Shahzad Bhatti Welcome to my ramblings and rants!

Despite a few law suits filed by IT companies such as EA, most companies expect IT (and non-IT) staff to work more than 40-hours per week. As payroll laws exempt IT folks from overtime, it is very hard to do anything about it. There are still effects of the dot bomb and most of the jobs have not returned or have gone to offshore. All this has given companies free reign to treat their IT employees however they want. I have seen companies where despite the fact that people are working 70-80 hours a week, when they asked for raise they were told, “You should be thankful for having a job.” There are plenty of companies who think the only way they can compete with offshore is to match sweatshop environment of offshoring and put their employees with 14 hours a day with 6-7 days a week.

Blue collar jobs have been moved to offshore with a little uproar, and offshoring of white collar jobs in IT have received not much fret publically either. Clearly, common folks are losers and multinational companies are winners in this deal. The only slight consolation in all this is that may be third world countries can use this to help boost their living standards and undo brain drain that has been effecting them.

Nevertheless, IT professionals are paying for this and will continually pay. It resulted in not only loss of jobs, but the overall working environment in most organizations has become pretty bad with long hours and a little pay. Many consulting companies are resorting to sweatshop mentality of offshore companies because they think that is the only way they can compete. Smart engineers are betting on innovative technologies that can boost their productivities such as Lisp, Ruby or Smalltalk and using agile methodologies that focus on test-driven incremental delivery and meets customer’s expectations. But that only give you so much headstart because offshore companies will catchup. It’s true that most offshore work is grunt work than innovative, but that will change also. The only advantage companies can have is to hire real good people who are 100x times more productive and that may give them some breathing room. Many studies show that onsite person is at least twice as productive as offshore. However, in most companies decisions are made by suits, who think they cannot miss offshore train and trend will continue in that direction.

Tunnel Visioning Syndrome
In my fifteen years of career, I have come across more than one companies,
that has severe tunnel vision syndrome. Basically, the project starts
modestly with sizable requirements and a few moderately experienced
developers, but as the project grows the only area of focus for the project
remains keep delivering the features. Both business people and developers
are keen on making next release and applying code and fix methodology.
Clearly, the business folks having used to the initial velocity of the
project don’t want to wait and the project size has grown beyond developers’
capabilities.

I consider this a tunnel vision syndrome, when folks are only focusing on
short term deliverables. Though, focused attention is good technique to
deliver one thing instead of juggling too many things. However, you need
peripheral vision to understand surrounding activities and be prepared for
related issues. I like the comparison with gardening where you keep triming
it and maintaining the overal beauty of the garden. But the team is too
busy with features to focus on any kind of minor refactoring or architecture
level refactoring. One thing that contributes is lack of an architect in
the team.

Of course, the heart of the issue lies with using code and fix methodology,
that slows down the fluidity of the deliverables and the team continue
try to meet customer’s expectations. Meanwhile, the code becomes rotten,
the architecture (if there was one) becomes unwiedly. Though, people
start realizing the pain, but they still don’t slow down or try to change
their behavior. The management is clueless and keep harping on deliverables
and developers have buried their heads down in implementing some features.
All this results in big QA cycle that takes weeks to manually test features
and results in hundreds of bugs that come back to developers (code and fix).

The quesiton is how to get out of this if no one is willing to address
the hard core issues or take responsibilites. Obviously one way is to
walk out of this situation, but having been run into these situations
a few times before, I am not sure my next place will be any better.

[Note: these companies have not been small or non-tech related, but
each had more than $100M revenue and 500+ IT staff]

Anemic Domain Model
I read an interesting post from my friend Ed at http://jroller.com/trackback/ewentworth/Weblog/is_the_anemic_domain_model. He responded to MF’s post on anemic domain model. I don’t think this is really about anemic domain model, instead it’s about separation of concerns. You can have objects with behavior that really belongs to those objects. However, some OO bigots stress on “Tell and don’t Ask” based behavior, which means instead of getters tell the object to what to do. This means that I can tell the object to save, print, etc. I think this is taking OO a bit too far. I wonder these people ever maintained a large enterprise system. In real system, separation of concerns or modularization means ease of maintenance and extensibility. I would not want to put persistence, printing or any other external capabilities to my domain objects, instead define them as a service.

As long as using business objects in service interfaces as opposed to DTO, I find that it does lead to simple services. However, in many cases business objects are not simple, instead they have very deep relationships with other objects. So if you need to send these objects in disconnected mode then you have to realize these objects along with dependent objects. This is just additional overhead and cause data-coupling. I like to design services using top down design and based on explicit contract. I want the interface and all objects that it is using or returning explicit. So, I actually prefer DTOs in these cases, because I know exactly what data the service needs and don’t introduce unnecessary data coupling.

SOA/ESB
Enterprises from financial institutions to manufacturers are continuing to adopt technology with the same goals in mind.to make operations more efficient, take advantage of opportunities quickly, and make better decisions than their competitors. But while all of them can purchase the same systems and software, the real advantage comes from being able to apply these tools in innovative and productive ways. Creating an application infrastructure that pays dramatic dividends for the enterprise requires skills in determining how to architect applications that make effective use of core services.

The latest in a line of application infrastructures produced by industry analysts and strategic consultants is the service-oriented architecture(SOA). To many, it sounds like a collection of randomly assembled industry buzzwords. But the concept itself is straightforward. An SOA, at its heart, is a collection of services. A service is a software component that is well-defined, both from the standpoint of software and business function, and doesn’t depend on the context or state of any application that calls it.

These services are typically implemented as Web services, accessible by applications through the Simple Object Access Protocol (SOAP), an XML form transmitted over HTTP. The advantage of using Web standards in an SOA is that the services can more easily adapt to different applications. Nothing in particular has to be done programmatically to the service, except to enable it to receive requests and transfer results using SOAP. So, in many cases, Web services are straightforward for an enterprise to build, and existing software can even be adapted to create new Web services.

How does an SOA give an enterprise a competitive advantage, and enable it to respond rapidly to business opportunities? Simply, it enables an enterprise to define the essential services it requires to serve its core business needs efficiently, and to adapt rapidly to changing business conditions. Once these core services are implemented, any application can call upon them to access and analyze data, build new business models, or provide data or features that make that application immediately pay back its investment.

This means that SOA is both a technical and a business strategy. It’s a business strategy in that services deliver core value to the business. The services that comprise the SOA must be designed with an intimate understanding of the business, in order to determine what capabilities can be used across multiple applications. And they must be general enough to support multiple applications with different purposes, yet specific enough to provide real value to individual applications.

From a technology point of view, the challenge is in the architecture of the enterprise Web services. Because an SOA is fundamentally a flow and a relationship of service interfaces, designing the interfaces and their relationships requires an exceptional knowledge of Web technologies, business processes, and the technology platform underlying the services and the applications that employ them. The architect must understand not only how Web services are constructed, but how they are used by both existing applications and applications planned for the future.

1. Managing for Security
2. Mapping Security to SOA
3. Getting the Big Picture on Security
4. Special Report on SOA
5. Hidden SOA Challenges
6. Designing a Better SOA
7. Explore the Dark Side of SOAs
8. Establish a Service-Oriented Framework
9. Debunking 3 SOA Myths
10. SOA: The End of Integration
11. The Critical Role of Shared Services
12. Avoid Dead-End SOAs
13. Use a Services-Network Approach
14. SOA Report
15. Top 10 ESB Myths
16. Take the Enterprise Service Bus
17. Enterprise Architect Summit 2004 Slide Presentations
18. XML and Web Services: Are We Secure Yet
19. Extensible ESB
20. SOA Design: Meeting in the Middle
21. ESB for Distributed Integration
23. Take the Enterprise Service Bus
24. Chapel Video

What’s Web 2.0
I heard Jason Fried talk about Web 2.0, clearly he is the leader and visionary. Here is a few characteristics I found from his talks and other folks:

• Simple and a few features, i.e. less is more
• Start with interfaces and customer experience (no functional specs)
• Rich Internet Application
• Social networking like FOAF
• Tagging
• YAGNI
• Interactive — AJAX
• SOA
• Decisions are temporary
• Embrace constraints
• Work on immediate features and buy as late as you can
• Examples:
  • http://www.37signals.com/
  • http://www.tadalist.com/
  • http://flickr.com/

On today’s show, Matt Olander of Offmyserver shows how to create a processing cluster using old computers. The cluster Olander assembles is called a Beowulf cluster. Olander also talks about using FreeBSD for clusters. Take a look at the Offmyserver cluster built for today’s show.

OS support

Linux offers operating system level support for linking independent PCs. This technology is called “clustering.” It’s usually implemented for one of three reasons: parallel processing, load balancing, or fault tolerance.

Clustering is supported in Windows Server 2003.

Mac OS X Server supports clustering. Read how Carnegie Mellon University implemented its Mac OS X clusters.

Cluster links

Learn more about clusters by clicking on the links below.

• offmyserver.com

• FreeBSD cluster forum
  Mailing list for technical discussions related to creating clusters of FreeBSD computers.

• Beowulf.org
  Comprehensive resource for Linux clustering.

• Beowulf cluster mini-how-to
  Written by Ole H. Nielsen at the Technical University of Denmark

• Guide to Creating and Configuring a Server Cluster under Windows Server 2003
  White paper with step-by-step instructions for creating and configuring a typical single quorum device multi-node server cluster.

• Deploying Mac OS X in Clusters
  Carnegie Mellon University’s deployment plan.

• PS2 Supercomputer
  How PlayStation 2 devices are linked together to create a cluster.

Articles Checkout a great articles about:
Slimp3 Streams Your MP3s for Free

Integrating Struts, Tiles, and JavaServer Faces

 Apache Beehive - http://incubator.apache.org/beehive/
 SDO - http://www-106.ibm.com/developerworks/library/j-sdo/
 DOM4J - http://www.dom4j.org/
 Spring - http://www.springframework.org/
 Cocoon - http://xml.apache.org/cocoon/index.html
 Spring - http://www.springframework.org/
 Cocoon - http://xml.apache.org/cocoon/index.html
 WebApp Framework - http://webapp.de/en/
 Arch4J - http://arch4j.sourceforge.net/
 JSF - http://java.sun.com/j2ee/javaserverfaces/index.jsp
 Struts - http://struts.apache.org/
 Tapestry - http://sourceforge.net/projects/tapestry
 WebWork - http://www.opensymphony.com/webwork
 Echo - http://www.nextapp.com/products/echo
 Expresso - http://www.jcorporate.com/html/products/expresso.html
 Jade - http://sourceforge.net/projects/salmon
 JOT Servlets Framework - http://www.jotobjects.com/
 JUnit - http://www.junit.org/index.htm
 Castor - http://www.castor.org/
 Hibernate - http://www.hibernate.org/
 OJB - http://db.apache.org/ojb/
 JDO - http://java.sun.com/products/jdo/
 O/R Broker - http://orbroker.sourceforge.net/
 Cayenne - http://objectstyle.org/cayenne/
 O/R Broker - http://orbroker.sourceforge.net/
 Cayenne - http://objectstyle.org/cayenne/
 Jena - http://jena.sourceforge.net/
 Framework for Java Database Connectivity -
 http://www.alphaworks.ibm.com/tech/framework4jdbc
 Grid Application Framework for Java -
 http://www.alphaworks.ibm.com/tech/GAF4J
 Java 2 Collections -
 http://java.sun.com/j2se/1.4.2/docs/guide/collections/
 Avalon - http://jakarta.apache.org/avalon/index.html
 Cactus - http://jakarta.apache.org/cactus/index.html
 Turbine - http://jakarta.apache.org/turbine/index.html
 JPOPS - http://jpos.org/
 A Java framework for GPS - http://www.aasted.org/gps/
 MyFaces - http://incubator.apache.org/projects/myfaces.html
 Sun Java Media Framework -
 http://java.sun.com/products/java-media/jmf/index.jsp
 A framework for Internet Distributed Computations -
 http://www.imc.pi.cnr.it/java.html
 http://www.imc.pi.cnr.it/java.html
 The Real time Java Framework -
 http://control.ee.ethz.ch/~ceg/RealTimeJavaFramework/doc/index.html
 Java Agent Framework - http://dis.cs.umass.edu/research/jaf/
 Janx - http://www.bearriver.com/janx.html
 Open Card - http://www.opencard.org/
 Piccolo - http://www.cs.umd.edu/hcil/piccolo/
 Symphony - http://zuni.cs.vt.edu/symphony/
 
