Above par

Today, around 12:30 pm EDT, the Canadian loonie was worth more than the US greenback for the first time in 31 years (CBC story). By contrast, the Canadian dollar hit a low of somewhere around US $0.63 in the late 1990s.

Everyone’s poorer

I’d like to gloat and do the “Oh Canada” thing, but a weak U.S. dollar is bad news for a lot of us in Canada — effectively, the value of many of my investments (the U.S. stocks), of our little family airplane, and (most importantly) of my consulting fees have all declined by almost 40% this decade vs. what they’d be if the greenback had held its value. Almost every tech company depends on the US market, and they’re all going to take yet more price hits.

South of the border: in denial

I’m not sure that most Americans understand how bad things are. A significant part of the apparent gains in the U.S. stock markets since the dot-com crash are actually just adjustments for the falling U.S. dollar — look at the U.S. stock market recalibrated in euros or sterling, and it’s probably not doing very impressively. Americans’ houses, cars, savings, and salaries are all worth a lot less than they think: if you’re making US $100K today, that’s the equivalent of around $65K in the late 1990s against the loonie (worse against the euro or sterling, I think), and that’s before considering inflation. Ouch!

North of the border: no reason to be smug

Another reason not to gloat is that — while Canadian governments do some things better than the U.S. (like balanced budgets) — much of our current economic strength comes from the resource sector, where oil and metal prices (among others) are sky high. The resource sector is cyclical, though, and it won’t protect us from the problems in the U.S. forever.


Ubuntu gutsy is about to mess up

Ubuntu — my favorite distro of my favorite OS — is about to mess up. The next official release, Gutsy Gibbon, is scheduled for release in a month.

In an attempt to out-cool Vista and OSX, they’re switching over to compiz as the default window manager on systems with 3D hardware support, to enable all kinds of 3D effects for windows and dialogs. Unfortunately, that leads to two big problems:

  1. Even on a fast machine (I’m running on a 2.2 GHz dual-core), there are long pauses/freezes while doing things like typing into OpenOffice or entering info into dialog boxes (including lost info typed into dialogs) — I actually uninstalled the 3D driver to make my machine usable, before I realized that compiz was the problem.

  2. For machines with Nvidia cards, X windows will crash (using the current Nvidia binary drivers) if you run any other 3D app under compiz.

Ubuntu has a well-deserved reputation as the Linux distro that just works out of the box — on desktop machines, at least, it’s generally easier to install than Windows — and giving all that away in gutsy for a bit of dubious eye candy looks like a bad move. People who want compiz can enable it with a single click in gutsy’s GUIs.


Overwhelming response to XML 2007

Thank you to everyone who submitted a proposal for XML 2007 — the last-minute response was overwhelming, and we ended up with nearly four proposals for each available speaking slot.

Our volunteer reviewers are now at work reading and grading all of your proposals, and the planning committee will meet in Boston the weekend of 14 September to block out the venue and draw up the schedule. If you accepted an invitation to review and haven’t received your assignments yet, please check your inbox and spam folder just to be safe, then send me a note if you don’t find anything.


XML 2007 overview schedule available

Reminder: the XML 2007 Call for Participation deadline is tomorrow. Thanks to the many people who have already sent in proposals.

While we haven’t chosen the actual presentations yet, there is now an overview schedule of the XML 2007 conference (3-5 December, Boston) available to help you schedule your visit. The registration page will be going online soon. Hope to see you there!


Two problems with Google Maps for aviation

I love Google Maps and their API, and am using it extensively in my new web site OurAirports. However, there are two problems that keep coming up for using Google Maps with an aviation application:

[Diagram of Mercator projection]

  1. Google Maps uses a Mercator Projection, grossly distorting the northern and southern parts of the world, and cutting off the area near the poles so that a few of the Antarctic airports don’t show up on my maps at all. I can understand the reasons for their choice, with simple panning and tile paging and a rectangular area, but it can make things look pretty silly sometimes (such as Greenland and Africa appearing the same size).
  2. Google Maps does not provide an API call to draw a great-circle path. This seems to me to be almost a no-brainer, and it’s especially important in a Mercator projection, where the apparently straight paths drawn by the API are anything but (especially east-west). After messing with some out-of-date third-party libraries, I finally found some JavaScript at one site that does a good job on efficient, approximate great-circle paths, and am waiting to hear from the author about terms for reuse. Google might want to just go ahead and add this, though.


Aviation charts mostly use a Lambert conformal conic projection, which ensures that distances are preserved (any two points the same distance apart on the chart are the same distance apart in the real world); however, by definition this projection can’t show more than half the world at once, and generally shows much less than that, so it wouldn’t work for something like Google Maps.
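The great-circle path the post says the Maps API lacks is a short piece of spherical geometry. The block below is an added example, not code from the post, from OurAirports, or from the third-party library mentioned: it interpolates points along the geodesic between two coordinates (spherical linear interpolation on a unit sphere) and, for comparison, computes where the midpoint of a straight Mercator line between the same two points lands. Running both on two points at 60°N shows the effect the post describes: the straight Mercator line stays at 60°N while the real shortest path climbs to roughly 68°N.

```python
import math


def great_circle_points(lat1, lon1, lat2, lon2, segments=32):
    """Return segments+1 (lat, lon) pairs in degrees along the shortest
    great-circle arc from point 1 to point 2.

    Uses spherical linear interpolation of the two unit vectors, so the
    result is the geodesic rather than the straight line a Mercator map
    draws.  Antipodal endpoints have no unique shortest arc and raise
    ValueError.  Inputs and outputs are in degrees.
    """
    phi1, lam1 = math.radians(lat1), math.radians(lon1)
    phi2, lam2 = math.radians(lat2), math.radians(lon2)

    # Haversine formula: central angle d between the two points.
    h = (math.sin((phi2 - phi1) / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin((lam2 - lam1) / 2) ** 2)
    d = 2 * math.asin(math.sqrt(min(1.0, h)))
    if math.isclose(d, math.pi):
        raise ValueError("antipodal endpoints: great circle is not unique")

    points = []
    for i in range(segments + 1):
        f = i / segments
        if d == 0.0:  # coincident endpoints: nothing to interpolate
            points.append((float(lat1), float(lon1)))
            continue
        a = math.sin((1 - f) * d) / math.sin(d)
        b = math.sin(f * d) / math.sin(d)
        # Weighted sum of the two unit vectors, then back to lat/lon.
        x = a * math.cos(phi1) * math.cos(lam1) + b * math.cos(phi2) * math.cos(lam2)
        y = a * math.cos(phi1) * math.sin(lam1) + b * math.cos(phi2) * math.sin(lam2)
        z = a * math.sin(phi1) + b * math.sin(phi2)
        lat = math.degrees(math.atan2(z, math.hypot(x, y)))
        lon = math.degrees(math.atan2(y, x))
        points.append((lat, lon))
    return points


def great_circle_midpoint(lat1, lon1, lat2, lon2):
    """Midpoint of the shortest great-circle arc, in degrees."""
    return great_circle_points(lat1, lon1, lat2, lon2, segments=2)[1]


def mercator_straight_midpoint(lat1, lon1, lat2, lon2):
    """Midpoint of the straight line the Mercator map would draw between
    the two points, converted back to lat/lon in degrees.

    Mercator y = ln(tan(pi/4 + phi/2)); the straight line's midpoint is
    simply the average of the projected coordinates.
    """
    y1 = math.log(math.tan(math.pi / 4 + math.radians(lat1) / 2))
    y2 = math.log(math.tan(math.pi / 4 + math.radians(lat2) / 2))
    y_mid = (y1 + y2) / 2
    lat_mid = math.degrees(2 * math.atan(math.exp(y_mid)) - math.pi / 2)
    lon_mid = (lon1 + lon2) / 2
    return (lat_mid, lon_mid)


if __name__ == "__main__":
    # Constructed sample: two points at 60 N, 90 degrees of longitude apart.
    print("geodesic midpoint:", great_circle_midpoint(60, 0, 60, 90))
    print("Mercator-line midpoint:", mercator_straight_midpoint(60, 0, 60, 90))
```

The list returned by `great_circle_points` is exactly what a map polyline wants: feed the points to the API's polyline call and the drawn line follows the arc closely, with more segments needed for longer east-west routes at high latitudes.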


Only 11 days to XML 2007 deadline

The deadline for paper proposals for XML 2007 is only 11 days away, on 31 August 2007.

Last year, we had a lot of good submissions come in late, and had to turn most of them down for lack of space. You can read more information about submissions here, then enter your proposal in the form at http://2007.xmlconference.org/user/proposal/new/4.

Note: There is no late-breaking proposal deadline for 2007. This is the only call for participation.

Stuff to think about

  • Our audiences are interested in all structural markup languages, not just XML. Proposals for talks on JSON, SGML, etc. are very welcome.

  • We have four tracks: Documents and Publishing, XML on the Web, Enterprise XML, and XML training. It’s OK if your paper fits in more than one track — just pick the best one (we’ll move it if necessary).

  • In addition to regular speaking slots, we have lightning rounds available for standards and spec groups on Tuesday evening. These are open to the public free of charge, and are a great opportunity to learn about a lot of XML-related standards and specs in a hurry.

  • Instead of a tutorial day with an extra registration charge, we’re offering a training track on Wednesday afternoon that’s open to all registrants, with a mixture of short and long sessions; standards, tech, and product training; etc.

  • Boston in December is not usually very cold, but the Back Bay, where our conference is held, is nothing if not cool.


[not] Protecting web sites and services from DNS rebinding attacks

Update: Nope, my solution won’t work. As Christian Matthies points out in the comments, it is possible to spoof the HTTP Host header as well (his link in the comment is broken because of an extra comma, but this one works). As a kludge, browsers could be modified to prevent Host header spoofing, but (a) it would take a long time to deploy to the world at large, and (b) it would be only a bandaid for a much bigger problem.

Summary: While there’s no way to protect browsers against the DNS rebinding attack, you can protect web sites and web services by forcing them to check the HTTP Host header with every request. This is easy to do for RESTful services going through a regular web server like Apache — you get it by default with virtual hosts — but might be trickier for WS-* services.

If you or your company is using HTTP-based web services (either WS-* or REST), you might be in trouble — a new exploit allows a web site from outside your firewall to use a web browser as a proxy to read any web site or service inside your firewall.

Artur Bergman at O’Reilly has a posting on the DNS rebinding (aka anti-DNS-pinning) attack that works against all major browsers, including all versions of Firefox and MSIE. There’s no obvious general fix for this, though there’s a Firefox extension that helps a tiny bit.

The attack

In a DNS-rebinding attack, the attacker is able to force your browser to read data from any IP address that your browser has access to, even if you’re behind a router/firewall, by changing the IP address associated with a domain name you’ve connected to. That means that given an IP address, an outside attacker can read your local website (at 127.0.0.1), anything behind your corporate firewall (such as an Intranet accounting page or a web service), or — I think (haven’t tested yet) — a website that you’re logged into using a cookie (HTTP authentication will force a popup, since the browser will see a different domain name, even if you’re logged into the site in another tab/window). If you run a local web server on your computer (say, at 127.0.0.1), you can go to http://www.jumperz.net/index.php?i=2&a=1&b=7, type in the local address, and see jumperz.net use the exploit to display the source of your home page.

The defence

There’s no way to protect the browser yet, but you can protect your HTTP-based sites and services from this attack very easily — in fact, many sites on the web are already unknowingly protected, though I don’t know if most enterprise web services are.

The trick is in the HTTP Host header. While the DNS rebinding attack can associate a new IP address with a hostname, it cannot change the hostname itself, so the browser will still send the original hostname to the new host. Nearly all shared-hosting servers — and many servers at dedicated hosts as well — will check the Host header to decide what pages to serve out. As long as the site does something harmless when it gets an unrecognized hostname (such as returning a “501 Not implemented” HTTP status code), the site will be safe from the attack. In Apache, for example, you use the ServerName directive for each virtual host, and just make sure that there’s a default virtual host that returns an error or at least does nothing harmful (Apache falls back to the first virtual host defined for a given address and port when no ServerName or ServerAlias matches, so that first one is the one to make harmless).

For Web Services, the same thing applies. It’s often tempting to use IP addresses instead of hostnames for web services (including RESTful services), especially during development, but doing so opens you right up to a DNS-rebinding attack, which could be very harmful if you’re using real data for development and testing. To protect your HTTP-based services from this attack, you need to make sure that every web service is accessed via a hostname rather than a raw IP address, and that every service checks its hostname. For RESTful services, this is trivially easy (since you’re probably going through Apache or something similar anyway, just as with a web site); for WS-* services, I don’t know the implementations well enough to be sure, but it should be possible to force them to check the Host header somehow.

Even if you’re not building web services, managing an enterprise intranet, or running a public web site, don’t forget to protect the web server on your local computer, if you have one.
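The check described above, written out for a RESTful service that does not sit behind Apache’s virtual hosting. This is an added example, not code from the post and not any particular server’s implementation: a small WSGI handler that refuses every request whose Host header is not one of the service’s own hostnames (the names in ALLOWED_HOSTS are constructed for the example), including requests that carry a raw IP address in Host, which matches the post’s advice to address services by name only. It answers with 421 Misdirected Request, a status defined in RFC 7540 after this post was written, where the post suggests 501; either works, since the point is that the response carries nothing from the real site.

```python
import ipaddress
from wsgiref.simple_server import make_server

# Constructed for the example: the hostnames this service is legitimately
# reached under.  Anything else in the Host header is treated as hostile.
ALLOWED_HOSTS = {"api.example.com", "www.example.com"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the Host header names one of our own hostnames.

    A rebinding attack can point an attacker's name at our IP, but the
    browser still sends the attacker's name in Host; a request that arrived
    under one of our names could not have been produced that way.
    """
    if not host_header:
        return False  # no Host header at all: refuse rather than guess
    host = host_header.strip().lower()
    if host.startswith("["):
        return False  # bracketed IPv6 literal, never one of our names
    if ":" in host:
        hostname, _, port = host.rpartition(":")
        if not port.isdigit():
            return False  # malformed port suffix
    else:
        hostname = host
    hostname = hostname.rstrip(".")  # tolerate a trailing dot (FQDN form)
    try:
        ipaddress.ip_address(hostname)
        return False  # raw IPv4/IPv6 address in Host: refuse
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    return hostname in allowed


def handle(environ):
    """Decide the response before touching any application logic."""
    if not host_is_allowed(environ.get("HTTP_HOST")):
        return "421 Misdirected Request", b"unknown host\n"
    # Placeholder for the real service; constructed response body.
    return "200 OK", b"intranet data\n"


def app(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Serve locally; a request with Host: 127.0.0.1:8000 is refused while
    # Host: api.example.com (e.g. via curl -H) is answered.
    with make_server("127.0.0.1", 8000, app) as server:
        server.serve_forever()
```

Because the check runs before any handler, the decision does not depend on each endpoint remembering to do it, which is the same property Apache’s default virtual host gives a web site.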


Three simple tips for LAMP web site developers

You’ve learned to write some basic HTML, CSS, PHP/Python/Perl and SQL, found a hosting service, and are ready to create your first LAMP web application. You’ve already read a bit about security (you know always to escape user-supplied parameters, etc.). Here are three very simple tips that will help you along right at the start, without getting caught up in religious wars about frameworks, MVC, REST, abstraction, object orientation, etc.:

  1. Keep all the database code together. Put all your database calls into a single source file if you can — functions like mysqli_query (PHP) should never appear anywhere else but in this file — and create neutral functions like get_member() or delete_cart() for the rest of your code to call. The reason for this is not so that you can switch databases in the future (that’s easy enough to fix), but so that you can easily do a search/replace when you rename or modify tables. If all your database code is in the same place, your application will be orders of magnitude easier to maintain and upgrade a few months from now. Seriously.

  2. Make an extra database for junk. If your hosting account allows more than one database, create at least two, say “foo” and “foo_cache” — put all the tables you need to back up into the first one, and all the stuff you don’t need to back up (views, caching tables, session states, etc.) into the second. Write a SQL script to automatically regenerate any required tables in “foo_cache” when you restore. That way, you won’t waste time and bandwidth every day backing up megabytes or gigabytes of stuff you don’t need and can easily regenerate.

  3. Make GET harmless. If you use HTTP GET (e.g. $_GET in PHP) to do things like deleting or modifying records, bad things will happen to your application — search engines will start randomly changing your database by following links (robots.txt might not be enough to protect you), browsers will delete records by trying to precache pages, etc. Always use POST (normally from a form button) for anything that can make a change. More here.
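Tips 1 and 3 together, as an added example that is not code from the post (Python with the standard sqlite3 module standing in for the PHP/MySQL pairing the post names, so that it runs anywhere): every SQL statement lives in one place behind neutral functions such as get_member() and delete_cart(), and the request dispatcher refuses to run any state-changing action unless it arrives by POST, so a crawler or prefetcher following links can only ever read. The table contents and the action names are constructed for the example.

```python
import sqlite3

# ---- Tip 1: all database code in one place --------------------------------
# The rest of the application never sees SQL, a cursor, or a table name;
# renaming a table means editing this section only.
_conn = sqlite3.connect(":memory:")
_conn.row_factory = sqlite3.Row


def init_schema():
    """Create the (constructed) sample tables and seed one member and one cart."""
    _conn.executescript("""
        CREATE TABLE IF NOT EXISTS member (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE IF NOT EXISTS cart (id INTEGER PRIMARY KEY, member_id INTEGER NOT NULL);
        INSERT OR IGNORE INTO member (id, name) VALUES (1, 'alice');
        INSERT OR IGNORE INTO cart (id, member_id) VALUES (10, 1);
    """)
    _conn.commit()


def get_member(member_id):
    """Neutral read accessor: returns a dict or None."""
    row = _conn.execute("SELECT id, name FROM member WHERE id = ?",
                        (member_id,)).fetchone()
    return dict(row) if row else None


def delete_cart(cart_id):
    """Neutral write accessor: returns the number of rows removed."""
    cur = _conn.execute("DELETE FROM cart WHERE id = ?", (cart_id,))
    _conn.commit()
    return cur.rowcount


def count_carts():
    return _conn.execute("SELECT COUNT(*) FROM cart").fetchone()[0]


# ---- Tip 3: GET never changes anything ------------------------------------
SAFE_METHODS = {"GET", "HEAD"}

# action name -> (does it change state?, handler taking the request params)
ACTIONS = {
    "member": (False, lambda params: get_member(int(params["id"]))),
    "delete_cart": (True, lambda params: {"deleted": delete_cart(int(params["id"]))}),
}


def dispatch(method, action, params):
    """Route one request.  Returns (HTTP status, response body).

    A mutating action reached by GET or HEAD is refused before any database
    call happens, so link-following robots and precaching browsers cannot
    change anything.
    """
    if action not in ACTIONS:
        return 404, {"error": "no such action"}
    mutates, handler = ACTIONS[action]
    if mutates and method in SAFE_METHODS:
        return 405, {"error": "use POST for anything that makes a change"}
    return 200, handler(params)


if __name__ == "__main__":
    init_schema()
    print(dispatch("GET", "member", {"id": "1"}))          # read: allowed
    print(dispatch("GET", "delete_cart", {"id": "10"}))    # write via GET: refused
    print(dispatch("POST", "delete_cart", {"id": "10"}))   # write via POST: done
    print("carts left:", count_carts())
```

In PHP the same split is a single include file holding every mysqli_query() call, and the method check is a comparison against $_SERVER['REQUEST_METHOD'] at the top of each script that changes data.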


A Victorian British artilleryman blogs

William Henry Ranson

Gunner William Henry Ranson (born 1843) has started a blog about his life in the ranks of Royal Artillery and as a civilian in Canada right after Confederation:

http://whranson.blogspot.com/

Gunner Ranson was my great-great-grandfather. After serving in the Royal Artillery during the 1860s, he ended up settling in Canada permanently in the 1870s. While many British officers kept diaries and wrote memoirs, very few men of the ranks did — although a good number could read and write, few had the inclination and the available time (and light) to do so — but my great-great-grandfather was an exception. While we don’t have the original diary, we do have a summary that he wrote later in life as a memoir, based on the lost diary, giving a working man’s view of both the British military and of later civilian life (often more brutal) in Victorian Canada.

My brother Tom has had the memoir for some years and has been trying to decide the best way to edit and publish it. In the end, he has decided to publish sections serially as a blog. I encourage anyone interested in British or Canadian history to read this. The blog format reminds me very strongly of the serial magazine publication common during the Victorian period.


Coding lessons from university

Dare Obasanjo, smart code guy and occasional punching bag for the anti-Microsoft people, is collecting lists of Three Things I Learned About Software In College. I posted mine in a comment on his blog, but decided to reproduce them here. Note that these are not lessons you learned 10 or 20 years later, but what you discovered back then.

I coded a lot in university — some of it for pay — but fortunately, I didn’t study computer science or engineering. Here are my major lessons:

  1. Readable code goes further and survives longer than optimized code, especially once you’re no longer the one maintaining it (or if you have to come back to it two years later).

  2. If you write code that makes you feel like a genius, throw it out — you’ll realize later that it’s crap. If you write code that makes you feel like a competent tradesman, you’re on the right track.

  3. No matter how smart you are, everyone — even the most incompetent loser of a coder — knows at least one thing you don’t. It’s a good idea to listen.

Note: If you want to record your own list of three things, please leave it as a comment to Dare’s original posting, not here.
