I had a mail server relay problem which dropped incoming mail last weekend, yesterday, and part of today. At first, I thought it was my network provider's POP3 server, but it turned out to be a problem with the Docuverse.com mail server. I think I fixed the problem so, if you sent me emails and haven't heard back from me or got a bounce, please resend.
PHPEclipse
PHPEclipse is an Eclipse plugin that turns Eclipse into a PHP IDE. I don't usually do PHP work, but a close friend of mine asked me to review his company's PHP-based website so I had to review a massive body of PHP code within only a few hours I could spare.
While any text editor can be used to write PHP code, mere text editors are not enough when you don't have much time to cover a lot of code. So I installed PHPEclipse and found it to be really nice. It checks syntax and helps you trace and navigate call hierarchies easily. I haven't tried its debugging capabilities, but I was delighted enough with just the capabilities I used to recommend it to PHP developers.
BTW, I am not a PHP developer and I don't build websites for small businesses. It's not that that is not a respectable business. It's just that I don't like doing what millions of other developers can with adequate competence. Yes, I am a prima donna of sorts.
Eeeks! My Third Year!
I didn't realize today was my second blog anniversary until I got up in the afternoon and read Dave's posts. Big thanks to Dave and Jeff for noticing.
I was getting a little annoyed with myself in the past few weeks because both quality and quantity of my posts have suffered lately. Maybe it was the anniversary things.
Phishing behind Google
I just received a phishing email purporting to be from PayPal. No surprise there since I get many of them every day, but I looked closer at this one because it looked very professionally done. I looked at the raw message and found this odd link:

This particular phisher is bouncing off Google to hide itself from domain name-based phishing detectors and scanners. Clever. Clicking on the link will open a browser to Google's URL search CGI which will automatically redirect the browser to the phishing site at IP address 209.152.181.10. This trick will bypass phishing detectors that examine only the domain name part of a URL to see if it looks suspicious.
So the lesson here for security developers is to look at all the parameters and to keep track of oh-so-helpful redirectors like Google. Also, website developers should keep in mind that helpful service is helpful to all, including the bad guys, and they might become an unwitting partner in crime. For lawyers, it's a new source of income concern.
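An added example (not part of the original post): a link check that applies the lesson above by unwrapping URLs carried in query parameters instead of judging only the outer domain. The host redirector.example, the allowlist, the sample link and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist of reputable hosts; redirector.example stands in
# for a well-known site that offers an open redirect.
TRUSTED_HOSTS = {"redirector.example"}
MAX_DEPTH = 3  # how many nested redirect layers to unwrap
# Constructed sample link (not the one from the e-mail described above).
SAMPLE = "http://redirector.example/url?sa=U&q=http%3A%2F%2F192.0.2.10%2Flogin%2F"

def safe_split(url):
    try:
        return urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return urlsplit("")

def host_of(url):
    return safe_split(url).hostname or ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def embedded_targets(url, depth=0):
    """Return every absolute http(s) URL carried in the query string of url."""
    found = []
    if depth >= MAX_DEPTH:
        return found
    for _name, value in parse_qsl(safe_split(url).query):
        value = value.strip()  # parse_qsl has already percent-decoded it once
        if value.lower().startswith(("http://", "https://")) and host_of(value):
            found.append(value)
            found.extend(embedded_targets(value, depth + 1))
    return found

def naive_verdict(url):
    """Domain-only check: the kind of detector the redirect trick gets past."""
    return "allow" if host_of(url) in TRUSTED_HOSTS else "inspect"

def verdict(url):
    """Judge the link by every host it can land on, not just the first one."""
    for target in embedded_targets(url):
        host = host_of(target)
        if is_ip_literal(host) or host not in TRUSTED_HOSTS:
            return "suspicious"
    return naive_verdict(url)
```

On the sample link the domain-only check returns "allow" while the parameter-aware check returns "suspicious", because the `q` value decodes to a URL whose host is a bare IP address.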
Open Source Inspectors
Open source is not inherently more secure than closed source. If you have doubts about the preceding statement, Dare Obasanjo's The Myth of Open Source Security series of articles is a good place to start.
Two main problems I see from my perspective with open source security are that a) there are no compelling incentives for open source developers to examine the code, and b) they have to examine everything. Even if all the developers are coerced into doing so, not everyone will do a good job and everyone is not the same as everything.
On the other hand, blackhats have compelling incentives to look at the code and they only need to look at a fraction of the code developers have to look at since they only need to find one vulnerability to hit paydirt.
While I agree with Dare on most points, I think his suggested solution of adopting software quality enhancing techniques and practices is unimplementable for most open source projects. As software developers and managers, we tend to focus too much on how we do things and what we use to get things done, meaning skills, techniques, and tools we use every day. The open source movement is not about those things. It's not about how or what but who, people doing things together.
Quality of open source software cannot be improved by asking people to wear straight jackets and drawing lines on the floor telling people where to go next. Instead, we need to see the entire open source community as a global ecology and find subtle ways to change the antfarm environment so that the ants people will naturally respond in the direction that improves the quality of goods they produce.
One such solution is the introduction of open source inspectors backed by inspector rating and reward systems. An open source inspector is a software engineer whose responsibility is to inspect the quality of software. Unlike developers who tend to stay with a small stable of projects for extended periods of time, inspectors are gypsies who move from project to project.
Each inspector examines code for quality and security. The result of an inspection is a report and a rating assertion signed by the inspector. Rating assertions by an inspector ultimately affect the proficiency rating of the inspector. Each bug or vulnerability discovered in the code they inspected lowers their proficiency rating.
Achieving and maintaining high proficiency rating is the lure reward motivating inspectors to dedicate a substantial portion of their time to inspect open source projects of their choosing pro bono. If they are any good, they will find plenty of paying customers.
In summary, I am advocating the use of social engineering over software engineering to enhance open source security. Designing, developing, debugging, and deploying social forces is the ultimate engineering profession IMHO. The only problem with such a profession is that lifecycles of such 'wares' literally mean lifecycles.
Crappy Headset Business
More bad shopping experiences. Recently, I bought Plantronics MX10, a phone amplifier that connects to a computer for multimedia work and VOIP, along with a Telex H-51 headset. Actually, I got the Hello Direct Virtuoso before that but returned it in favor of MX10.
When I received it, I realized that MX10 requires headsets with a special type of connector called Quick-Disconnect (QD). Note that Quick-Disconnect headsets are two to 9 times more expensive than normal computer headsets. After a bit of grumbling, I ordered a Symphony headset from Headsets.com because it was cheaper than Plantronics headsets of comparable quality.
When I got the Symphony headset, I hooked it all up but couldn't hear the dial tone. Hmm. I tested the headset by hooking it up directly to my phone. There wasn't any problem with the headset. I tried everything, even talking to Plantronics' very nice clueless tech person. Only conclusion I could make was that MX10 was defective. So off it went back to Amazon.
Today, the replacement MX10 arrived. I hooked it all up again but same symptoms. I switched to a different phone and was rewarded with very distant dial tone. Amplifier that weakens signal? I called Headsets.com tech support this time and got the disgusting insider news:
Headsets and phone amplifiers from different manufacturers are not compatible with each other although they all use Quick-Disconnect connectors.
Huh? That means Plantronics amplifiers like MX10 work only with Plantronics headsets and Symphony headsets will work only with Symphony amplifiers. The fact that they use the same connector form factor is just meaningless.
Totally disgusted, I packed up everything except the Telex H-51 and scheduled a UPS pickup tomorrow. Since I ordered a telephony enabled modem with my new computer, I am gonna use that instead of fancy but insane phone equipment. I don't know why I haven't thought of this before. After all, I have written a sophisticated telephony app for a client nearly ten years ago. Maybe I'll even write a telephony app that will put these crappy companies out of business.
One Great Fcuking Beach
I guess others liked Dave's post about his dawn walk along Florida's one great fcuking beach, one thousand miles long stretch of sand. I thought about sending Dave a thank you note for that post, but work got to me.
Hey, Dave. Don't fix that typo. I lvoe it like that. ;-) Oh yeah. Thanks for that great post, man. It made me want to drive to Half Moon Bay in the morning, but my lazy butt opened the chute just in time.
Dell Madness
Dell is driving me nuts.
I ordered Dell's 8400 desktop a week ago and it's scheduled to be shipped on 27th of this month. I didn't want to spend that much so I got a moderate CPU (3.2GHz P4), so-so storage (250G), non-gamer's video card (ATI X300SE), and 2G of speedy memory. X300SE was intended to be just a placeholder for a better graphics card later. Audio card? Whatever came with the motherboard.
Just now I checked the price and found that I could get faster CPU (3.4GHz), moderate gamer's graphics card (ATI X800 SE), and top of the line audio card (Audigy2?) for the same price! I have bought countless computers before and I have learned to live with price drops. But seeing such drastic price drops even before the box ships is too much to bear.
So I cancelled the order and came over to my blog to vent some frustration. At this rate, I'll keep on cancelling my orders until there is a severe component shortage. If there are more people like me, I think companies like Dell will have to offer price adjustments at the time of shipment. Heck, it's not the money. It's the ol' feeling of getting shafted loyally in real time.
Update:
I went ahead with the new order and got free 2nd shipping as well which means it will arrive about the same time as my previous order would have arrived. Nice.
I am starting to understand a little more of how my wife feels when she hounds local mall clerks into making up differences whenever there is a sale. I couldn't believe it when I first heard of it. She buys something for X and, if the store lowers the price to Y sometime later, then she somehow talks them into coughing up X-Y. What I don't understand is why the US economy doesn't collapse with shoppers like her around.
Update 2:
Aha! I found the culprit behind the sudden price drop. Intel cut the price of its CPUs by as much as 35% on August 23rd. Since Dell had a fairly large number of customers waiting to receive 8400 desktops, I think many of them will cancel their orders to take advantage of the price drop.
Getting a rise out of Reiser4
Last time I looked at ReiserFS was, I think, at least a couple of years ago. It was a nice file system but I didn't find any use for it. Two years later, Reiser4 is released and I still can't find a good use for it, but it sure has some intriguing one-liner feature list that would give any geek a bit of excitement:
- Reiser4 is the fastest filesystem, and here are the benchmarks.
- Reiser4 is an atomic filesystem, which means that your filesystem operations either entirely occur, or they entirely don't, and they don't corrupt due to half occurring. We do this without significant performance losses, because we invented algorithms to do it without copying the data twice.
- Reiser4 uses dancing trees, which obsolete the balanced tree algorithms used in databases (see farther down). This makes Reiser4 more space efficient than other filesystems because we squish small files together rather than wasting space due to block alignment like they do. It also means that Reiser4 scales better than any other filesystem. Do you want a million files in a directory, and want to create them fast? No problem.
- Reiser4 is based on plugins, which means that it will attract many outside contributors, and you'll be able to upgrade to their innovations without reformatting your disk. If you like to code, you'll really like plugins….
- Reiser4 is architected for military grade security. You'll find it is easy to audit the code, and that assertions guard the entrance to every function.
Dancing trees? I gotta look into that algorithm sometime. I wonder if variations of the algorithms will be called Disco or Samba? ;-) Hmm. One of the testimonials is LivingXML which is a native XML engine built on top of Reiser. That's nice except LivingXML seems to be, well, dead. Oh, well.
Perl vs. Java RegEx
Tim Bray compares Perl and Java regular expression performance with the result of Java performing twice as fast as Perl when output performance is factored out. Fantastic. I knew Java regular expression library was fast but I didn't know it was this fast. Even more encouraging, there are even faster third party regular expression libraries for Java. I wonder if .NET 2.0 makes up for the lackluster RegEx performance in .NET 1.1.
Update:
Jeff Atwood is getting a completely different result (.NET RE faster by ~40%) from an informal benchmark I did a while back (.NET slower by ~60%). BTW, I don't believe .NET RE is 20 times slower than Java RE.