 

Cool Outdoor Wireless Internet
Wireless Outdoor

Embedded Security: Top Ten Myths

by Mukesh Lulla, TeamF1

Perhaps no other area of embedded technology gets as much visibility today as security. After all, if .connectivity. of modern embedded systems was the wave of the last decade, it.s no surprise that .secure connectivity. is becoming an almost inescapable requirement as networks come of age. The prevalence of wireless, remote management, storage, and mobile technologies has reinforced the urgency of this requirement and sparked renewed interest in not just protection of data-in-transit, but also data-at-rest.

State of the Onion

As prolific as the exhortations to protect embedded devices are, the current state of security in many embedded applications still hovers somewhere between confused complacency and intimidated inaction.

.Security is a multi-dimensional problem., insist some pundits while others claim, .simplicity is the key to practical security.. .Think of security as an onion with layers and layers of defenses., more experts chime in. .Layers serve as obfuscation and give you an illusion of security., retort the critics. Confusion hath now made his masterpiece!

While the high priests of security duke it out and management, sniffing the fumes of unrealistic end-customer demands, wants nothing short of an absolute guarantee of security, we engineers are frequently left to sort out what is and what is not feasible. When it comes to security, conventional wisdom just isn.t!

Hit or Myth

Muddying the waters further are some widely held misconceptions. We cannot resolve the apparent contradictions surrounding the best practices for secure devices without first clearing this fog, so we.ll start by dispelling ten of the more egregious myths surrounding this subject:

1. Myth #10 : We aren.t the likely target of an attack

   This is the most pernicious myth of all and takes various forms: .The data on/from my device is useless to others, ergo I don.t need any security.. Or, .who would ever want to spend the effort to hack my system?.. But with the proliferation of easily accessible hacking tools, advanced crackers aren.t all you need to worry about-a whole army of kiddie-script writer wannabes is waiting for their 15 minutes of fame.

2. Myth #9 : My embedded system.s security has never been broken, so it.s all we need

   Sure, that.s like saying: .I intend to live forever – so far, so good.. Enough said!

3. Myth #8 : My device is password .protected.

   Well, password protection at least implies awareness of a requirement for security. However, passwords are usually sent over a network in clear-text and are easily captured by packet sniffers on intermediate network nodes. In most cases, they provide only a deceptive veneer of security. If the password scheme protects remote management or access to the device, an attacker could potentially gain complete control of the device with impunity. Even if passwords were sent over a secure channel, they may still be susceptible to dictionary attacks.

4. Myth #7 : Security protocol XYZ is the silver bullet

   Once convinced that real security is needed, many users start looking for a quick fix believing that some single well-known security protocol is all that their device needs. One common manifestation: .My device has a firewall, so I don.t need to worry about security threats.. Such delusions of adequacy may blind one to serious vulnerabilities in the system such as lack of protection for network data.

5. Myth #6 : Two security protocols are better than one

   This is only a half-myth, but is so frequently abused that it deserves attention. Belief that there is no one panacea for security convinces some to take it to the next logical step-back up the truck and load up on it. After all, more security can.t be worse than less security. But what.s forgotten in this exquisite distillation of logic is that security is weakest at the seams, so adding multiple security layers to an embedded device without thinking it through is like putting three dead-bolts on a door whose door jamb is not anchored to the wall. Security should be a strategy, not a bunch of protocols.

