The rules of the garage from HP

Wednesday 7 January 2009

Hewlett-Packard started out in a garage. HP is now going back to its roots by posting “the rules of the garage”. I like them:

HP Rules of the garage

I did not know the Agile Manifesto had a predecessor. Source: Alen Zeichick’s blog.

How secure is SSL

Friday 2 January 2009

Secure Sockets Layer (SSL) is the technology that lets web browsers and web sites secure their communication. The question “How secure is SSL?” is topical this week: a group of researchers has shown for the first time that they can forge SSL certificates whose signatures are based on the MD5 hash algorithm. Academically this is very interesting (it is!), but what are the implications for our daily interactions with websites?

Before we explore this question, some background on SSL certificates for the novice. When you visit an SSL-enabled site you can see this through the https: protocol identifier in the address bar of your browser. Https gives you two things extra: the traffic is encrypted and cannot be read by an eavesdropper, and the identity of the entity operating the web server is verified. The browser verifies that identity using a certificate the web server must send as part of the https handshake. The certificate consists of an identity, let us say ACME Corporation, and a signature. The signature is created by a certificate authority (VeriSign is the best known) that issued the certificate to ACME after verifying that ACME exists and that the entity requesting and receiving the certificate is indeed ACME Corporation. The authority does not sign the certificate contents directly but a hash of them, so anyone who can produce a second certificate with the same MD5 hash can reuse the authority’s signature on it. The research quoted above shows that this is now possible: it yields a certificate that the browser accepts without warning, without any involvement of an official and recognized authority. So any website can successfully claim to a web browser to be ACME Corporation, including malicious websites. Technically there are more hurdles to exploiting this attack, for example you also need to redirect traffic intended for ACME Corporation to your own server, but it is one hurdle less for the attacker and one protection less for the visitor.
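To make the mechanism concrete, here is an added Python model of the forgery; it is not code from the research or from the original post. The CA signs only a digest of the certificate fields. The “MD5” in the model is MD5 truncated to 24 bits so that a colliding pair can be found in milliseconds (the real attack needed the chosen-prefix collision machinery of the researchers), and an HMAC with a made-up secret CA key stands in for an RSA signature. The attacker requests a certificate for a harmless name and then transplants the CA’s signature onto a second, colliding certificate that claims to be a CA itself, which is the structure of the December 2008 attack; with a SHA-256 stand-in the same transplant fails. All names and keys are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example: a CA signs only the *hash* of a certificate's
# to-be-signed (TBS) fields. To keep the collision search in milliseconds,
# the "MD5" here is MD5 truncated to 24 bits; real MD5 needs the
# chosen-prefix collision machinery of the 2008 research, but the
# consequence is the same: one CA signature fits two different certificates.
HASH_BYTES = 3
CA_KEY = b"example-ca-secret-key"   # stands in for the CA's RSA private key


def weak_hash(tbs: bytes) -> bytes:
    """Stand-in for an MD5-based signature scheme: MD5 truncated to 24 bits."""
    return hashlib.md5(tbs).digest()[:HASH_BYTES]


def strong_hash(tbs: bytes) -> bytes:
    """Stand-in for a SHA-256-based signature scheme."""
    return hashlib.sha256(tbs).digest()


def encode_tbs(subject: str, is_ca: bool, nonce: int) -> bytes:
    """Canonical byte string of the fields the CA signs (DER in real X.509)."""
    return json.dumps({"subject": subject, "ca": is_ca, "nonce": nonce},
                      sort_keys=True).encode()


def ca_sign(ca_key: bytes, tbs: bytes, digest) -> bytes:
    """The CA signs digest(tbs). An HMAC stands in for an RSA signature:
    the point is that only the digest, not the TBS itself, is signed."""
    return hmac.new(ca_key, digest(tbs), "sha256").digest()


def ca_verify(ca_key: bytes, tbs: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(ca_sign(ca_key, tbs, digest), sig)


def find_colliding_pair(benign_subject: str, rogue_subject: str):
    """Birthday search over a nonce field (the 2008 attack hid its collision
    bits in the RSA modulus and a comment extension). Returns a harmless
    end-entity TBS and a rogue CA TBS that have the same weak hash."""
    benign_seen, rogue_seen = {}, {}
    nonce = 0
    while True:
        benign = encode_tbs(benign_subject, False, nonce)
        rogue = encode_tbs(rogue_subject, True, nonce)
        hb, hr = weak_hash(benign), weak_hash(rogue)
        if hb == hr:
            return benign, rogue
        if hb in rogue_seen:
            return benign, rogue_seen[hb]
        if hr in benign_seen:
            return benign_seen[hr], rogue
        benign_seen[hb] = benign
        rogue_seen[hr] = rogue
        nonce += 1


def forge(ca_key: bytes, digest):
    """Attacker buys a certificate for the benign TBS, then transplants the
    CA's signature onto the rogue CA TBS. Returns (benign, rogue, signature)."""
    benign, rogue = find_colliding_pair("CN=attacker.example", "CN=Rogue CA")
    signature = ca_sign(ca_key, benign, digest)   # the CA only ever sees `benign`
    return benign, rogue, signature


if __name__ == "__main__":
    for name, digest in (("MD5-like", weak_hash), ("SHA-256-like", strong_hash)):
        benign, rogue, sig = forge(CA_KEY, digest)
        print(name, "rogue CA certificate accepted:",
              ca_verify(CA_KEY, rogue, sig, digest))
```

Run as a script it prints that the rogue CA certificate is accepted under the MD5-like scheme and rejected under the SHA-256-like one. The 24-bit truncation is the only thing that makes the search cheap; the signature transplant itself is independent of how the collision was obtained.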

The attack is specific to the MD5 hash function, which was already known to be unsafe, to say the least. VeriSign immediately stopped issuing certificates signed with MD5. For reasons I do not understand VeriSign still used MD5-based signatures, but only for its lower-class certificates. Most certificates you and I encounter already rely on SHA-1, a stronger hash function (SHA-1 has since been shown to be collision-prone as well and has been phased out of certificate signatures in favour of SHA-256). Extended validation certificates cannot be signed with MD5.

I argued before that current browsers do a pretty decent job of alerting users about the validity of the certificate presented. An attack using a forged certificate would disable those alerts. However, I think most users ignore alerts for invalid certificates anyway. Enough users, at least, to make a spoofed site with an invalid certificate just as likely to generate transactions as one with a certificate that is spoofed but valid as far as the browser is concerned. So tools like this blacklist are pretty useless. Which means you and I must rely on other security countermeasures, which include:

  • DNS and IP network security, making sure bits intended for site A arrive at site A and not at site B.
  • Spam and phishing filters that block access via mailed links, the chances of arriving at a spoofed site by manually typing a link
  • Detecting and shutting down spoofed sites.
  • Legislation making the risks greater than the benefits.

To name a few. The safest way to be secure against spoofing attacks is not to use the Internet. If that is not an option, use your senses, act accordingly, have faith in the other measures, and accept that you may have bad luck and end up on a malicious website.

To round up: does this discovery make us less secure? My answer is no. In fact it makes us more secure, because (a) discoveries like this advance the field of security and drive new innovations that ultimately do make us more secure, and (b) it forces companies to stop using algorithms which are known to be insecure.

More background and interesting reader comments on Bruce Schneier’s blog.

Xobni review

Monday 29 December 2008

Xobni, inbox spelled backwards, is an Outlook productivity plugin. It provides search for contacts and emails, and statistics about your email. I was skeptical at first, having worked with various alternatives in the past. None got me excited. After trying Xobni for two weeks I am convinced and have uninstalled Windows Desktop Search, the last standing survivor.

Some of the praise from me:

  • Xobni provides search that works. A good search interface has been absent from the Outlook e-mail client. I have looked at alternatives, X1 and Windows Desktop Search: better, but still not seamless. Xobni is fast and provides a great interaction experience, given the small amount of screen real estate it takes.
  • Xobni provides context for the mail you are currently displaying: a short summary of the person that sent you the e-mail, including a phone number to remind you that sometimes a call is the best way to respond to an email, and a link to the LinkedIn profile, including photo, to make e-mail more personal.
  • Xobni provides statistics, some handy, some just fun to know. Hayo, did you know you are the contact I exchange most e-mail with (Daniel, you are second)? I did not either, but now I know.
  • Xobni provides conversations related to your current e-mail: from the same conversation, from the same person, files exchanged. Instead of browsing through my well-organized folder structure, I find myself using Xobni to look for and find archived emails.
  • Xobni is clearly made with passion. For a software program it has a very human tone of voice.
  • Xobni is a breeze to install. Within 15 minutes it has indexed all your mail (for me > 1 GB) and you can start.

There are of course drawbacks: it takes screen real estate, but with current wide-screen monitors that is hardly a drawback for me. Besides, Xobni can be collapsed quickly. And best of all, Xobni is free; it is now in beta, but they are committed to providing a free service. You can download Xobni from the Xobni website.

Not convinced yet? Watch the video to see what Xobni offers:

Steve Krug on usability

Tuesday 16 December 2008

One of my favorite software development books is “Don’t Make Me Think” by Steve Krug. It is a book that everybody even remotely involved in creating applications or websites for users should read: practical and down-to-earth advice on how to approach the difficult subject of usability.

Steve gave a presentation at the Business of Software conference this year. His presentation is now available as a video on blip.tv. A bit dry in tone, but great in content. Besides, it is nice to hear him speak and explain some great and not so great examples of web design. If you have never seen eye-tracking software at work, watch from around minute 14:00 onwards; it gives you a feel for how people actually look at pages. In fact, more scanning than looking.

More information and links on usability in web design at the Usability First site.

LinkedIn new search platform

Wednesday 3 December 2008

The success of the networking site LinkedIn is to a large degree a result of its great interaction design. The network effect does the rest to leverage their investment in interaction design. Interaction design requires many trade-offs and choices. Good interaction design is not something that happens by sitting at your desk. You need to constantly monitor what works for users and what does not, and change your interaction experience accordingly.

The LinkedIn web interface has gone through many iterations. The most recent upgrade is to the search capabilities. Rather than explaining them here, have a look at the Announcing LinkedIn’s New Search Platform post on the official LinkedIn blog. It shows how LinkedIn analyzed user behavior and modified the experience to deliver an even better experience to its end users.

Sun Microsystems and Software

Monday 17 November 2008

Sun Microsystems recently announced they plan to cut 6000 jobs, about . The financial crisis looks more like the excuse than the reason.

Sun Microsystems is a hardware company in the process of becoming a software company. And it looks like the hardware revenues are declining faster than the company can ramp up the software revenues.

Sun and software have so far not been a happy marriage. I worked at Netscape and later iPlanet, and during that time I worked intensively with people from Sun. Sun has very smart people in the company, both in the hardware and the software divisions. Mind you, smart people at Sun came up with one of the biggest software innovations of the last 25 years: Java. However, the company has up to this point been managed mostly by hardware people, and this shows in the management and the results of their software portfolio.

The portfolio of Sun software has been handicapped by a string of mergers and takeovers, on most of which Sun failed to deliver: keeping the customers, selling the acquired software to new customers, and integrating the technology. A short but by no means exhaustive summary:

 

 

Sun is now mostly taking the open source route and is having trouble finding revenue in it. Sun does not have the entry into corporate accounts that allowed rival IBM in the 1990s to ramp up its software license sales of the WebSphere product range to compensate for the decline in hardware revenues. At the same time IBM has established itself as a services company, a strategy completely absent at Sun.

Interested in some software company archaeology? Visit the Mozilla museum.

Conway’s Game of Life

Tuesday 4 November 2008

Ever since the Sun xlock screensaver program at my university I have been fascinated by the visual display of Conway’s Game of Life. The screensaver shows a two-dimensional grid of Sun logos where the pattern evolves in iterations according to a few simple rules:

  1. Any live cell with fewer than two live neighbours dies, as if by loneliness.
  2. Any live cell with more than three live neighbours dies, as if by overcrowding.
  3. Any live cell with two or three live neighbours lives, unchanged, to the next generation.
  4. Any dead cell with exactly three live neighbours comes to life.

To get an idea how it works watch this short video:

The starting pattern determines how the cells evolve in each iteration. There are four possible end states:

  1. a stable, static end state
  2. a periodic end state, where the pattern returns to the same state after a fixed number of iterations
  3. complete extinction, where no cells are populated
  4. an end state that is unlimited, meaning new cells keep being generated.

(Image: a glider pattern)

Number 3 is the end state for most starting patterns. Very specific start sets are required to arrive at state 1 or 2. Whether an ever-growing end state exists at all was an open mathematical problem, and Conway wrongly conjectured that no initial pattern could grow without limit. Conway offered a $50 prize to the first person who could prove or disprove the conjecture before the end of 1970. Bill Gosper was the lucky guy to be the first to find one, both winning the prize and having the pattern named after him: the Gosper gun. It is a pattern that emits a new so-called glider (see the glider image above) every 30 generations, so its population grows forever.
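As an added example (not code from the original post or from any of the programs mentioned), here is a small Python implementation of the four rules above on an unbounded grid, plus a classifier that sorts a starting pattern into the end states just listed. It detects extinction, still lifes (state 1) and oscillators (state 2), and by comparing patterns up to translation it also recognises moving patterns such as the glider; anything that has not settled after a bounded number of generations, such as a glider gun, is reported as unresolved. The starting patterns at the bottom are constructed for the example.

```python
from typing import Dict, FrozenSet, Tuple

Cell = Tuple[int, int]
Board = FrozenSet[Cell]

_NEIGHBOURS = [(dx, dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)]


def step(live: Board) -> Board:
    """One generation on an unbounded grid. Only cells with at least one
    live neighbour can be alive next generation, so neighbours are counted
    outward from the live cells instead of scanning a fixed grid."""
    counts: Dict[Cell, int] = {}
    for x, y in live:
        for dx, dy in _NEIGHBOURS:
            c = (x + dx, y + dy)
            counts[c] = counts.get(c, 0) + 1
    # rule 4: a dead cell with exactly three neighbours is born
    # rule 3: a live cell with two or three neighbours survives
    # rules 1 and 2: everything else dies (a cell with no neighbours never appears in counts)
    return frozenset(c for c, n in counts.items() if n == 3 or (n == 2 and c in live))


def normalise(live: Board) -> Tuple[Board, Cell]:
    """Translate the pattern so its bounding box starts at (0, 0); returns
    the shape and the offset, so that moving patterns can be recognised."""
    if not live:
        return live, (0, 0)
    ox = min(x for x, _ in live)
    oy = min(y for _, y in live)
    return frozenset((x - ox, y - oy) for x, y in live), (ox, oy)


def classify(start: Board, max_gen: int = 500) -> Tuple[str, int, Cell]:
    """Run until the pattern dies, repeats (possibly shifted), or max_gen is
    reached. Returns (kind, period_or_generation, displacement_per_period)."""
    seen: Dict[Board, Tuple[int, Cell]] = {}
    live = start
    for gen in range(max_gen + 1):
        if not live:
            return ("extinct", gen, (0, 0))
        shape, offset = normalise(live)
        if shape in seen:
            gen0, offset0 = seen[shape]
            period = gen - gen0
            shift = (offset[0] - offset0[0], offset[1] - offset0[1])
            if shift != (0, 0):
                return ("spaceship", period, shift)
            return ("still life" if period == 1 else "oscillator", period, shift)
        seen[shape] = (gen, offset)
        live = step(live)
    return ("unresolved", max_gen, (0, 0))   # e.g. a glider gun: keeps growing


def render(live: Board) -> str:
    """ASCII picture of the pattern, '#' for live cells."""
    if not live:
        return ""
    shape, _ = normalise(live)
    w = max(x for x, _ in shape) + 1
    h = max(y for _, y in shape) + 1
    return "\n".join("".join("#" if (x, y) in shape else "." for x in range(w))
                     for y in range(h))


# Constructed starting patterns (x, y), y growing downwards
BLOCK = frozenset({(0, 0), (1, 0), (0, 1), (1, 1)})
BLINKER = frozenset({(0, 1), (1, 1), (2, 1)})
GLIDER = frozenset({(1, 0), (2, 1), (0, 2), (1, 2), (2, 2)})
LONELY = frozenset({(0, 0)})

if __name__ == "__main__":
    for name, pattern in (("block", BLOCK), ("blinker", BLINKER),
                          ("glider", GLIDER), ("lonely", LONELY)):
        print(name, classify(pattern))
    print(render(GLIDER))
```

The block is a still life, the blinker an oscillator of period 2, the single cell dies in one generation, and the glider comes back to its own shape every 4 generations, shifted one cell down and one to the right.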

There are many free programs that allow you to inspect and play with Conway’s Game of Life. For example:

Browsers and secure sites

Monday 3 November 2008

On the web, SSL certificates are the common way to verify the identity of the owner of an https-based website. Compared to older generations, the new generation of browsers has far better support for displaying the amount of trust (or lack thereof) you should place in the owner of the site you are visiting.

Chrome uses a yellow address bar to indicate a valid SSL-enabled site:

Firefox does, in my opinion, an even better job by adding a green logo at the start of the address bar:

IE uses only a yellow padlock icon to confirm a secure connection with an SSL-enabled site.

On top of that, IE uses colors to indicate how secure a connection is:

  • White: The certificate has normal validation. This means that communication between your browser and the website is encrypted. The certification authority makes no assertion about the business practices of the website. Sample: https://www.verisign.com.
  • Green: The certificate uses extended validation. This means that communication between your browser and website is encrypted and that the certification authority has confirmed the website is owned or operated by a business that is legally organized under the jurisdiction shown in the certificate and on the Security Status bar. The certification authority makes no assertion about the business practices of the website
  • Yellow: The authenticity of the certificate or certification authority that issued it cannot be verified. This might indicate a problem with the certification authority’s website.
  • Red: The certificate is out of date, invalid, or has an error.

Note that for the colors to work you need the IE Phishing Filter turned on, which requires you to send anonymous information to Microsoft while browsing. Mine was off by default. If you turn it on, you will see this while browsing an extended validation site:

Be aware that when it comes to security a valid SSL certificate only indicates how much you should trust the identity. It does not tell you anything about the amount of trust you should put in the intentions of the site. It would be perfectly possible to found a company called I Steal Your Money Inc., get a valid certificate for http://www.istealyourmoney.com, get a green bar, and walk away with your money if you entrust it to that site.

Some more reflections on the validity of the greenness in the browser address bar in “Will Firefox have a green bar?”.

Email marketing and encoding

Friday 31 October 2008

Yesterday I received on my Gmail account a commercial e-mail with the following subject line:

What a great way to get my attention. As someone interested in encodings, that is; I doubt whether this will make a good impression on the general audience.

This and many other commercial e-mail senders have trouble getting encoding right. It is simple, but not easy to do. I have written before about encoding and Joel Spolsky has a great article about it. Encoding e-mails is even harder than web pages and most other documents, because e-mail delivery is only safe for 7-bit characters and an e-mail is a combination of an envelope (which you do not see), the header (of which you see parts) and the contents. Each part has its own rules for encoding. Having only 7-bit channels means you can only send 128 different characters. Characters with higher numbers such as é, ø and ü, used in most European countries, must therefore be encoded.

Going back to the above subject line: the appearance of =?Windows-1252?Q? in it clearly indicates that something went wrong using the Windows-1252 encoding. Subject lines are part of the e-mail header, and non-ASCII text in headers must be encoded using the so-called MIME encoded-word syntax (described in RFC 2047). The format of this encoding is “=?charset?encoding?encoded text?=”, where encoding can be either B for base64 or Q for quoted-printable and the encoded text is written using the specified encoding.

At first look there seems to be nothing wrong with the subject line “=?windows-1252?Q?Kerst_of_Oudjaar_buitenshuis_vieren?_Onze_tips_voor_de_feestdagen.?=”. A closer look reveals that the question mark in the subject text itself is the problem. Since the question mark is used as a delimiter in the encoded-word syntax, it must itself be encoded, as =3F in quoted-printable (the same goes for “=” and “_”; and since an encoded-word may be at most 75 characters long, a subject of this length must also be split into several encoded-words). Most likely the developer of the library used to compose and encode the e-mail overlooked this part of the RFC 2047 specification.
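As an added example, not code from the original post or from any mail library, here is a small Python encoder and strict decoder for RFC 2047 encoded-words that shows exactly what went wrong above: it encodes the question mark as =3F, splits long subjects into encoded-words of at most 75 characters, and its decoder rejects the malformed subject line from the e-mail instead of guessing. The function names (q_encode, encode_header, decode_header) are my own; in production Python’s email.header module provides the same service and should be used instead.

```python
import base64
import re

# Added example: the RFC 2047 encoded-word syntax for header fields such as
# Subject:      =?charset?encoding?encoded-text?=
# In the Q encoding "=", "?", "_" and every non-printable or non-ASCII byte
# MUST be written as =XX; a space MAY be written as "_".
MAX_ENCODED_WORD = 75        # RFC 2047 section 2: hard upper bound per word

# Strict grammar: neither charset nor encoded-text may contain "?" or space.
_ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([QqBb])\?([^?\s]*)\?=")


def q_encode(text: str, charset: str) -> str:
    """Q-encode text for an unstructured header such as Subject."""
    out = []
    for b in text.encode(charset):
        if b == 0x20:
            out.append("_")
        elif 33 <= b <= 126 and b not in b"=?_":
            out.append(chr(b))
        else:
            out.append("=%02X" % b)        # "?" -> =3F, 0xE9 -> =E9, ...
    return "".join(out)


def encode_word(text: str, charset: str = "utf-8") -> str:
    return "=?%s?Q?%s?=" % (charset, q_encode(text, charset))


def encode_header(text: str, charset: str = "utf-8") -> str:
    """Split into encoded-words of at most 75 characters; adjacent
    encoded-words are separated by a space that the decoder must drop."""
    words, chunk = [], ""
    for ch in text:
        if chunk and len(encode_word(chunk + ch, charset)) > MAX_ENCODED_WORD:
            words.append(encode_word(chunk, charset))
            chunk = ""
        chunk += ch
    words.append(encode_word(chunk, charset))
    return " ".join(words)


def well_formed(word: str) -> bool:
    return _ENCODED_WORD.fullmatch(word) is not None


def decode_word(word: str) -> str:
    m = _ENCODED_WORD.fullmatch(word)
    if m is None:
        raise ValueError("not an RFC 2047 encoded-word: %r" % word)
    charset, encoding, payload = m.groups()
    if encoding in "Bb":
        return base64.b64decode(payload).decode(charset)
    data, i = bytearray(), 0
    while i < len(payload):
        c = payload[i]
        if c == "_":
            data.append(0x20)
            i += 1
        elif c == "=":
            data.append(int(payload[i + 1:i + 3], 16))   # raises on bad hex
            i += 3
        else:
            data.append(ord(c))
            i += 1
    return bytes(data).decode(charset)


def decode_header(header: str) -> str:
    """Decode every encoded-word in a header. Plain tokens pass through, and
    whitespace between two adjacent encoded-words is dropped (RFC 2047 6.2)."""
    out, prev_encoded = [], False
    for token in header.split():
        encoded = well_formed(token)
        text = decode_word(token) if encoded else token
        if out and not (prev_encoded and encoded):
            out.append(" ")
        out.append(text)
        prev_encoded = encoded
    return "".join(out)


# The subject line from the post, as received (constructed copy), and the
# text the sender meant to put in it.
BAD_SUBJECT = ("=?windows-1252?Q?Kerst_of_Oudjaar_buitenshuis_vieren"
               "?_Onze_tips_voor_de_feestdagen.?=")
PLAIN_SUBJECT = "Kerst of Oudjaar buitenshuis vieren? Onze tips voor de feestdagen."

if __name__ == "__main__":
    print("received subject well-formed:", well_formed(BAD_SUBJECT))
    print("correct encoding:", encode_header(PLAIN_SUBJECT, "windows-1252"))
```

The strict decoder is deliberately unforgiving: a lenient decoder that tolerates a stray “?” would hide the bug on the sender’s side, which is exactly how lines like the one above end up in inboxes.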

Searching text

Wednesday 29 October 2008
Search is becoming the ubiquitous way of finding information. Thanks to Google, people are now accustomed to typing a few keywords into a single search field. And they want relevant answers. Providing those answers is not as easy as it seems at first look.
 
Searching text is difficult because you need computers to do something which is hard even for humans: understanding written text. In order to provide relevant answers you need linguistic analysis far beyond simple keywords. If a text contains the word Amsterdam it makes a huge difference whether the text is actually about Amsterdam or whether Amsterdam just happens to be the location of one of the offices of the company that is described. Good search software can tell the difference.
 
Most search software provides organic results: an indexer or crawler loads all documents into a search database, and based on the queries entered the search database displays the results that best match the query. Intelligent search systems need to know that some terms can mean different things, and modify the results so that each of the different meanings is represented in the first results, instead of showing 500 links about the most popular meaning.
 
Companies that use search on their site may want to consider guiding the search in some way. Instead of depending on organic results for common queries, like a product number, you want to choose the first result yourself: a product or support page, for example. If you need this behavior, include it in your selection criteria; not all solutions provide this functionality.
 
Software and hardware solutions for implementing text search: