Welcome to Orcmid's Lair, the playground for family connections, pastimes, and scholarly vocation -- the collected professional and recreational work of Dennis E. Hamilton
2004-05-29

Safe Safety Systems

ACM News Service: Software Safety by the Numbers. IEC Standard 61508 describes how one establishes the safety and security of programmable electronics and the requirements on the development process for "traceability, criticality inspection, and validation." Safety integrity is also considered, including "failsafes to ensure the detection of failures and the system's switchover to a safe state should it be unable to carry out a safety function." While this is directed toward embedded systems of a particular kind, it would seem that there is much lore here that translates into considerations for the vetting of autonomic systems for dependable computing. Jeff Payne's 2004-04-26 Embedded.com article has the intriguing lead, "When it comes to safety, it's not what you do, but how you do it." The well-illustrated article begins with a great anecdotal example and then expands into the risk management procedures and development-process models appropriate for different levels of safety criticality. These seem highly adaptable to an initiative for trustworthy software as well.

Digirati Journalism's Human Face

ACM News Service: Publishing by Design - Time to Make Human Factors a Concern. This blurb invites consideration that "insights into human-computer interaction (HCI) and design can solve many problems that currently limit the usability and appeal of digital mass communication, which is currently influenced by several false assumptions about convergence and traditional media." In particular, there are different interface challenges that come with different (mass) communication platforms, and Human-Computer Interaction (HCI) principles suggest that there's "need for interaction design that satisfies individual users." The idea of context-applicable technologies is suggested as a way of dealing with situation as well as differing access-point constraints on presentation and interaction.

Nico Macdonald's 2004-05-20 article in the Online Journalism Review goes more deeply into strongly-held poor assumptions and provides a useful appraisal of the ease-of-use conundrum. The article is the first in a series on HCI and design issues related to online journalism.

Out, Out, Cursed Bug

ACM News Service - Will Code Check Tools Yield Worm-Proof Software?. According to this blurb, the Business Roundtable "blames buggy and vulnerable software code for most of the major cyberattacks and network breaches that have harried American consumers and businesses in recent years." Focus is on defective software-development processes. I don't want to diminish the importance of improved software-development practice, transparency, accountability, and liability for failure to apply recognized best practices. I think those are all great moves. I also think that it won't work if purchasers don't require it, whether it is something like a Good Housekeeping seal or anything else. And there is something more about due diligence that IT organizations and CIOs must have to deal with. Finally, it won't be enough. We must deal with the prospect that the criminal element that is training itself to exploit system vulnerabilities is not going to let up, and that perfectly-working code does not assure a safe and secure business system. We will learn that, whether we want to or not, like it or not. The Robert Lemos 2004-05-26 CNET News article provides an extensive, balanced treatment. The move to demonstrable diligence is important. It is time that we took seriously the lessons learned in the development of traditional engineering disciplines.

Smarter IT Skills in Time Enough

ACM News Service - The Increasing Importance of Process Skills. This blurb is a little scary, to the extent that it points to a dangerous dumbing-down of IT experience: "New technicians today may have the requisite knowledge of technology, but may lack an understanding of how their work affects business operations; they might, for example, patch a critical system during the middle of the business day without realizing the implications of that system crashing."

I find that unreal, mostly because I don't see where operations management would allow that -- unless that is part of the inexperience equation. There's a fetching analogy, that "putting such inexperienced and harried workers behind critical systems is like putting someone who has no driving experience or knowledge of driving laws behind the wheel of a Ferrari." George Spafford's 2004-05-26 Datamation article offers more perspective, especially on the need for maturing experience and how we may have outrun our ability to achieve that (along with our divided attention problems). Spafford does list a 5-point approach to moving forward:

E-Learn Me This

ACM News Service: New E-Learning Tools. I'm half-way through an M.Sc in IT program that is delivered by distance learning. Everything is done on-line via computer-mediated communication (CMC). And I find it very difficult to relate this blurb to anything I recognize as E-Learning. It seems to be about applying learning algorithms to Interactive Tutoring Systems (ITS), and the learning algorithms are about machine learning. I can't tell whether the machine is learning, or the machine is supporting a human learning something, or if these are thought to be the same thing. Chandra Devi's NSTRP e-media report has more words, but my parser hasn't learned to gain more from it than from the original blurb, except for the final statement: "Overall, the [Canadian research Learning Objects Repositories Network (Lornet)] mandate is to make progress on the fundamental research required to support distance education." I might be happier if I understood what the linkage between "machine learning" and "distance education" is meant to be. On the other hand, maybe not.

Semantic Web: The Needle or the Haystack?

ACM News Service: WWW2004 Semantic Web Roundup. This is an interesting summary of the Semantic Web at a cross-roads. There is a lot riding on the recently-stabilized RDF and OWL specifications. The key: "Both boosters and critics of the Semantic Web effort say applications need to get on the ground soon to determine the future of the technology." I am one who maintains that the Semantic Web is ill-conceived in regard to presumptions about "well-defined meaning" and other naive ideas about ordinary language. I also find the tools to be interesting and potentially useful, just as I take interest in the computational methods and heuristic procedures that are commonly classified as supporting Artificial Intelligence.

But I have no metaphysical commitment to AI nor to the Semantic Web as broadly presented (with muted caveats). Paul Ford's 2004-05-26 Roundup for XML.com provides the detailed summary. There is tantalizing mention of many tools, mostly developed in Java, and a suggestion that "For the Semantic Web to succeed on the desktop, it may need to leave Java behind; one promising approach might be to focus energies on .NET/Mono implementations; alternately, developers could consider using Mozilla's XUL, particularly given the fact that Mozilla already stores application data in RDF -- 'triples all the way down.'" I think that is promising, and something to look at for blending into social and collaborative software in support of interoperability and interchange, whether or not the wider sense of Semantic Web is achievable.

And the little phish have bigger phish to bite them

ACM News Service: Gone Phishing - Web Scam Takes Dangerous Turn. This blurb points out that phishing is becoming increasingly aggressive, and the installation of keystroke loggers and similar programs is becoming increasingly stealthy. You need to be a Wall Street Journal subscriber to see the full article. I caught a fraudulent MSN Billing e-mail in my Outlook Express this past week. The message from Billing@Мsn.com was recognized as spam by MSN Hotmail (!) and it was placed in my "Bulk Mail" quarantine. (You will recognize another tip-off if you look at that e-mail address while telling your browser to try different language character sets. That's harder to do in Outlook Express.) I noticed the message when I reviewed the folder for false positives a few days later. I'm not going to describe all of the tip-offs by which the scam was obvious and the e-mail was recognized as fraudulent, but I caution people to avoid anything that suggests they fax credit-card account information to an 800-number.
Besides the MSN Hotmail segregation into "Bulk Mail," I also had Norton Antivirus and Outlook Express watching out for dangerous attachments. OE suppressed the HTML attachment that might have gone beyond inviting me to do something stupid manually, as the plaintext version of the message did.
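The tip-off in that sender address is that the "M" of Billing@Мsn.com is a Cyrillic letter, which the character-set trick in the browser exposes. As an added example, not code from the original post, here is a Python check that a mail filter or a help-desk triage script could run over a sender address to surface mixed-script and look-alike domains; the trusted-domain list, the sample addresses and the (deliberately partial) confusables table are constructed for illustration.

```python
import unicodedata

# Constructed sample sender addresses. The second one mimics the
# "Billing@Мsn.com" address from the post: its "M" is CYRILLIC CAPITAL
# LETTER EM (U+041C), not Latin "M" (U+004D).
SAMPLE_SENDERS = [
    "billing@msn.com",
    "Billing@\u041csn.com",
    "support@example.com",
]

# Domains this hypothetical filter treats as legitimate senders.
TRUSTED_DOMAINS = {"msn.com", "microsoft.com"}

# Small, deliberately partial table of Cyrillic letters that look like Latin
# ones. Constructed for this example; a production filter would use the
# Unicode confusables data (UTS #39) instead.
CONFUSABLES = {
    "\u0410": "a", "\u0430": "a",   # А а
    "\u0412": "b",                  # В
    "\u0421": "c", "\u0441": "c",   # С с
    "\u0415": "e", "\u0435": "e",   # Е е
    "\u041d": "h",                  # Н
    "\u041a": "k",                  # К
    "\u041c": "m", "\u043c": "m",   # М м
    "\u041e": "o", "\u043e": "o",   # О о
    "\u0420": "p", "\u0440": "p",   # Р р
    "\u0422": "t",                  # Т
    "\u0425": "x", "\u0445": "x",   # Х х
    "\u0443": "y",                  # у
}


def script_of(ch: str) -> str:
    """Approximate script of a character from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_domain(address: str) -> dict:
    """Describe which scripts the domain part of an address is written in."""
    _local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    scripts = sorted({script_of(c) for c in domain if c.isalpha()})
    non_ascii = [c for c in domain if not c.isascii()]
    return {
        "domain": domain,
        "scripts": scripts,
        "non_ascii": non_ascii,
        "mixed_script": len(scripts) > 1,
        # NFKC folds full-width Latin letters to ASCII but leaves Cyrillic
        # letters alone, so normalization by itself does not catch this case.
        "ascii_after_nfkc": unicodedata.normalize("NFKC", domain).isascii(),
    }


def skeleton(domain: str) -> str:
    """Replace known look-alike letters with their Latin counterparts, then lower-case."""
    return "".join(CONFUSABLES.get(c, c) for c in domain).lower()


def classify(address: str, trusted_domains=TRUSTED_DOMAINS) -> str:
    """'trusted' for an exact (ASCII) trusted domain, 'lookalike' when only the
    confusable skeleton matches a trusted domain, 'flagged' for any other
    mixed-script or non-ASCII domain, and 'unknown' otherwise."""
    info = analyze_domain(address)
    domain = info["domain"]
    if domain.isascii() and domain.lower() in trusted_domains:
        return "trusted"
    if skeleton(domain) in trusted_domains:
        return "lookalike"
    if info["mixed_script"] or info["non_ascii"]:
        return "flagged"
    return "unknown"


def readable(address: str) -> str:
    """Spell out non-ASCII characters by Unicode name, so a reviewer sees them
    no matter which font or character set the mail client happens to use."""
    return address.encode("ascii", "namereplace").decode("ascii")


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        info = analyze_domain(sender)
        print(f"{readable(sender):55} {classify(sender):9} scripts={info['scripts']}")
```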
I managed to report this incident to MSN, although it was a chore to find a contact point -- I finally gave up searching on-line and used a known contact at Microsoft. As in many aspects of life, it sometimes comes down to knowing someone (or at least knowing their name and, in this case, their blog page).
It is my experience that web sites and web-commerce organizations rarely provide a recognizable way for users and customers to notify the company that there is a security or fraud matter that they need to know about. Microsoft, in providing comprehensive technical security support, has a page for notifying them of a security vulnerability discovered in a Microsoft product or service, but MSN doesn't, nor do the MSN links provided on the Microsoft vulnerability-notification page.

This experience reminds me of Bruce Schneier's discussion of agendas in Chapter 3 of Beyond Fear. It is clear to me that, while the MSNs, Yahoos, and Googles and eCommerce services of the world are after my eyeballs and clicks, they don't want me to be worrying my pretty little head over security incidents about them. They are not operating from a "security and anti-fraud is a matter of visible vigilance for us and we welcome your shared concern for our mutual, safe participation in the Internet community" stance. So there is not much a Boy Scout can provide as a cyber-civics contribution. I now have more than enough reported incidents to qualify for the merit badge, though.

My benchmark for how to handle fraud and security issues is at amazon.com, which has reasonably transparent operation and is aggressive about learning of imposters and squashing them. Who do you nominate for best-of-breed in welcoming feedback on security and fraud incidents that you notice?

I haven't used my MSN account as my e-mail address for several (at least 6) years, since spam became a problem. Someone (perhaps many someones) mined the MSN membership list and it drowned out my ordinary use of that address. The spam and klez.h from address books that still have that address keep on coming. I retain the address for Passport and MSN Messenger usage, and it is the name of my back-up dial-up account that, at one time, I could use to roam in Japan and Italy (via the UK). Sometimes, some long-lost-sight-of acquaintance tracks me down by that address. I have no intention of abandoning that account and e-mail, but it is becoming less and less useful as time goes on. I can no longer use its secure SMTP provisions to send mail while I am on another service, using another identity that I want people to remember and reply to. These privacy/security-oriented interventions have been more inconvenient than effective, since spammers find a way and I have to play nice in a game that just makes me work too hard.

2004-05-28

Ward Cunningham - Revolution in Communication

Ward Cunningham - Is there a revolution coming in the way people communicate?. I could have saved myself some work if I'd read through my newsfeeds in alphabetical order instead of the reverse order that I usually follow. Here Ward makes many points that I have been grappling with in other material I'm digesting. The Channel 9 folks pulled at least 3 videos out of one Ward Cunningham interview, and here comes a different one.
Ward speaks to the blogosphere, wikis, finding eyeballs for your code, and more than that arranging enough time for developers to express what their code is for and the problem it is solving. I am going to have to download this video and play it through one sentence at a time to capture every single gem. He talks about cultivating programmers to capture abstractions well and having a process that values abstraction: "You can have a program ... [that] doesn't say what it needs to do as best as it can and so what we do is make sure that a developer, after he gets the program working, can take the time to make the expression of what it does as clear as possible." Then at the end: "At one point we thought it was easy to explain things, but we deal with ideas that are so complicated in the world that we have to practice saying it to find a way to articulate what matters." He's saying that's something that blogs and wiki support, the communal articulation of what matters. It is a great reminder that the best face-to-face conversations are where people listen intently and promote articulate expression just by listening. So maybe, just maybe, there is something that matters in all of this cyber-socialization.

The Edge That Bites

Sam Ruby: Détente. Spotted by Mark Pilgrim, and noted on Sam's Feed earlier, this entry carries an amazing amount of information about edge cases. (I have one right here - my Blog This! tool doesn't capture the <title> use of "é" in détente, so I have to paste it in from the little character-map tool.) This is a wonderful compilation of interoperability and coherence glitches.

Adding Music to Serious Chat

Full Circle Associates Online Interaction & Community Blog: Adding Music to Serious Chat. Here's a great idea. I liked the idea so much I followed the link to the harp music.

I had to drop my firewall to permit mobile code (because of Flash), and then make it a trusted site so IE 6.0 would allow the ActiveX to run. And I still didn't hear the music, though the applet or whatever said it was on, and my speakers were active. Ah well ... This comes back to the earlier topics about software integration, and also making systems safe and secure. I think it is still a great idea, and I would love it if MSN Radio Plus ran in the Media Player instead of the browser, instead of messing with my browsing attention. This is something more to look at as I explore how to create the necessary affordances in simple social-software components.

I'll Have the Blog Special with Extra Sauce

How to Save the World: Work-Arounds for Blogging's Limitations. Spotted-onward by Nancy White, this 2004-03-27 entry by Dave Pollard touches on blogging as distraction and then segues into what it would take to make blogging more effective:
Steve Gillmor: Tablet as Information Appliance

Gates Paying Attention to RSS. Another Scoble spotting, this 2004-05-25 eWeek article by Steve Gillmor has far more to offer than the usual "what took Bill so long?" and "watch out, here come the Borg!" analyses. Gillmor talks about what it is that Gates gets and expresses from his position as visionary, and how the theme is unerring. I am fascinated by the Tablet PC, and I won't have one until a year from now, securing my longstanding record as a late adopter (I still have two Windows 98 machines in the SOHO operation here, and my Windows XP Pro laptop was built in 1998). And Steve Gillmor confirms my anticipation by pointing out that he won't give up his HP tablet, even though he still uses his Mac PowerBook, but more like a home-base system, in my view. It is interesting how OneNote, full multi-media capture/manipulation/transformation/presentation (including ink), and simplified authoring, collaboration, and syndication figure into the evolving information-appliance nature of tablet configurations. Yummy.

Dana Epp: Adopting a Least Privilege Stance

Dana Epp's ramblings at the Sanctuary : Longhorn: Adopting a least privilege stance for users. Encouraged and spotted by Scoble, this article provides some interesting links and a discussion of the stance one takes to foster secure installation of operating-system distributions. I like the idea of running with least privilege, and I went from Windows 98 to Windows XP Pro to be able to enjoy that kind of safe operation. If I could only make it work simply. Although Dana is talking about technical approaches, I think his comments and the Channel 9 commentary on running/installing as administrator point to something deeper. I want to emphasize the notion of a "stance" and what it takes to institutionalize vigilant, pro-active attention to safety and security. We have a long way to go.

I notice for myself that I want the benefits and I don't want to do the work. Based on the alibis I read, I'm not alone in that. A pervasive alteration of development culture and attitudes is required, and backsliding will always be the path of least resistance.

Jakob Nielsen: From -30 Past to +30 Future

Thirty years with computers: Builder AU: Web Development: Site Design. Slashdot spotted this compact reflection + prediction article. It is interesting to see Jakob Nielsen's reflections on his first experience with computers in 1974 (a minicomputer followed by a mainframe system), to the personal computing experience of today, followed by an extrapolation to +30 and what he expects to see, if he keeps up his exercise! I can testify that the computer keeps being re-personalized (though the first personal users were definitely of the code wizard ilk), based on my ability to reach back to -46 and my first programs (IBM 704 then IBM 650 -- I was heading in the other direction toward personal use, and I never got very far from that), even when batch submission was the norm. So, with serious attention to diet and fitness, I might check in with Jakob at +30 to review these predictions. I will be happy to have a personal terabyte along with 100 GB of non-volatile RAM on a tablet configuration. Fortunately, I won't have to wait so long for that. Also, I want something that leaves me in custody of my digital materials while also being able to memorialize whatever might be valuable to hand onward to those who follow. We are getting to the time when preserving a domain name and cyber-identity beyond our lifetime becomes a consideration. With regard to Nielsen's particular 2034 predictions, I see this:
Wikis for the Rest of Us?

Socialtext: Something Wiki This Way Comes. This is a great high-level view of the introduction of wikis that riffs off of a BusinessWeek feature. There are suggestions about easy ways to begin using wikis via hosting services created for that purpose. Although my goal in life is to bring all of that onto my own systems and reduce the use of intermediaries, taking the geek prerequisite out of the care and feeding of a wiki is a challenge. This assertion for Socialtext applies to social software generally, especially wikis and blog-wiki integrations: "Socialtext changes the way people work beyond making group communications more productive and effective. But beyond productivity, it changes the way people work by letting them adapt to a changing environment while developing a group memory." Which leaves me with a great theme to explore: Wiki -- Whose Memory Is It?

Metadata Coherence, Interchange, Aggregation

Caveat Lector: Aggregating Metadata. Dorothea looks at metadata, RDF, tagging, and descriptive systems from the context of use and experience in librarianship. This is a powerful perspective, especially with regard to the intense reliance on tacit knowledge and craft work in classification, cataloging, and indexing that arises in the application of information sciences. I say this is a big deal, especially around the illusions that we harbor about the Semantic Web and the other use of artifacts to capture so-called knowledge. My pet claim in this context is to challenge anyone, using the MARC specification alone, to successfully create and interchange bibliographic information. If that is too daunting, find the Dublin Core specification and notice how much you have to make up in order to create the content of an element with, say, tag <dc:creator> in XML.

In Aggregating Metadata, Dorothea looks at how noisy the process becomes once we actually want to interchange and share metadata material. With aggregation and repurposing of the material, all manner of little slip-ups become breakdowns. Dorothea raises an issue that I puzzle over too: Is it actually a good thing for processors of metadata coded in digital interchange to be forgiving? I am undertaking some work (under the nfoWare category) where I intend to be rigorous about what is accepted or not. Dorothea's perspective and experience is something that I want to refer to and keep in mind as I look at the digital forensics application of information-processing tools as well.

2004-05-27

Versioning Is Hard

Dare Obasanjo aka Carnage4Life - Versioning is Hard. "One of the hardest problems in software development is how to version software and data formats. One of the biggest problems for Windows for years has been DLL Hell which is a versioning problem. One of the big issues I have to deal with at work is how to deal with versioning issues when adding or removing functionality from classes." Amen. Versioning is very nasty, and Dare proposes to provide a paper on the topic. Meanwhile, as part of an exercise that I am doing with anderbill, the problem of versioning Java classes and interfaces just reared its ugly head. This is something I wanted to demonstrate before, and now I must do at least enough to have a running development of versions of a (single) abstraction work properly.

2004-05-26

Where Do Integration Agreements Live?

PRAXIS101: Interfaces, systems, engineering, and API's. Anderbill and I have been pondering where meaning arises for interfaces. He has found a relevant systems engineering account in terms of the building failure at Charles de Gaulle airport.
Keep in mind that this speculation precedes the thorough analysis that will be undertaken to reach a conclusive understanding of the failure and its root causes. Just the same, the discussion of the airport failure is a great reminder that integration points introduce opportunities for misunderstanding. This inspired anderbill to recall an example of two teams understanding the use of a TIFF image-property code differently, leading to an incoherent result between image-capture software and image-presentation software. This fits with many discussions of metadata coding and also of the general viability of the Semantic Web. Meanwhile, anderbill and I have taken our exploration of the syntax, semantics, and "what is coded where" out of sight until we have the crude initial exploration out of the way. We are already having fun discovering our misunderstanding of each other with regard to the chosen example and a provocative comment from anderbill.

Autonomy and Service-Oriented Architecture

Adding policy to integration. Phil Wainewright's 2004-05-26 Loosely Coupled blog comments on SOA management software as a means to deal with exceptions and also enforcement of business policies. The article does not address autonomic behavior directly; it promotes discussion of how deviations can be treated from a system-management cockpit. The lead is compelling: "SOA management software can put your business operations on cruise control, but don't fall asleep at the wheel." The key section with relevance to management of autonomic operation is at the end, on Unexpected Errors. The preceding section there, on concerns about breaching of layers of abstraction, is also relevant. The key overlapping concern is expressed this way, at the end of the article: "When [enterprises] automate process integration, it removes manual steps where people would previously have been on hand to spot policy breaches. So unless policy enforcement is automated at the same time as the process itself, much of the benefit of automating the integration is lost. Effective policy enforcement is essential to productive services integration, and customers are going to expect SOA management vendors to fulfil that need." I don't know if SOA management will do the job, but it would seem that SOA and component models may be a good place to come to grips with failure modes and policy breaches. I also remain concerned about interoperability and integration in the enterprise.

2004-05-25

What's It All About? Objects, Languages, and Meaning

Ward Cunningham - Do you get religious about programming languages?. This Channel 9 video interview with Ward Cunningham (the third so far) includes some fascinating observations about objects as little language machines. I think this provides something useful about the nature of protocols too. What I want people to notice is at the end where Ward talks about a stock trading application and how they learned about a discrepancy in the use of the same technical term by different communities when they set out to automate some of the procedures. Listen for the observation about finding the appropriate abstraction (such that days are not about hours and minutes).

Threats, Risks, and Trust

Jon's Radio: Threat Modeling. Jon Udell has a nice sampling of the ideas of threat modeling and the new possibilities of computer-assisted support for creating, populating, and maintaining threat analyses using such models. Michael Howard: Threat Modeling tool now available. This is the lead that Jon Udell followed. Michael Howard shows where to download the tool and Udell illustrates its application. I notice that threat modeling is not independent of risk management, and has some of the same imperatives with regard to maintenance of a current analysis and risk identification.
When something changes, it is very important to rebuild the assessment and also update the model. Anderbill and I toy with the notion of "trust points." This is about seeing all the places in a system where there is an occasion of trust. This work on threat modeling has me wondering what the relationship to trust modeling might be, though I can also see trust models as being at a different level. My own exercises, mostly in thought problems, have trust points be at very deep points in terms of detail. I don't have a clear picture of the relationship, if any, between trust and threat vulnerability. I am missing something. This may be a place to dig deeper (and also in the existing terminology addressed to such matters).

Listening to the Gang

IT Conversations: The Gillmor Gang - May 21, 2004. This is an audio feed with Steve Gillmor, Doc Searls, Jon Udell, Dana Gardner, and guest Mary Jo Foley. I wanted to hear some of these voices, and Scoble provided the link. I like that Scoble links to a great variety of viewpoints and, even though he may have rebuttals to offer (e.g., about Mary Jo's previous prediction of the waning support for the Tablet PC), all perspectives are acknowledged. I'm using this lead to observe how those voices work together on the air.

Dana Gardner provides a nice review of the RSS mention by Gates and how that may fit into the concern for attention and finding a range from e-mail (very intrusive) to web sites (very passive). There is also an opportunity for profiled aggregation based on user's behavior, which is not picked up on much. Lots of discussion of how this is strategic or not. It is agreed that Gates' speech is raising the level of attention. Jon Udell sees a fundamental shift and an amazing experiment in transparency at Microsoft. Jon sees the video of Ward Cunningham and what is happening in MS Development as remarkable. There is speculated to be a tug-of-war in Microsoft and, while the panel can't assess it, it is noticed that this experiment is something that no Microsoft competitors are doing. (Tim Bray, at Sun, may be the champion there, but we have seen nothing like Channel 9 at this point.) Foley sees the MS blogs as great sources.

Death of the Tablet PC: Foley sees re-evaluation of how they are coming at the tablet market. The slate model was the focus originally, now it is looking at a blended function. It looks like Bill Gates still uses yellow legal pads, and not Tablet PCs. Questions about Apple in the home/personal and Microsoft needing a business solution to feed itself. I think that there is still confusion between the Tablet PC as a particular kind of configuration and how the support for Tablet functions is incorporated in Windows distributions. The tablet as a differentiation from laptop may disappear either way.

BEA is opening up via open-source and wants to attract eyes to their Java run time and their application server. Doc Searls sees this as the progression of making peace with open-source, then getting strategic, then becoming aggressive with it. The BEA move is seen as one of dueling frameworks, and this duel is being fought on open-source territory. It is pointed out that only Microsoft has not found an open-source strategy yet (although it seems to me that the open-source-is-evil direction is being softened).

Discussion moved to the anti-spam and identification proposals with authentication of e-mail. Jon Udell sees the cryptographic approach as a potential opportunity. Gillmor sees PKI as just beyond the coherent level of understanding of 90% of users. The Yahoo proposal allows for individual identities to be handled. Google is noticed as a candidate for that (though I don't think so). It is noticed that DNS is extensible, but the extension mechanism is not what these identity proposals are using. There's an object lesson about extensibility in general and how successful practical extensions often work off of informal and ad hoc approaches, not the one that is designed-in. There is a missing trusted, neutral third party to operate the necessary registry. Google is mentioned as a candidate for that (though I don't think so). Jon sees two distinct questions around identity. One has to do with authentication. And to find out something about a party, there is a different avenue.
template created 2002-10-28-07:25 -0800 (pst) by orcmid