6. Myth # 5 : Security is the same as encryption

   This myth and its corollary-.cryptography is the same as encryption.-are byproducts of buzzword hype. Certainly, encryption is a cornerstone of information security, but consider this fallacy: what if an encrypted (and thus, confidential) connection goes not to the entity you expected to communicate with, but to an unauthorized one? In other words, you may have a completely secure channel, so no one else can listen in to your conversation with. an attacker! Security needs to include authentication (identity verification), integrity (tamper-resistance), and various other techniques to thwart attacks. These are typically based on cryptographic operations, which include but are not limited to encryption.

7. Myth #4: More .bits. mean stronger security

   Yet another fallacy related to encryption is that more .bits. of encryption mean higher security strength. However, like all data, the impact of the .bits. (usually key-size or block-size of encryption algorithms) only depends on the application that uses it-in this case, the encryption algorithm. Assuming that 256-bit RC-4 is stronger than 128-bit AES encryption is like comparing apples to oranges, not to speak of the watermelons that elbow their way in when 1024-bit public-keys (RSA, DSA) are thrown into the equation.

8. Myth # 3 : Security will get in the way of my application

   Security is a subject that turns many embedded developers off. The resource requirements (code size, memory usage, CPU .horsepower.) for cryptography are often formidable by embedded standards. Even if that were reconciled, developers often think that security detracts from their productivity by making things difficult. However, a well-designed security solution that leverages hardware / software optimally, and provides a common framework to secure different aspects of an embedded application can be less intrusive than one may imagine.

9. Myth #2 : I can do it better

   Embedded development frequently revolves around the efficiency of solutions developed in-house because .No one understands my systems as well as I do.. Security protocols, in particular, are viewed as laden with more baggage than a Samsonite factory, so some developers concoct small-footprint, lightweight implementations without the .bells and whistles.. If this is done without a full understanding of why a protocol required it, the bell or whistle that was left out might spell the difference between strong and weak security, and worse, may not be exposed until it.s too late.

10. Myth # 1 : A proprietary implementation is more secure than an open one

    It is a human tendency to equate secrecy with protection of sensitive information and this reasoning has been used to promote some really arcane security implementations. However, if secrets extend beyond the realm of replaceable secret keys to the use of secret methods and implementations, this can be a major cause of brittleness. .Security by obscurity. flies in the face of good security practices. Core security-especially the security protocol and cryptography-should be based on code available for public review. This ensures a deeper analysis of any vulnerabilities than would be possible with any single company.s proprietary code which claims compactness and is written partially in .high-performance. assembly that looks like line noise, just so that .no one can break into it..

Deconstructing Security

Achieving strong security is indeed a multi-dimensional problem, but the key is to architect the system using a cohesive approach to security, rather than stitching together a solution from various pieces-remember, the seams are always the most vulnerable. Inadvertent vulnerabilities resulting from the use of a well-designed crypto algorithm in an application it was never intended for, may be worse than choosing a weaker algorithm and knowing the consequences upfront. The .layers-of-onion. model of security can provide defense in depth, but only if the layers are standard components put together in a consistent manner so as to complement each other.

It is important to recognize the different facets of the embedded security problem first and make sure all relevant ones are considered in the solution. One way to divide the security requirements of an embedded system is to analyze three areas:

Data Security-security of raw data residing on the device e.g. configuration files, statistics, or even databases.

System Security-security of the embedded device as a networked node, or security of the perimeter of a network of devices.

Network Security-security of the data moving between a device and other systems.

Of course, a heavy-gauge steel box welded shut is a very secure container indeed, but not a very useful one. So it is important to remember that a secure system does need to allow access to AUTHORIZED users. This ties in to the concept of identity or more specifically, proving that an entity is who it purports to be-Authentication, which is another important dimension of security that needs to be analyzed.

An embedded device that integrates these elements of security in a seamless manner and complements them with consistent system-wide security policies would be a truly secure device, not just one believed to be secure. After all, while optimism has its place in the world, it has no business being a part of your device.s security strategy.