputFilterAdapter.java:22)

Don't have time to track down the cause. Also, HTMLInputFilter assumes that compiled patterns are cached internally. I remember a bug report from a long time ago but I'm not sure whether this has been implemented and, if so, in which version.
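The trace above points at a well-known trap: Matcher.appendReplacement treats `$n` in its replacement string as a group reference, so a replacement built from user text such as `&$5;` throws exactly "No group 5" unless the text is wrapped in Matcher.quoteReplacement. Whether that is the bug in HTMLInputFilter is not confirmed by the post, but it is the first thing to check at validateEntities. Python's re module has the same trap with backslash escapes, and the following added example (not code from HTMLInputFilter or lib_filter; the entity pattern and allow-list are constructed) shows the buggy shape next to the safe one.

```python
"""Why a regex replacement must never be built from user input (added example)."""
import re

# Loose entity match in the spirit of lib_filter: '&' followed by anything up to
# the next ';', '&' or end of input. Note that '\\' and '$' are legal in the body.
ENTITY_RE = re.compile(r"&([^&;]*)(?=;|&|$)")
ALLOWED_NAMED = {"amp", "lt", "gt", "quot"}   # constructed allow-list


def check_entity(body):
    """Return the text that should stand in for a matched entity."""
    if body in ALLOWED_NAMED or re.fullmatch(r"#\d{1,6}", body):
        return "&" + body            # keep known entities as they are
    return "&amp;" + body            # neutralise anything else


def validate_entities_buggy(text):
    """Mirrors the Java pattern: check_entity's result is used as a replacement template.

    Match.expand interprets backslash escapes the way Matcher.appendReplacement
    interprets '$n', so user text such as '&\\5;' raises re.error here just as
    it raised IndexOutOfBoundsException: No group 5 in the Java trace.
    """
    out, pos = [], 0
    for m in ENTITY_RE.finditer(text):
        out.append(text[pos:m.start()])
        out.append(m.expand(check_entity(m.group(1))))   # BUG: template, not literal
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


def validate_entities_safe(text):
    """A callable replacement is inserted literally; nothing in it is interpreted.

    This is the Python counterpart of wrapping the Java replacement string in
    Matcher.quoteReplacement().
    """
    return ENTITY_RE.sub(lambda m: check_entity(m.group(1)), text)


if __name__ == "__main__":
    sample = r"5 &lt; 6 &amp; &copy; &#169; &\5;"   # constructed input
    print(validate_entities_safe(sample))
    try:
        validate_entities_buggy(sample)
    except re.error as exc:
        print("buggy variant failed:", exc)
```

The lesson generalises past entities: any time a sanitizer feeds text derived from the input back into a replace call, the replacement must be passed as a literal (quoteReplacement in Java, a callable or `\\`-escaped template in Python), or the attacker gets to pick what the regex engine does with it.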

Responsibility to Bring Attention

AP:

LEESBURG, Fla. – Two weeks after telling police that her son had been snatched from his crib, Melinda Duckett found herself reeling in an interview with TV's famously prosecutorial Nancy Grace. Before it was over, Grace was pounding her desk and loudly demanding to know: "Where were you? Why aren't you telling us where you were that day?"

A day after the taping, Duckett, 21, shot herself to death, deepening the mystery of what happened to the boy.

Janine Iamunno, a spokeswoman for Grace, said in an e-mail that Duckett's death was "an extremely sad development," but that the program would continue covering the case.

"We feel a responsibility to bring attention to this case in the hopes of helping find Trenton Duckett, who remains missing," Iamunno said.

Is this what drives some bloggers?

If the pen is mightier than the sword, verbal attack hurts more than a beat down.

The way I see it, this downside of free speech can only grow as technology empowers our voices to be heard anywhere, anytime. Language barriers have an upside in this sense.

Update:

Irrelevant coincidence: Melinda Duckett was born in Korea and adopted by the Ducketts when she was 4 months old. I didn't know this until I just read it in a Korean newspaper.

Another ‘Oh Shit’ Moment in Cryptography

I no longer actively track goings-on in crypto-land, but I ran into this bad boy when I visited Kim's blog for the Open Specification Promise news (superb news, btw).

The vulnerability involves two parts: sloppy code (OpenSSL and possibly others) and weak certs issued by some CAs. Fixed code should detect the forged signatures. Updating the certs should make it impractical to forge digital signatures that look as if they were signed by those certs.

If you use OpenSSL (very likely if you write cross-platform software that uses cryptography), read it. If you use another library to validate digital signatures, check with the library's developers to see if you need to update. If you are a non-techie, look out for updates to the software you use (e.g. Firefox, which may be affected).

Needless to say, this is pretty bad.
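The flaw described above matches Daniel Bleichenbacher's 2006 forgery against RSA keys with public exponent 3 (CVE-2006-4339 for OpenSSL): a verifier that parses PKCS#1 v1.5 padding from the left and never checks that the hash sits at the very end of the block accepts the integer cube root of a crafted block as a signature, with no private key involved. The following Python is an added example, not code from the post or from OpenSSL; the modulus is a constructed 2048-bit value standing in for a CA key with e=3, and the message strings are made up. The "weak certs" side is exactly this: any certificate whose key has e=3 is forgeable under a lax verifier.

```python
"""e=3 PKCS#1 v1.5 signature forgery against a lax verifier (added example).

Not code from the post or from OpenSSL. N is a constructed 2048-bit modulus
standing in for a CA key with public exponent 3; the forgery uses the public
key only, because the forged signature's cube never wraps modulo N.
"""
import hashlib

E = 3
K = 256                                   # modulus size in bytes (2048-bit key)
N = (1 << 2047) | 0x1234567               # constructed: odd, top bit set, not a real key
# DER DigestInfo prefix for SHA-1: SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING[20] }
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(msg):
    return SHA1_DIGESTINFO + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15(msg, k):
    """Correct encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes, no room for garbage."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_lax(sig, msg):
    """Vulnerable: walks the padding from the left and stops after the hash.

    Whatever follows the DigestInfo is never looked at; that is the bug.
    """
    em = pow(sig, E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= K or em[i] != 0x00:    # need >= 8 padding bytes, then the separator
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t     # BUG: em[i + 1 + len(t):] is ignored


def verify_strict(sig, msg):
    """Fixed: reconstruct the one valid encoding and compare all K bytes."""
    em = pow(sig, E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(msg, K)


def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x (binary search over big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo


def forge(msg):
    """Forge a signature for msg that verify_lax accepts, using only (N, E)."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)   # minimal padding
    garbage_bits = 8 * (K - len(prefix))
    target = int.from_bytes(prefix, "big") << garbage_bits
    s = icbrt_ceil(target)
    # s**3 exceeds target by less than 3*s**2 (about 2**1360 here), which fits
    # inside the 1680 garbage bits: the prefix survives, and s**3 < N so no reduction.
    assert s ** 3 < N and s ** 3 >> garbage_bits == int.from_bytes(prefix, "big")
    return s


if __name__ == "__main__":
    msg = b"CA: issue me a certificate"   # constructed message
    sig = forge(msg)
    print("lax verifier accepts forgery:   ", verify_lax(sig, msg))      # True
    print("strict verifier accepts forgery:", verify_strict(sig, msg))   # False
```

The strict verifier is the whole fix on the code side: build the single valid encoding and compare every byte, instead of parsing. Larger keys make the forgery easier, not harder, because the garbage region grows with the modulus, which is why moving the affected CAs away from e=3 was the other half of the response.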

JK 1.2.18 Specified Module Could Not Be Found

This post is intended to be googled, not read. So just ignore if you are a subscriber.

If you are reading this because you are having problems with JK 1.2.18:

You have to define the rewrite_rule_file registry entry and create an empty file to make up for a bug in JK 1.2.18.

If you are reading this because of a mysterious 'The specified module could not be found' message:

  • delete isapi_redirect.properties if you have one around.
  • keep messing around til it works.

I don't know what the heck is going on in the Apache Tomcat team, but the Tomcat connectors project is in a rather chaotic (well, that's the polite way to put it) state, so, unless you feel like paying New Atlanta's ridiculous fees for ServletExec, just dance and jiggle until it works. In my case, everything started working mysteriously after cycling through multiple versions of isapi_redirect.dll. I would have complained in earnest if it didn't feel like kicking Open Source Santa between the legs.

Fragments: Journalists and Activists

On Destructive Attentions:

Opinions and demands are what separate journalists from activists.

An opinion is a statement of position.

A demand is a statement of intention to pursue until specific requirements are met.

An outcry is a syndication of demand.

A journalist reports unbiased news and opinions to inform others.

An activist uses biased selection, edition, and repetition of news and opinions to sway others.

Update:

A good example of journalism: Suspicions and Spies in Silicon Valley

After reading the above article, I think Dunn didn't know about pretexting and HP lawyers misinformed her. The investigators will likely get prosecuted for identity theft. HP will be fined by various government agencies and face civil lawsuits, but I don't think Dunn will be charged with any crime. Given time, Dunn will either resign or be forced to resign.

It's interesting that Dunn focused on details and Perkins focused on strategies, outlining a common stereotypical difference between men and women.

Destructive Attention

Most bloggers, A-list or not, typically fire and forget. Scoble is an exception, and I am concerned that he might be going overboard with the HP pretexting incident. If Ms. Dunn did something illegal and is now lying about it, someone is already investigating. If she is just incompetent, since when is it a moral crime to be a stupid chairperson? Isn't that HP's and its shareholders' business?

This brings up an interesting question though: at what point is it overdunn? If it is when Dunn resigns (frankly, I think everyone who told her not to resign should go), then are bloggers activists or journalists? What prevents us from abusing our attention-based power? When is it not an abuse to publicly single out a person to be fired?

While I value transparency and feedback, I think there is a line that we should not be crossing, a line that separates opinions from demands. In the near future, instant feedback will be the norm in the business world. In such a world, the line I mentioned will be increasingly important.