Japanese Roots

I don't know how I missed it but I came across Jared Diamond's 1998 Discover article, Japanese Roots, today. Jared's findings are pretty much in line with my understanding of the role Korea played in Japan's history, which is that several mass exoduses of Koreans, each wave caused by the demise of a Korean kingdom (Buyeo, Gaya, Baekje, Goguryeo, Balhae), migrated to Japan and eventually conquered it. I doubt it was much of a conquering though. Most likely it was just a long population expansion, drowning the natives (Jomons) by sheer numbers, followed by a long fight amongst themselves until everyone got tired enough to choose a king. And the Japanese language is probably a cocktail of the exiles' languages and dialects, not that of just one like Goguryeo as the author suggested.
This doesn't mean that I think Japanese are Koreans though. That kind of reasoning would make me an African. Their ancestors were Koreans but now they are Japanese. What puzzles me is why the Japanese average height is noticeably shorter than that of Koreans. Curse of the Ainu?

Effective Documentation

A plate of bacon, lettuce, and tomato is not a BLT sandwich until you stack the parts together. Unfortunately, too many engineers stop short of building the complete sandwich.
For example, the Java XML Digital Signature API can't be used unless an appropriate security service provider is registered. Otherwise, one gets a NoSuchMechanismException. To register the provider, you have to have the provider's full class name. For the default JSR 105 provider, it's:


but, to find that out, you'll have to google or search the jar classes or Sun source code looking for an implementation of java.security.Provider. Duh.
Anyway, to register the provider for all of your Java apps, add the following line to the $JAVA_HOME/lib/security/java.security file:


To register just for selected apps, add the following line of code:

XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI")).newInstance());

For Java 6 (aka JDK 1.6), this is done automatically since the API package is bundled.
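
As an added example (not code from the original post or from the JSR 105 project), the class below loads the provider class named above only when no provider is already registered, then signs and validates a small document to confirm the factory actually works. The class name DsigProviderCheck, the `order` element, the throwaway RSA key and the SHA-256 algorithm choices are assumptions made for the illustration.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.NoSuchMechanismException;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class DsigProviderCheck { // hypothetical class name
    // Prefer a provider that is already registered (always the case on Java 6+);
    // otherwise load the provider class named by the jsr105Provider property.
    static XMLSignatureFactory factory() throws Exception {
        try {
            return XMLSignatureFactory.getInstance("DOM");
        } catch (NoSuchMechanismException e) {
            String cls = System.getProperty("jsr105Provider",
                    "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
            Provider p = (Provider) Class.forName(cls).getDeclaredConstructor().newInstance();
            return XMLSignatureFactory.getInstance("DOM", p);
        }
    }

    public static void main(String[] args) throws Exception {
        XMLSignatureFactory fac = factory();
        System.out.println("provider: " + fac.getProvider().getName());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();          // throwaway key, constructed for the demo
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // signature elements live in a namespace
        Document doc = dbf.newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElement("order")); // constructed sample document
        // Enveloped signature over the whole document (URI "").
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(
                        fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                        (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(
                new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Validate against the key we already trust, not a key carried in the message.
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        System.out.println("valid: " + fac.unmarshalXMLSignature(vc).validate(vc));
    }
}
```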

RESTed and Confused

It's good to see that web application frameworks are getting RESTful URL support but they are going about it in a way that invites unnecessary confusions and conflicts.
For example, Rails' RESTful URLs look like this:

GET /movie/1;edit = edit movie 1

POST /movie = create a movie

PUT /movie/1 = update movie 1

Meanwhile, Struts 2's Restful2ActionMapper maps URLs like this:

GET /movie/1!edit = edit movie 1

POST /movie/1 = update movie 1

PUT /movie/ = create a movie

Convention over configuration is nice but not if everyone is coming up with their own conventions. Can we start by choosing one method separator character and resolve confusions over POST vs PUT? It shouldn't take more than a few hours if all the suspects involved are rustled up one night.


XBox 360 for Online Banking

Wow. XNA Game Studio Express is finally here. With this free tool, one can write XBox 360 games and have them distributed by Microsoft online. I don't know what kind of non-game software can be developed with XNA Studio for XBox 360 but I think game consoles have the potential to be great application platforms. Since XBox 360 is pretty much locked down and Microsoft has full control over the electronic distribution of software for the console, it's an ideal environment to deploy and run secure home financial applications like online banking. No more worries about keyloggers and reliable email delivery through torrents of spam.
Anyway, that's the direction I would push if I was in charge. Use games and entertainment to grab the lion's share of secure customer-to-business relationships. Easy as pie and locked down tight like Alcatraz.
I think XNA Game Studio Express will have a huge impact on the business world as well as the ongoing game console war. Besides, it's a great excuse to get an XBox 360. I've been negotiating with my son to split 50/50 on the Wii console (to teach him financial responsibility and negotiating tactics, really!) but I think that talk will break down once my son finds out I am getting an XBox 360 for tinkering.
Why couldn't we do this a decade ago? I remember talking with Bruce Zweig eons ago about whether buying the development system for Trip Hawkins' 3DO console made sense or not. It was too expensive then but now free console development is a reality. Time sure flies…

Goodbye Text Spams, Hello Image Spams

Some observations based on examination of spams I've received over the past few weeks:

  1. most of the spams are still text-based.
  2. most of text-based spams are successfully deflected by text-based spam filters.
  3. most of the image spams are getting through.
  4. most of the image spams are coming from foreign countries.
  5. there are only a handful of image-based spamming operations currently active.

#5 is based on the number of image spam styles and contents. While it's possible that the relatively small number of variations can be attributed to the use of canned image spam generators, I think this is unlikely given that the relatively low volume suggests that image-based spamming is still in the early-adopter phase.
Because image spams are typically loaded with mundane words and phrases, Bayesian spam filters are ineffective against image spams. Even worse, the combination of image spams and manual spam classification (users clicking on junk/spam buttons) can potentially increase false positives. What we need are spam filters that analyze embedded images and content structure.
Image-based spams need to display mainly textual information and, currently, image spammers are using a single large rendered image of spam text. Image analysis should be able to detect this fairly reliably. Of course, this will spark another arms race of sorts. The next step up for spammers is to apply image obfuscation techniques as well as break up the spam image into many small ones. After that, they could try to build the textual image out of many layers of seemingly innocent images or build pseudo-images using HTML. While spammers will have a lot of fun coming up with new ways to get past spam image detection schemes, I think they'll have a more difficult time avoiding deviation from typical message structures.
Anyway, it'll take more time and pain before engineers come up with reasonably good image spam filters. So we'll have to either endure or reroute our mail through spam filtering services.

Google Gook

This is too ridiculous. Google chose an online marketing consultant to reveal unsubstantiated fluff claiming Google's fraud rate is less than 2% and we are supposed to just believe them? Their numbers would be more believable if Google offered a decent prize to anyone who can beat their click-fraud protection into submission.
I don't like being pegged as a security expert and I don't mean to boast but, over the past six years, I've helped a client build a state-of-the-art fraud detection and risk analysis system that protects millions of people every day and helped another client build an online payment authentication system that protects millions of transactions every day. It's fun playing the Cowboy but, if Google offered enough incentives, I want to play the Indian. Heck, forget the prize and just let me keep what I can make from click-fraud.
With thousands of PhDs on their payroll, this should be a safe bet for Google if they felt so sure about those numbers, no?

JDK 1.6

Played with the final version of JDK 1.6 this morning, still hot off the assembly line. Ran all my code and tools through it without a whiff of trouble. It's also seemingly faster, at least Eclipse seemed snappier. Too bad it's not available on Mac yet. Anyway, I liked it enough to deploy it to my server. Yup. This blog is running on JDK 1.6 server VM.
Going through the list of new features, built-in script support API (javax.script) is a nice-to-see although I think BSF met everyone's needs. I couldn't find any script performance related info. I was under the impression that Sun was working to improve scripting language performance on JVM. Oh well. Java2D performance improvements are impressive too but, unless I am mistaken, only Swing apps will benefit and Java is not so hot for GUI apps anyway.
I am also not so hot on Sun bundling Rhino, Derby, and a minimal HTTP server with JDK 1.6. I would rather see Sun expand its Java Update service to download extra third-party libraries as needed and install critical patches automatically.


Odd Apple Wireless Keyboard Problem

After a midnight siesta (?!?), I opened my laptop from bed and landed in lala-land. To start with, the MBP screen looked as if the big display downstairs was still connected. After a hard restart, the screen problem was gone but menus and dialogs would stay up only briefly and keyboard shortcuts were being ignored, which means I couldn't even shut down softly. And after a while, a soft beeping noise started from the top right corner of the laptop. Definitely odd.
Upon further investigation, I found that the disappearing menu and dialog symptom was limited to the Finder and Firefox. So, with TextMate in the foreground, I was able to track down the problem to the Apple wireless keyboard, located one floor directly below my bed. Disabling Bluetooth solved the problem but removing the keyboard from the Bluetooth device list solved the problem (and the alarming noise) as well.
When I came downstairs, the problem went away so I restored the wireless keyboard. I am still scratching my head but I am sure laziness and forgetfulness will solve that soon enough.