Friday, July 20, 2007

Loving the Mac - Feeling Productive... New Parallels Update!

Parallels just released a new patch to their software which lets me run Windows Vista and Mac OS X simultaneously. I highly recommend that everybody using Parallels 3 update to Parallels Build 4560 sooner rather than later.

In the previous build of Parallels (4128) - Windows Vista would suck up 70-107% of my Mac's CPU even when Vista was idle! (I think CPU usage can go over 100% because I have a dual-core Core Duo 2 machine).

But now with Parallels Build 4560 - Vista still sucks - but it sucks less...only 24-47% now. And that is good enough to leave Windows running full-time on OS X with Vista in Parallels.

The image above is my MacBookPro connected to a second monitor. The MBP's laptop screen is running OS X full-screen, and the second monitor is running Windows Vista full-screen. Today - I'm 200% more productive thanks to that Parallels patch.

Using Eclipse and CVS Source Code Control on Mac OS X

The new project I just joined is still waiting for its source control system. In the meantime, I felt inclined to provide an interim solution until their permanent server arrives.

I was able to get a local copy of CVS up and running on my MacBook Pro. Along the way - I learned a little more about the Mac Firewall and service configuration that I thought I'd share... (this stuff isn't obvious to somebody who just switched to the Mac)

The following article from Apple gives very good instructions about how to run CVS via command-line instructions: Version Control with CVS on Mac OS X

That's the easy part -- running CVS via command-line worked right away without any problems. The challenges started when I tried to connect Eclipse to the CVS server hosted on my Mac.

First, Eclipse needs to connect to CVS through a network connection. And by default ssh is disabled. If you type the following command - you may see the same error I did:

ssh your-machine-name
ssh: connect to host your-machine-name port 22: Connection refused

The recommended way to establish communication to CVS is via SSH - and although SSH is pre-installed on OS X, it is disabled by default. You will need to enable SSH to support secure host communications. Visit System Preferences / Services

And while you are there - it would be a good idea to click the "Firewall" button and enable the Mac Firewall (it's DISABLED by default!). And be sure to check "Remote Login - SSH" to let SSH connections through the firewall.

Next - start a Terminal Session (Applications/Utilities/Terminal) to test ssh connectivity using the following command:

ssh your-machine-name

If enabled, you should not be prompted for a password. You may also see the following error: "The authenticity of host...can't be established." This is because we are cheating slightly and not generating SSH host keys. Ignore this for now and when prompted "Are you sure you want to continue connecting" - answer YES. In my case - I was connecting from my own machine to my own machine's CVS server. For other machines - I will expend the extra effort to generate SSH keys and pass their public keys to the client systems.

Now - cvs is installed, and ssh is configured. The next step is to connect Eclipse to CVS. I found this link to be very helpful: Eclipse and cvs

Screen-shots of my eclipse settings are below:

Eclipse - Ext Connection Method configuration window.

Eclipse - CVS Repository settings

So if you want to use SSH at its default port of 22 - then you are done.

But if you want a more secure environment - take the extra step I did and choose a different port number for SSH, as recommended in this security article (see Rule #4):

Basic Mac OS X Security

You may wish to do the same to confuse people scanning for port 22.
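As an added example (not from the original post), here is a small JavaScript check that reads an sshd_config the way sshd does and reports the settings worth confirming once Remote Login is open through the firewall, including the non-default port from Rule #4. The config text is constructed, the /etc/sshd_config path is an assumption, and the defaults are OpenSSH's of that era, stated as assumptions.

```javascript
// sshd_config rules this reader follows: '#' starts a comment, keywords are
// case-insensitive, "Key value" or "Key=value" are both accepted, the FIRST
// value read for a keyword wins (Port is the exception: several are allowed),
// and everything after the first "Match" line is conditional, so we stop there.

// All values given for `keyword` in the global section, in file order.
function sshdOptionValues(configText, keyword) {
  var want = keyword.toLowerCase(), values = [];
  var lines = configText.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    if (line === '' || line.charAt(0) === '#') continue;  // blank or comment
    var m = /^([^\s=]+)[\s=]+(.+)$/.exec(line);
    if (!m) continue;                                      // not "Key value"
    var key = m[1].toLowerCase();
    if (key === 'match') break;        // conditional block: global part is over
    if (key === want) values.push(m[2].trim());
  }
  return values;
}

// The value sshd would use: the first one read, or the supplied default.
function effectiveSshdOption(configText, keyword, fallback) {
  var v = sshdOptionValues(configText, keyword);
  return v.length ? v[0] : fallback;
}

// Summarise the settings this post touches. `listensOn22` is the Rule #4
// check; root login and password authentication are the two other knobs to
// look at once sshd is reachable from the network.
function auditSshd(configText) {
  var ports = sshdOptionValues(configText, 'Port').map(function (p) {
    return parseInt(p, 10);
  });
  if (ports.length === 0) ports = [22];      // assumed OpenSSH default
  return {
    ports: ports,
    listensOn22: ports.indexOf(22) !== -1,
    permitRootLogin: effectiveSshdOption(configText, 'PermitRootLogin', 'yes'),
    passwordAuthentication:
      effectiveSshdOption(configText, 'PasswordAuthentication', 'yes')
  };
}

// Constructed sample in the format of /etc/sshd_config (path assumed for
// OS X 10.4; this text is not from a real machine).
var SAMPLE_SSHD_CONFIG = [
  '# constructed sample for the example',
  'Port 2222',
  '#Port 22',                    // commented out: ignored
  'Protocol 2',
  'PermitRootLogin no',
  'permitrootlogin yes',         // ignored: the first value read wins
  'Subsystem sftp /usr/libexec/sftp-server',
  'Match User guest',
  'PasswordAuthentication no'    // inside Match: conditional, not global
].join('\n');
```

Run `auditSshd(SAMPLE_SSHD_CONFIG)` to see the sample report `ports: [2222]`, `listensOn22: false`, `permitRootLogin: 'no'` and `passwordAuthentication: 'yes'` (the Match-scoped line does not change the global value).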

Saturday, July 7, 2007

Internet Anywhere! Connecting the Cingular SYNC (Samsung SGH-A707) to a MacBook Pro via AT&T

The following articles helped me get my Samsung SYNC talking to my MacBookPro:
Tether Your Smartphone To Your Mac, Ross Barkman's Home Page, and Tethering on the Samsung A707

After buying my MacBook Pro with built-in Bluetooth - I couldn't wait to tether it to a cellular phone and get Internet connectivity anywhere I have cell-phone coverage.

But first - I had to upgrade my old cell-phone, the Nokia 6030. A great phone, small, reliable, but a little low on gadgets by today's standard.

I knew I wanted a 3G capable phone, but since I'm prone to losing phones, I also didn't want to spend a lot. AT&T had a special for their Samsung SYNC phone this weekend that was just what I wanted -- only $49 with a 2-year contract (after $50 rebate). What attracted me to this phone was:

  • 2M Camera

  • Bluetooth Support

  • 3G network support

  • And most importantly, Bluetooth DUN support

They also had the Motorola Razr V3xx phone for $FREE$ with a 2-year contract. But I picked up both, and liked the feel of the buttons on the Samsung SYNC better. The SYNC also had a 2M camera vs. a 1.3M camera.

Note: Make sure you add an appropriate data plan to allow data transfers.

And, be sure you are running Mac OS X v10.4.9 or higher in order to get the latest bluetooth updates.

Getting the Mac talking to the Samsung took me about an hour...but hopefully I can reduce the work to only 15 minutes for anybody reading this post.

Samsung SYNC
  • Menu / Settings / Connectivity / Bluetooth

  • Set Activation to ON

  • Set My Phone's Visibility to ON

  • Set My Phone's Name to whatever you want

MacBook Pro

  • Visit Ross Barkman's Home Page and download the Generic 3G Scripts

  • Expand the downloaded file with StuffIt Expander, and copy the file "Generic 3G CID1" to the directory "Library:Modem Scripts"

  • System Preferences / Bluetooth

  • Click Set Up New Device...

  • Choose "Mobile Phone" as the Device Type

  • The Assistant will now search for your mobile phone, and it should be listed

  • Select your phone, and press Continue

  • The first time your MacBook Pro communicates with your Samsung SYNC phone, you must approve the pairing with a passkey. A numeric passkey will be shown on the MacBook. At the same time, the Samsung SYNC should display a dialog window asking for the passkey. Enter the numeric key from the MacBook into the Samsung

  • Select Services you want to use. Choose "Use Address Book", "Access the Internet with your phone's data connection", and "Use a direct, higher speed connection to reach your Internet Service Provider"

  • Press Continue

  • You will be prompted for information specific to the Cingular network. Use the settings below:

    Password: CINGULAR1
    GPRS CID String: ...leave this field blank...
    Modem Script: Generic 3G CID1

  • Click Continue / Quit

  • Select System Preferences / Network

  • Select Show: "Bluetooth"

  • Click PPP, and your Bluetooth settings should be already populated

  • Service Provider: Enter whatever you want here
    Password: CINGULAR1
    Telephone Number: Leave Blank!
    Alternate Number: Leave Blank!

  • Click Dial Now..., and another window will appear...

  • Click Connect

Your Samsung SYNC phone may ask a question periodically..."DUN Connect with the MacBook Pro computer?". Obviously, you should answer YES.

If everything went smoothly - you should now be connected to the internet on your MacBook Pro through your Samsung SYNC phone!

And if you want the MacBook to seamlessly connect to your Samsung SYNC so you don't even have to pull it out of your pocket! That's possible also. Visit the following menu on the SYNC: Menu / Settings / Connectivity / Bluetooth / My Devices. Choose your computer from the list. Click Options. Then "Authorize Device". Once your MacBook Pro is authorized, you will no longer be prompted for any bluetooth activity!

Friday, July 6, 2007

Installing Oracle 10g on an Intel-based MacBook Pro using Parallels

I was switching to a new client this month, so I decided to treat myself to a top-of-the-line 17" Apple MacBook Pro. I've seen a lot of co-workers at AOL walking around the building with the MBP and I was hit with Mac-envy.

After a few days: although I still love the machine, my first week did not go smoothly.

My original goal was to install Oracle 10g and Eclipse to emulate the Unix development environment on my MacBook Pro. So I started by downloading Oracle 10g from the Oracle site itself:

Oracle Download Site

There is a link on this page for "Oracle Database 10g Release 1 ( for Mac OS X Server". If you have an Intel-based MacBook Pro like me (Core Duo 2), THIS WILL NOT WORK! I spent hours working through the pre-install documentation over and over again to find out what I was doing wrong.... It turns out that Oracle 10g (as of v10.1.0.3, which was the latest version for OS X on Mac as of July 2007) does not work on Intel-based Macs!

So since I can't run 10g on Mac OS X natively -- I thought I'd use Apple's Boot Camp to run 10g under XP or Vista.

And knowing that the Core Duo 2 chips are 64-bit chips - I purchased a copy of Vista 64-bit Home Premium. That was the start of my second mistake.

Apple Boot Camp

Although Windows Vista 64-bit Home Premium was booting on my MacBook Pro, I had no networking support, no sound, and no ATI enhanced graphics support. After struggling with Boot Camp for another few hours, I discovered that Boot Camp v1.3 (the latest as of July 2007) does not work with 64-bit Windows operating systems! Well, it actually does, but you won't have audio drivers, network drivers, camera, extended keyboard, or extended USB support.

After more research, I stumbled upon this link which describes how to install a Red-Hat clone using Parallels in Mac OS X in order to run Oracle 10g.

Install Oracle 10g on an Intel Mac

If I had found this link first, I might have been willing to try it. But at this point, I was exhausted. So I took the easy route.

This is the solution I eventually settled upon:

  1. Install Apple Boot Camp (free). Be sure to read the Boot Camp documentation; you will need a blank CD-R and a real installation disk of some variant of a 32-bit Windows operating system (XP or Vista).

  2. Partition your drive via Boot Camp. I chose NTFS for my file-system.

  3. Install Windows XP via Boot Camp

  4. After the full XP installation is completed, you will need to run the Boot Camp CD that was burned by Boot Camp while in the fresh-Windows installation in order to install Windows drivers for all the MacBook Pro devices.

This all worked perfectly -- and now I could dual-boot my MacBook Pro and have a true Windows environment or true OS X environment.

Random Mac Tips:

  • Hold the "Option" key to choose which partition you want to use while booting.

  • Press the TrackPad while booting to eject the CD

Next I installed "Oracle Database 10g Release 2 ( for Microsoft Windows" from the Oracle download page.

Oracle download page

Important Note! If you do not have a fixed IP address, you will need to install the Microsoft Loopback Adapter and choose a fixed IP address. Do this BEFORE installing Oracle, or else you will most likely have to remove and re-install Oracle.

KnowledgeBase article about installing the Microsoft Loopback Adapter

Now Oracle 10g should install without a problem.

Then, I decided to push my luck, and try out Parallels. Parallels gives me a virtual Windows machine within a running Mac OS X environment. There is a 15-day free trial available.

Parallels Desktop for Mac

Parallels installed flawlessly, identified my Boot Camp partition and created its own variant of the Boot Camp launch configuration.

Once completed - Windows XP was running within a window on my Mac OS X desktop!

One last piece was missing though, the Mac could not communicate to Oracle within Parallels Desktop. By default, XP Home installs a Windows Firewall. What Parallels does is create two separate virtual machines running on the same MacBook Pro. So although they are on the same desktop and same machine, they cannot talk to each other because Windows has its own Firewall.

Visit the Windows Control Panel / Firewall Settings, and open the ports Oracle uses, such as 1158, 1521, and 5560.

Now - within a single desktop environment - I can build applications in Java on OS X while accessing Oracle 10g on Windows.

Wednesday, May 9, 2007

Teach your kids how to program!

A loooong time ago - I taught myself how to write software in the BASIC Programming language on a Radio Shack TRS-80 in middle-school. From there -- I moved up to an Apple II+ computer -- and still continued to write programs in BASIC. (and don't knock BASIC, back-in-the-day, Bill Gates started his Microsoft empire from the humble roots of the BASIC Programming language and DOS...but that's another story)

"Basic Computer Games" by David Ahl was how I taught myself to code when I was about 11 years old. I loved that book.

On these simple machines - you turn on the computer, and just start typing. You had everything you needed to let your imagination run wild writing stuff. Life was good.

Now -- The computer world is over-whelming. The "Introductory" Java book we use for our Java classes is 1000 pages long. ONE THOUSAND PAGES! Plus all the tools, frameworks and servers...Integrated Development Environments, compilers, and Web Containers. Phew...Life is now complicated.

Well - somebody has recognized this to be a problem for the beginner and created a self-contained learning environment that even a child could use, called Hackety Hack. Learn to program in a friendly environment again! (You know it's friendly because it has a cute cartoon character.) Hackety Hack will step through multiple lessons that teach you (or a child) how to write small computer programs. Ever want to write your own WebLog program?

Check it out!

Wednesday, May 2, 2007

Microsoft Silverlight. Adobe flash and Java JVM Killer???

This past year, I've spent a lot of time working with a wide variety of Rich Internet Technologies. In particular, Ajax (Dojo Toolkit, DWR, Prototype), and Ruby on Rails (yeah, I know, ROR is not specifically sold as a RIA platform, but it does incorporate Ajax seamlessly into the framework with partial templates, components, and readily available Prototype/ support).
  • Java Applets, and ActiveX are both dead (and should be buried)
To round out my understanding of the RIA space -- I'm ramping up with Adobe Flex. Adobe Flex is Adobe's enterprise web product that builds on top of Adobe Flash. Flex can be further extended through Adobe Apollo to build desktop apps.

So I thought -- these are the big players....I was hoping that this was all we will see in the near-term...


I tinkered with a project from Microsoft called WPF/e several months ago, and I even invited Microsoft to demonstrate WPF/e at a conference I organized on March 1st. But at that time, it all felt very, very beta. So it's not necessarily new. But now, Microsoft has renamed WPF/e to Silverlight and TechCrunch is just gushing over it.

  • "...Silverlight will be the platform of choice for developers who build rich Internet applications..."
  • "...It makes Flash/Flex look like an absolute toy..."
  • "...Ajax looks like a bicycle next to a Ferrari when compared to Silverlight..."
From the Silverlight web-site:

Microsoft® Silverlight™ is a cross-browser, cross-platform plug-in for delivering the next generation of .NET based media experiences and rich interactive applications for the Web. Silverlight offers a flexible programming model that supports AJAX, VB, C#, Python, and Ruby, and integrates with existing Web applications. Silverlight supports fast, cost-effective delivery of high-quality video to all major browsers running on the Mac OS or Windows.
A portable Silverlight CLR run-time on Mac OS and Windows that can be used to play Rich Media (like videos) and build desktop applications? What's this going to mean to the Java JVM and Adobe Flash?

Thursday, March 22, 2007

AjaxWorld 2007 Day Three (Afternoon)

JSON: Making the "X" in Ajax Superfluous:
The afternoon was off to a good start with Douglas Crockford presenting on JSON. Not much new ground was covered...In a nutshell, JSON is a better way to transfer data than XML. JSON is especially easy to use if you know that the client will be a browser (like it is with Ajax). Since JSON is a subset of JavaScript, the JavaScript engine processes JSON very easily because it is JavaScript.

Some random items mentioned beyond the obvious JSON topics...
  • YAML is a superset of JSON. A YAML decoder is a JSON decoder. And YAML has validators. So if you wanted a JSON validator, a YAML validator would work.
  • Using eval to process JSON text can open security holes. If that's a concern, use a JSON-only parser like string.parseJSON.
  • Crockford was against remote scripting....calling it the "script-tag hack". The problem is that there is no way to vet the script before it executes. The server generating the scripting must be absolutely trusted...this is not always possible in Mashup scenarios.
  • Security Comment - If there is script from 2 or more sources, then the app is not secure.
  • Proposed EcmaScript 4th edition enhancements include new commands available at now.
Here's an application of the supplant function (from the site):

var template = '<table border="{border}"><tr><th>Last</th><td>{last}</td></tr>' +
    '<tr><th>First</th><td>{first}</td></tr></table>';
Notice that we have an HTML template with three variables in it. Then
we'll obtain a JSON object containing members that match the variables.

var data = {
    "first": "Carl",
    "last": "Hollywood",
    "border": 2
};

We can then use a supplant method to fill in the template
with the data.

mydiv.innerHTML = template.supplant(data);

Nice! These upcoming EcmaScript enhancements can be used now by importing the small JavaScript functions from
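A working supplant, as an added example that is not from the original post or from Crockford's json.js, alongside an escaping variant: the result above is assigned to innerHTML, so any untrusted value in the data object would otherwise land in the page as markup. The sample data is constructed.

```javascript
// Crockford-style supplant: replace each {name} with o[name] when the value
// is a string or number; otherwise leave the placeholder exactly as it was.
if (typeof String.prototype.supplant !== 'function') {
  String.prototype.supplant = function (o) {
    return this.replace(/\{([^{}]*)\}/g, function (a, b) {
      var r = o[b];
      return typeof r === 'string' || typeof r === 'number' ? r : a;
    });
  };
}

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Same placeholder syntax, but every substituted value is escaped first, so a
// value that arrived over the network cannot inject tags into the page.
function supplantHtml(template, data) {
  return template.replace(/\{([^{}]*)\}/g, function (match, key) {
    var value = data[key];
    if (typeof value !== 'string' && typeof value !== 'number') return match;
    return escapeHtml(value);
  });
}

// The template from the post (three placeholders: border, last, first).
var TEMPLATE = '<table border="{border}"><tr><th>Last</th><td>{last}</td></tr>' +
               '<tr><th>First</th><td>{first}</td></tr></table>';

// Constructed sample: "last" carries markup, as a hostile JSON response might.
var SAMPLE = { first: 'Carl', last: '<b>Hollywood</b>', border: 2 };

function renderRaw()  { return TEMPLATE.supplant(SAMPLE); }      // markup passes through
function renderSafe() { return supplantHtml(TEMPLATE, SAMPLE); } // markup is neutralised
```

Compare `renderRaw()` with `renderSafe()`: the first emits a live `<b>` element inside the table cell, the second emits the literal text `&lt;b&gt;Hollywood&lt;/b&gt;`.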

In the 2:40pm timeslot, I was looking forward to seeing Clueful 2.0, but it was cancelled. Then I rushed to view "So You Wanna Be a DOM Star" from Molly Holzschlag, but it was cancelled. So my third choice was "Performance-Tune Your Ajax application". This session contained some useful information, but nothing ground-breaking on the topic.

And that ended AjaxWorld for me. There was another vendor presentation followed by 2 more sessions which continued to 7pm....but due to flight schedules, I had to miss those. If I could've stayed longer I would've loved to have seen the following; I will have to wait until I receive the AjaxWorld presentations on DVD.

Ajax-Enable Your Java Application with DWR -- I love DWR!
Web 2.0 Security
Rails: De Facto API for the Web

Wednesday, March 21, 2007

AjaxWorld 2007 Day Three (Morning)

I didn't start my Day 3 at AjaxWorld until 8:50am. There were 2 previous sessions: ASP.Net Ajax, and Kapow: Serving Mashups from the Long Tail of the Web. Fortunately - I had the opportunity to see ASP.Net Ajax in action at AOL back on March 1st from another Microsoft evangelist....which meant I could sleep a little longer.

For 8:50am - I attended Reginald Stadlbauer: Automatically Testing the UI of Ajax: Challenges and Solutions. What I didn't realize until the talk started was that this was really a product demonstration of Squish - a UI testing tool from FrogLogic. The product appeared to be a very useful web UI testing tool that is built with Ajax testing in mind. Some downsides I saw - it appeared to be very slow; even though Reginald was testing a localhost web-app, the live demo dragged. And the price is pretty steep: $2,100 per user license. I don't know the UI testing field well enough to identify its competitors. But for what it's worth, I'd try Squish in a heartbeat if it was open-source!

This session finished a little early so I ran to Google Web Toolkit: Quick Relief of Ajax Pain. But this session was overflowing with people and I couldn't get in close enough to see.

9:40am brought Christophe Conreats to the stage to demo Adobe's products: High Definition User Experience with Flex & Apollo. This was also a similar presentation to one I attended at AOL on March 1st. But since Adobe's Flex and Apollo products look so good - it was still interesting to watch a second time. The most impressive demo was a virtual biology book with transparent layered pages that turned and overlaid organs on a cut-away view of the human body. I don't need this feature - but it's great eye-candy. For me the 4 leading Ajax toolkits/frameworks to pay attention to are: Dojo Toolkit, Adobe Flex/Apollo, Open laszlo, Prototype/

11:35am's presentation was from Helmi Technologies: Step-by-Step - Open source RIA platform. I want to say something nice, but this presentation was a complete train-wreck. The audience repeatedly shouted "we can't hear you"...but it made no difference. If they were hoping to make a good impression of Helmi - they didn't. At the end of the talk - the application never worked, and the presenters left the stage without taking any questions.

Next, JetBrains' presentation JavaScript Puzzlers was a lot of fun. In the spirit of the book Java Puzzlers, Mike Aizatsky delivered an entertaining demonstration of how tricky JavaScript coding can be. His puzzlers challenged the audience to find casting problems, differences in equality statements in JavaScript, and issues with switch statements. This wasn't an Ajax talk, but it was enjoyable -- and appropriate since JavaScript and Ajax go hand-in-hand.

AjaxWorld: Impressions of the OpenLaszlo Platform

For the 2:40pm - the only game in town is Laszlo System's presentation: The Browser, The Portal, and the Desktop. If you haven't tried it yet, visit the OpenLaszlo site to see application samples created with the OpenLaszlo platform. It's FREE and open-source. The coolest feature is its ability to generate a Flash (version 6, 7, 8) edition or an Ajax edition. Under the hood - Flex and OpenLaszlo are very similar -- some even say that Flex was a copy-cat of Laszlo. Either way - we probably have OpenLaszlo to thank because it most certainly made Adobe open-source the Flex SDK and compiler sooner rather than later.

Now Laszlo System as I understand it is the commercial entity that is trying to make money by building solutions and consulting on the OpenLaszlo platform (somebody correct me if I'm wrong!). Laszlo is all over AjaxWorld, and they were demo'ing WebTop - a very attractive RIA desktop delivered via the web. WebOS anybody?

Open Laszlo is on my list of things to experiment with when I have time.

Since Adobe Flex 2 is free, why choose Open Laszlo? Here's what one of their engineers said....Open Laszlo deploys to Flash 6, 7, or 8 -- that's 98% of the browsers by Adobe's numbers. Flex 2 apparently requires Flash 9 (60%). So if you want to reach the largest audience without an install - Open Laszlo is the better choice (now). Also - if you are building widgets for mobile devices - Flash Lite provides Flash 7 support, not Flash 9. Which means - that once again - Open Laszlo would be the better choice (for now).

But if a Flash 9 installation is an acceptable installation requirement - then the difference seems to disappear since Flex 2 SDK is free, and Flash 9 is supposed to be noticeably faster.

If Open Laszlo had drag-and-drop interface like Flex Builder - then the scales would tip back to Open Laszlo...but their eclipse plug-in project has been archived.

AjaxWorld 2007 Day Two (Afternoon)

Since I'm interested in Dojo - I decided to attend James Harmon's talk "Creating AJAX-Powered Forms with the Dojo Toolkit". This was a bad choice for me because I didn't really learn anything new. But for those that have no exposure to the Dojo Toolkit - it would've been a really good session. His 50-minute presentation enhanced a typical JSP HTML form using Dojo elements that included client-side and server-side validation, a Rich Text Editor control, and a Combo Box. Slides can be found here.

Finally - food! During the lunch break there was a Power Panel in the main ballroom - unfortunately - I was eating lunch and chatting with others during the break and missed most of the panel.

For the 2:40pm - the only game in town is Laszlo System's presentation. I created a separate blog entry just for this one....Laszlo had a big presence at AjaxWorld.

On to the next presentation....Dylan Schiemann: Web Vector Graphics & Dojo Draw This! I want to watch this again when the AjaxWorld DVD comes out because I had to run out of the room to take a call from work. But in a nutshell - Dojo provides a vector graphics library (dojo.gfx) that's supposed to be easier to use than VML or SVG, and it hides cross-browser issues. That sounds like a good thing. So if you want to do graphics, and build charts in the browser -- definitely check this out.

At 4:30pm - I watched a presentation on ICEFaces. I had never heard of them before AjaxWorld. It appears to be a fairly rich-looking Java-centric Ajax platform that was recently open-sourced. Their presentation certainly looked good - and this presentation focused on security aspects of the product, which seems to plug potential holes in Ajax. Using Java EE enforced security roles (I think Stephen said he's using Tomcat and Tomcat roles) - you can prevent users from running particular Ajax features. My impression is that ICEFaces and BackBase play in the same space.
What does this mean? Just another Ajax library to explore some day....but not today.

The conference continued further with 2 more sessions - but I was completely spent at this point. I didn't have the energy to continue due to jet-lag from Bangalore, and I felt that 10 hours of Ajax presentations was enough fun for one day. Too bad I won't be able to make the boat-trip sponsored by Laszlo - I'm sure they'd provide enough free drinks to convince me to rewrite everything using Open Laszlo :-)

Some other things I would miss:

Tuesday, March 20, 2007

AjaxWorld 2007 Day Two (Morning)

Day Two at AjaxWorld is off to a great start with a keynote presentation at 7:45am from Bret Taylor of Google: Scaling Ajax: The Promise and the Challenge of Modern Web Development. Bret Taylor was introduced as being the original developer of showcase Ajax web application Google Maps.

He covered a wide range of Ajax topics including....
  • How Ajax has changed the way we design User Interfaces
  • How Ajax has changed the way we view APIs
    • APIs are simple and lightweight
    • Less SOAP
    • More JavaScript
  • Ajax is about using and abusing standards
    • DOM was designed for text docs
    • XMLHttpRequest - not a standard - but supported by all browsers
    • Cross-host communication using script and iframe tags
Bret then went on to describe how Google Maps takes care of the Back Button; making the Back Button work is a common problem with Ajax applications. The solution centers around the use of iFrames for soft vs. hard states. A hard state is a display state that should be restored if the user hits the back button. For these, Google Maps creates a new URL for the iFrame, which causes the URL to become part of the history. Soft states are stored as textbox values within the iFrame. Browsers exhibit a behavior where they like to recover the value contained in the textbox when reverting to the previous URL in history. The end result is that the back button appears to function correctly to the user.

Drawing vector graphics in the browser was also discussed
  • solution in 2005: VML in IE, line-drawing server for others
  • solution in 2007: vml in IE, SVG in firefox, canvas in safari
He then went on to discuss many of the well-known problems with Ajax.

And to wrap-up, he summed up the future state of Ajax...
  • Better tools and libraries
    • Google web toolkit
      • java to javascript compiler
      • hides browser compatibility issues
      • maps ui programming concepts ( ex: constraint-based layout) to the DOM and css
    • growing community and open source toolkit
      • dojo toolkit -- google contributes
      • prototype
      • mochikit
      • yahoo UI library
  • Bret's predictions
    • technology will be open (no one will "own" the platform)
    • technology will be evolutionary (browser works pretty well already)
    • technology will address an end user need (ex: rich graphics), not just developer needs (ex: programming language features)
The 8:15am timeslot had a cool title, but the hype from the title did not live up to expectations: The User is the Killer App. Luis Derechin and his VP of Platform Engineering, Danny Malks, delivered a presentation which could have sent the same message with fewer slides ... we are in a user-centric world. And things like Ajax make the user happy.

For 9:10am - I chose to listen to Billy Hoffman, Hacking and Exploiting Ajax Applications. Even though I was already aware of XSS and SQL Injection security issues, Billy's enthusiasm to seek and destroy websites that are prone to attack was a great source of solid entertainment.

While demonstrating, Billy used this site to show various types of attacks.

  • Ajax increases the attack surface. In addition to traditional threats...
    • web services
    • page methods
  • Be aware of SQL injection risks
    • especially since most dbs have functions that allow shell script stored procedures and/or direct API access

A key theme he repeated several times...Stop trusting the client
  • Could call functions out of order
  • could bypass form logic / validation
  • information leakage - gives away information about your app
    • function/variable names
    • function parameters and return types
    • program flow
    • trust
    • datatypes and valid ranges
    • JavaScript itself
      • comments with useful information
      • He told a Macworld story - their registration site had md5 hash codes listed in a JavaScript array - so it was easy to figure out the codes for discounts.
    • JavaScript obfuscation does not fully protect
  • Be alert to XSS holes (Cross-Site Scripting). Potential malicious things that could be done...
    • cookie theft
      • session hijacking
    • key logging
    • screen scraping
    • malicious scripts
    • mousemoves
And something new for Ajax -- Ajax mashups can open new security issues when acting as bridges to other sites...
  • another layer for attackers to hide behind
  • theft of resources...
  • DoS of affiliate websites
  • bypass of traditional security

He then went on to describe a backdoor security hole in the popular Prototype library. Apparently, when Prototype sees data with a JSON header - it automatically runs it through eval, so malicious JavaScript has a way into a Prototype site. I haven't had time to experiment with this - but it's worth noting.

How can we tighten up security in our apps. Here are some of his tips:
  • input validation
    • client side validation is no validation
    • don't use blacklisting (I will not allow these chars)
    • use whitelisting (only list acceptable/known chars/formats)
    • validate both data type and range/length
    • validate data format
    • escaping input is as good as validation
  • prevent info leakage
    • no monolithic .js or .css files in master pages
    • separate ajax page method/web services from other web services
    • turn off WSDLs for web services
    • comments in JS files cannot be masked
    • minimize logic pushed to the client
    • minimize what is exposed by a web service
    • obfuscation? not really
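An added example (not from Billy Hoffman's talk, and not Prototype's code) that puts the Prototype/eval point and the validation tips above into one path for a client-supplied JSON message: parse with a data-only parser instead of eval, then whitelist every field by type, range and format. The redemption message format, its rules and the sample inputs are constructed for the example; JSON.parse stands in for the json.js parseJSON of 2007, since the same strict behaviour is now built into the language.

```javascript
// Counts how often a "helpful" expression hidden in a payload actually ran.
var sideEffects = 0;
function sideEffect() { sideEffects += 1; return 1; }

// Looks like JSON at a glance, but is a JavaScript expression with a call in it.
var TAINTED = '({"code": "SAVE10", "qty": sideEffect()})';

// What a library that auto-evaluates a JSON header does: eval is an executor,
// not a parser, so sideEffect() runs before any validation could look at it.
function parseWithEval(text) {
  return eval(text);
}

// Data-only parsing: JSON.parse rejects anything that is not a JSON literal,
// so the expression above is refused and nothing inside it ever executes.
function parseStrictly(text) {
  try { return { ok: true, value: JSON.parse(text) }; }
  catch (e) { return { ok: false, error: e.name }; }
}

// Whitelist for the one message we accept. A field that is not listed here is
// rejected outright; there is no list of "bad characters" anywhere.
var RULES = {
  code: { type: 'string', pattern: /^[A-Z0-9]{4,12}$/ },     // format, not blacklist
  qty:  { type: 'number', min: 1, max: 10, integer: true }    // type and range
};

// Returns { ok: true, value } holding only whitelisted fields, or
// { ok: false, errors } naming every rule that failed.
function validateRedemption(input) {
  var errors = [], out = {};
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  Object.keys(input).forEach(function (k) {
    if (!RULES.hasOwnProperty(k)) errors.push('unexpected field: ' + k);
  });
  Object.keys(RULES).forEach(function (k) {
    var rule = RULES[k], v = input[k];
    if (typeof v !== rule.type) { errors.push(k + ': expected ' + rule.type); return; }
    if (rule.pattern && !rule.pattern.test(v)) { errors.push(k + ': bad format'); return; }
    if (rule.integer && v !== Math.floor(v)) { errors.push(k + ': not an integer'); return; }
    if (rule.min !== undefined && (v < rule.min || v > rule.max)) {
      errors.push(k + ': out of range'); return;
    }
    out[k] = v;
  });
  return errors.length ? { ok: false, errors: errors } : { ok: true, value: out };
}

// The server-side path: strict parse, then whitelist. eval is never reached,
// and client-side checks are treated as if they did not exist.
function acceptRedemption(text) {
  var parsed = parseStrictly(text);
  if (!parsed.ok) return { ok: false, errors: ['not JSON: ' + parsed.error] };
  return validateRedemption(parsed.value);
}
```

Feeding TAINTED to `parseStrictly` leaves `sideEffects` at 0; feeding it to `parseWithEval` bumps it to 1, which is the whole difference between a parser and eval.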
Useful tools
  • firebug
  • ie watch
  • fiddler
  • web developer toolbar
The final presentation of the morning I attended was a Q&A by Google which started at 11:40am. Unfortunately - I only caught a few minutes of this because I had to take a conference call at noon. But this looked like a very promising block of time -- 3 Google engineers (including Bret Taylor) up on stage in the big ballroom ready to answer any questions.

Here are a couple of notes I scribbled down before I had to run off...

  • Google Maps uses iFrame functionality because they wanted to harness the back-button behavior. (see my notes from the first speaker of the day)
  • Google Gadgets uses XMLHttpRequest to do its Ajax transfers. And they use an Ajax proxy to get around cross-domain issues.
  • A question was asked about security and gadgets. Google prefers not to be in the "security business" - and want to provide free services and not make security a barrier. If you need logins - you lose users.
  • Google has its own internal service called dogfood where Google employees use their own products (corporate version of calendar, gmail, etc...) - "eat our own dogfood"
  • Why would they choose Flex or Ajax? They design for a user experience, and then choose technology depending on what meets the requirements. Ex: Google Maps is Ajax, but their stock ticker chart is Flash.
  • Why use Java in GoogleWebToolkit rather than a declarative markup like Flex/Laszlo in XML? A design philosophy of the GWT was to make it easier for Java coders (because there are a lot of them) to build Ajax apps as easily as they build AWT/Swing apps.

Monday, March 19, 2007

AjaxWorld 2007 Day One (NYC)

I'm here at AjaxWorld NYC which starts today (3/20/2007):

SWAG review: I received a black bag which contained the following items....
  • 1 AjaxWorld DVD (2-discs - very nice)
  • A couple vendor CDs
    • IntelliJIdea - 30 day trial
    • Oracle Fusion Middleware
    • Flex 2 SDK (which is free), Flex Builder 30-day trial
    • unlabelled CD-R
      • Turns out it has all the presentations - that's nice. Would be nice to label the CD
  • Some glossy product sheets

A copy of the book Real-world Ajax would've been a nice surprise (hint!)

WiFi in the hotel needs a password....Password is "AJAX0307". And if the WiFi is down - go across the street to Cosi - grab a coffee - and enjoy their free WiFi (it's more stable than the Roosevelt's)

AjaxWorld is supposed to start at 1:30 -- but we don't start until 1:45. Jeremy Geelan explains to the crowd that we're starting late because he told the people in the registration line that he wouldn't start without them. Nice for the people in line, not so nice for the thousand people in the room waiting.

The keynote speaker, Douglas Crockford, didn't take the stage until 1:50pm....and then he only got a chance to speak until 2:15.

AjaxWorld: Ajax, the Browser Application Platform
My hero, the JavaScript god himself, Douglas Crockford (creator of JSON), was the keynote speaker. He surveyed the crowd to see who was in the audience: about 20% of the crowd appeared to be beginners, the remaining had some level of Ajax experience.

Although Douglas didn't break any new ground, he gave a very polite and organized introduction to why we were all here at AjaxWorld. Some interesting comments....

  • First he covered, where we've been...."Java Applets - Flop"
  • What we want out of Ajax..."Apps without installation"
  • A quick shout-out about JSON: "JSON is the X in Ajax"
  • "Best thing to happen after the browser wars...Microsoft did nothing" -- this resulted in stability which allowed applications using Ajax to grow
  • We want open systems, but we miss the advantages of proprietary systems and lack a single vision
  • Stability
  • "appalling standards" -- not enough web standards exist to cover everything necessary to build a modern browser
  • Lack of Foresight - the web wasn't originally designed to be used for application delivery
Current Situation
  • 200+ Ajax Libraries
  • Too many - we need a shake-out phase
  • Security is a concern
    • "whitelist filtering"
    • Server's responsibility not to send confidential info to unauthorized agents
    • Server's responsibility not to accept data from unauthorized agents
  • Ajax Wow Factor -- Need to keep at a minimum. "Dare to be dull"
  • Mobile Ajax lags.
    • Java failed on mobile
    • Future: Web apps on mobile
    • Mobile Ajax is here
  • Ajax Competition
    • Adobe Apollo
    • Microsoft WPF/e
More Douglas Crockford! More Douglas Crockford!

In the 2:30pm timeslot, I chose Ryan Stout's presentation "JavaScript Performance: Speeding Up Your Ajax Apps". I really enjoyed Ryan's presentation, and found it to be 45 minutes very well-spent.

He gave some great tips from the trenches, and talked about various techniques he uses to improve Ajax performance. So rather than parrot back what he said - Ryan posted his slides here...

Some key points:
  • slow apps lose users
  • focus on user experience, not resource use
  • profile javascript using firebug - latest firebug has lots of profiling tools
  • profile network activity using firebug
  • avoid things that cause page reflows (redraws or shifts)
  • Keep users informed - use timeouts to give the browser a chance to breathe
  • interactivity beats response time
  • Set Expiration Date - take advantage of caching.
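Two of Ryan's points (let the browser breathe via timeouts, keep users informed) can be shown in one small routine. This is an added example of my own, not code from his slides: a long loop is split into chunks and control is handed back to the browser between them, with a progress callback for a status indicator. The scheduler is injectable so the same code can be exercised outside a browser; the function and option names are assumptions.

```javascript
// Added example: chunked processing that yields to the browser between chunks.
// Not from Ryan Stout's slides; names are assumptions.

// Process `items` in chunks of `chunkSize`. Between chunks the browser gets
// control back (default scheduler: setTimeout with 0 delay) so it can repaint
// and handle clicks, and `onProgress` can update a status message.
function runInChunks(items, work, options = {}) {
  const chunkSize = options.chunkSize || 100;
  const schedule = options.schedule || (fn => setTimeout(fn, 0));
  const onProgress = options.onProgress || (() => {});
  const onDone = options.onDone || (() => {});
  const stats = { chunks: 0, processed: 0, total: items.length };
  let index = 0;

  function step() {
    const end = Math.min(index + chunkSize, items.length);
    for (; index < end; index++) work(items[index]);
    stats.chunks++;
    stats.processed = index;
    onProgress(stats.processed, stats.total);
    if (index < items.length) {
      schedule(step);          // yield to the browser, continue later
    } else {
      onDone(stats);
    }
  }

  step();
  return stats;
}

// Constructed workload: sum a field over 250 fake records. With a synchronous
// scheduler the whole run finishes before this function returns, which is
// what makes the result checkable without a browser event loop.
function demoChecksum() {
  const records = [];
  for (let i = 0; i < 250; i++) records.push({ id: i, value: (i * 31) % 97 });
  let sum = 0;
  const progress = [];
  const stats = runInChunks(records, r => { sum += r.value; }, {
    chunkSize: 100,
    schedule: fn => fn(),                                   // run immediately (offline mode)
    onProgress: (done, total) => progress.push(done + '/' + total),
  });
  return { sum, chunks: stats.chunks, processed: stats.processed, progress };
}
```

In a page you would leave the default scheduler in place and have `onProgress` write to a status element; the user sees the count advancing instead of a frozen browser.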
The 3:40pm - 4:40pm timeslot was filled with 2 Ajax product presentations...neither is open-source...

"Enterprise Web 2.0 - Programming with Levers, Dials and maybe Switches"
A product presentation for Nexaweb. Their key message is "Enterprise Web 2.0 (Enterprise IT + Web 2.0) + switches/levers = business agility". So an application architect needs to balance the needs of the users to help determine where the code resides. Everything from a modern fat-client, to a thin-client is possible today. And Nexaweb appears to make it easy to move between a lightweight thin-client all the way to a fat-client concept....and a couple levels in-between.
"AJAX Best Practices"
A product presentation for BackBase. BackBase appears to be a polished Java-centric Ajax framework that works well with JSF and Struts. The price is steep though -- I spoke briefly to the Backbase rep in the vendor room and developer seats are $2000 each, and server licenses are $8000 per cpu.

The last speaker of the day for me was Ajit Jaokar...his presentation was titled: "Deploying Web-Based Applications to Mobile Devices Using AJAX Techniques". Ajit is the author of the book "Mobile Web 2.0". We didn't get a copy of his slides, but his presentation was well attended and he was asked many questions throughout the speech. The key theme of this topic was that Mobile Ajax is driving widgets. He went on to describe WICD (W3C Web Integration Compound Document) which is like Ajax++ (Ajax plus audio and video).

He also gave props to Apple..."apple practically invented widgets", "apple is best poised to take advantage of mobile widgets". And Ajit claims Apple is not using Java or Flash in their upcoming iPhone - they are using Ajax technology.

Mobile Ajax is not Google Maps or Netflix. Ajit says Mobile Ajax is widgets. Hopefully we'll get his slides later, because he spoke VERY fast, and covered a lot of material.

I thoroughly enjoyed this presentation and wished Ajit had more time to speak. More information about his talk can be found on his own blog...

...and that wraps up Day One at AjaxWorld 2007 for me!

AjaxWorld 2007 - Waiting for it to start...

So I'm getting ready to attend AjaxWorld in New York City on March 19-21 -- and I realize that the conference is not 3 full days...it's more like 1 half-day, and 2 painfully-long days:

Monday, 1:30pm - 5:30pm
Tuesday, 7:30am - 8pm
Wednesday, 7:30am - 7pm

Check out the schedule - it looks like there will be a lot of interesting topics....

And I like Ajax a lot, but 13 hours on Day#2 is just asking too much for a human to endure.

....looking forward to these presentations:
Ajax, The browser the platform - Douglas Crockford (a javascript god)
JavaScript, performance: speeding up Ajax Apps
Ajax Best Practices (I hope this isn't a BackBase advertisement!)
Enterprise Comet: The Real-time Web

I spend the morning having breakfast and lunch with some of the other orphaned AjaxWorld attendees who also arrive earlier than the 1:30pm start-time. One of the guys I had lunch with is Dean Allemang, who will be speaking on Day#3 about using RDFa to build Semantic Mash-ups.

Dean's great to talk to - and I formulate my own short description of RDFa and Semantic Mash-ups. But before I can describe RDFa I have to do a little setup: the Semantic Web reflects a web where the pages are not designed just for humans, but also for computers. Microformats help by appending extra information to standard web page tags so they contain more descriptive information. RDF is a format which does something similar to Microformats for data transfers. It helps to describe the data that is being sent from machine to machine.

Many people have heard of Ajax Mashups (,, etc...) which blend data with a visual API (ex: Google Maps). A Semantic mash-up merges unrelated data sources together to form a useful product (ex: bike route, with wi-fi hotspots).

Friday, March 9, 2007

7 days in Bangalore, India....

I had to go to Bangalore, India to teach some classes on Ajax and Web 2.0 this week. So I started a separate travel Blog just about this trip.

It should provide some interesting reading for any business travelers going to Bangalore for the first time. I hope you enjoy it!

Sunday, March 4, 2007

Goodbye Windows...Hello Mac....

I started out my computing life with the Radio Shack TRS-80 and the Apple II+ computer, while simultaneously using PC clones in my jobs.

By 1985 - I had moved from one Macintosh, to another...while simultaneously using PC clones and Sun workstations in my internships.

Sadly - after entering the formal business world in the 1990s -- it became clear that Macs weren't welcome at the office. So since 1994 - I stopped buying Apple, and sold my soul to the dark side, owning and using Microsoft Windows.

So here it is, 2007, and I am convinced that we are at the forefront of a dramatic and fast shift to Apple. Last week, I was running an all-day developer's conference with 5 leading technology speakers on Web 2.0. 3 out of 5 of those speakers -- used Macs. I also teach an Ajax course -- about 50% of my students...use Macs.

An article in RDM describes many of the realities that I'm seeing first-hand. Apple is starting to win back the key people that really matter in the next generation of software...the developers.

Apple's triple-combo is quite devastating....Since Mac OS X - Apple started shipping computers which run on a Linux operating system. Strike One Microsoft! And in 2006, Apple started to ship Macs running the Intel Core Duo chips before the Windows machines had them! Strike Two Microsoft! And native Apple software or third-party software like Parallels -- makes it possible to run multiple operating systems....Apple's operating system OR Windows OR most variants of Linux. Ouch...Strike Three Microsoft!

And then there's Microsoft Vista -- dead-on-arrival.

It no longer matters what operating system you are running...Windows, Mac, Unix/Linux. High scale Web Services, Ajax, and Flash are making it possible to run almost anything anywhere.

Microsoft....You're OUT! Or at least -- a commodity.

Sunday, February 25, 2007

How to make Java Developers 200% more productive

I was fortunate enough to attend a class this week on Ruby on Rails from Chad Fowler. It really opened my eyes about why Ruby on Rails is getting so much buzz in the programming community.

Many in the Java world are feeling less and less productive these days. I know I am. I've told people many times that as crazy as it sounds -- I was able to build useful apps much more quickly in old platforms like PowerBuilder and VisualBasic. (And I'm a Java Trainer, for God's sake!). This feeling is very well documented in Bruce Tate's book "Beyond Java".

Java is just too BIG

Rails is referred to as a "full-stack framework for developing database-backed web applications according to the Model-View-Control pattern". WTF? Well, here's my interpretation of it -- it means there's less choice on things that your business users don't care about!

Most of the libraries and plumbing that you would need in a typical Java Application -- have been chosen or created for you. You don't have to think about how to make your web application Model 2 (MVC) compliant, or how to communicate to the database properly, or how to perform Ajax web updates, or how to create a REST interface, or what naming convention to use or how to structure your project. It's all there for you! You just concentrate on solving business problems. That's the biggest magic I saw in Ruby on Rails.

Can this level of productivity be achieved in Java? Not quite, Java (as the Ruby people seem to say) isn't as expressive....but we can certainly narrow the gap. Java People...wait...don't head for the exits yet...I say there is still hope!

Java is just drowning in choices.

Let's take Database connectivity -- we have many: JDBC, EJB2-CMP Entity, EJB2-BMP Entity, JDO, Toplink, Ibatis, Hibernate.

What about IDEs? We have eclipse, NetBeans, Java Studio Enterprise, JBuilder, Workshop, Together, Rational XDE, IDEA. And once you choose your IDE -- there's the plug-ins and it just goes on and on....

And what about those design patterns architects like to sledgehammer into developers' minds to a point where they feel inadequate if they don't apply the right patterns. When you start a Java app -- you effectively have a blank sheet of paper -- you got nothing -- everybody writes the same stuff over and over again.

...not a week goes by where I don't stumble across some bizarre Java acronym or relatively-unknown Java open-source library that's in use.

Here's a thought -- apply the 80/20 rule to Java Web Development...80% of the Java Web Developers would agree to design and organize their applications the same way. It's like a world where 80% of the drivers in Washington DC drive Honda Accords and Toyota Camrys (which is almost the case!). An Accord and a Camry are more than adequate to get people from point A to point B. If you truly need an SUV, or a minivan, or a sports car...that's the other 20%. That type of mentality is happening in the Ruby on Rails community. "convention over configuration"

* Agree to only use a Java Web Container (ex: Tomcat)
* Agree on a common directory structure (think Maven)
* Agree on a common naming convention
(how we name models, controllers, tables, columns)
* Agree to use the Spring Framework
* Agree to use the Hibernate ORM library
* Agree to Unit-Test! JUnit, MockObjects, and EasyMock
* Agree on the same basic Ant template for builds, tests and deployments
* Agree to use the same IDE such as eclipse
* etc...

In other words -- minimize or eliminate CHOICE. And for those that have special requirements, those 20% can go off into the weeds and hack their way to the next generation of standards.

Microsoft DotNet has some advantages -- you don't have to decide what server to use, and you don't have to decide what IDE to use (Visual Studio). That's 2 major choices which completely fracture and confuse the Java community. Can't we all just get along?

Less Choice! More Productivity! We need to stop spinning wheels and wasting time on things that should be no-brainers such as database, XML creation, and unit-testing. Business users certainly don't care what ORM package was used. Shut up and start building solutions!

Friday, February 9, 2007

Can you learn SOA in a fun way?

Today's mission -- organize a list of resources about Service Oriented Architecture (SOA). So while collecting web links and resources...I stumbled on these two entertaining videos.

The first one could be viewed as SOA from a woman's point of view. Its key message: "SOA is like clothing in your wardrobe". Hmmmmm -- never quite thought of it that way...but I guess she has a point.

The next one won't teach you anything useful about SOA. But there are certainly worse ways to waste 3 minutes and 5 seconds. At least if you get caught watching it while at the office, you can say you were learning about SOA.

Wednesday, February 7, 2007

JavaScript tutorial....

I was asked to organize a JavaScript brown-bag this month. While collecting material for my presentation, I came across this multi-part JavaScript presentation posted by Yahoo. This is the best 2-hour presentation I've found on the subject of JavaScript. I couldn't do much better myself -- so instead of presenting - I've started to hand out this link instead.

Part 1:

Part 2:

Part 3:

Part 4:

FireBug -- The best JavaScript/DOM/CSS Debugger

If you do any type of web-development - you must try out this outstanding JavaScript/DOM/CSS Debugging Plug-In for Firefox.

Like most things I've tried -- I installed earlier versions without reading any manuals and found earlier versions to be very intuitive and helpful without any training.

The latest release, FireBug 1.0, contains many new features that are more subtle. The best way to learn about the power of FireBug 1.0 is to view this video presentation from the author Joe Hewitt. I experienced many of those - "I didn't know it could do that" moments.

So if you're not already using Firefox as your web-browser...switch to it! And after you've done that -- install this plug-in.

Thursday, January 18, 2007

Updating the SpringBlog App from "Pro Spring" to Spring v2 and Hibernate v3.2

I've been refreshing my skills with Hibernate and Spring lately, and one of the activities I took upon myself was to update the SpringBlog application provided in the book Pro Spring from Apress.

Since the book was written in 2005, it is based on previous releases of Spring (v1.1) and Hibernate (v2.1). The current release of Spring is v2.02, and the current version of Hibernate is v3.2. (as of Jan 2007)

Here is a list of some upgrades I made to take advantage of improvements in Spring v2 and Hibernate v3 features:

  • Changed from declarative transaction to annotation-based transactional support

  • Modified the HibernateDAO classes so they do not rely on HibernateDaoSupport. The SessionFactory is injected via Spring.

I also had to make several changes due to runtime problems with the newer libraries. Maybe these worked in Spring v1.1 and Hibernate 2, but they didn't work for me with Spring v2 and Hibernate v3 without modification:

  • - I had to create a new Comment class and copy the data from the incoming comment variable (which is really based on CommentForm). This is the exact same thing that existing code in the class had to do with EntryForm.

  • Hibernate*Dao.delete() -- The delete() feature did not work for any of the Domain classes. There were errors because you cannot create objects with null values in non-null properties. And therefore - you couldn't delete those objects. So the technique used in the downloaded app doesn't work. Instead I had to perform a load() followed by a delete(). The book Java Persistence with Hibernate describes this type of logic in Section 9.3.1 (page#407).

  • I had to add a Filter based on the Spring class OpenSessionInViewFilter in my web.xml. The reasons it was necessary are described in this link from the Hibernate site.

  • Updated all package references to use the newer hibernate3 package provided in the spring-hibernate3.jar

It took me several hours to get this working -- I hope these suggestions save others some time!

Monday, January 8, 2007

Ajax Security -- Changing the nature of the Attack Surface...

Jeremiah Grossman of Whitehat Security published an article titled Myth-Busting AJAX (In)security. In this article, he posed two interesting questions (with answers)...

Does AJAX cause a larger “Attack Surface”?

Does AJAX make the “Attack Surface” harder to find?
Yes and No.

Technically, I agree. But Ajax does in fact change the nature of the Attack Surface. In a traditional dynamic page-based web application - the web application reacts to page-level HTTP requests and responds with page-level responses. And the response is a full page rendered in HTML.

So although possible, the responses were not easy to digest quickly unless tagged with explicit ids, names, or class identifiers.

With Ajax, the request/response food chain acts more like API library function calls, which is what makes them more attractive. So security vulnerabilities like the one found in gmail are easy to exploit and take advantage of.

To eliminate or minimize these types of problems -- developers must treat every Ajax entry-point as if it's a published and self-documented API function call. Assume that somebody, somewhere will figure out how to call your API out-of-context. And the developer needs to take steps to make that risk as close to zero as possible.

Friday, January 5, 2007

Where have all the programmers gone?

At the start of 2007, I thought I'd take a moment to look at Google statistics in Google Trends to review the search patterns for the term Java over the past year. There was concern at the beginning of 2006 that we were witnessing the end of the Java era. Based on the year-end graphs, it's not looking good for Java -- the pattern is showing a dramatic drop in early 2006 that has never recovered.

So where are all the Java programmers going? Maybe everybody is discovering the language/framework Ruby on Rails? According to the graph...Ruby is not picking up a lot of programmers (although Ruby is holding steady)

How about DotNet. Maybe Microsoft programmers are picking up all the lost Java souls? According to the graph, DotNet is also in decline.

And actually -- all major languages are in decline...

So the question remains...where have all the programmers gone? I spent a grand total of 15 minutes trying various keywords, and the trend was universal. After much head-scratching - I think I've found them!

Here's my theory...let's start by taking a look at the location of the top 10 "java" search regions...

1. India
2. Poland
3. Singapore
4. Romania
5. Czech Republic
6. Hong Kong
7. Slovakia
8. Slovenia
9. Colombia
10. Indonesia

And for completeness, here is the list of top 10 DotNet search regions. The countries are different, but the areas of the world are similar:

1. India
2. Singapore
3. South Africa
4. Pakistan
5. Viet Nam
6. Slovenia
7. Malaysia
8. Hong Kong
9. Japan
10. Czech Republic

Are you concerned too? Not a single country with English-as-a-first-language in the top 10 Google Search Regions for the word "Java", "DotNet" or ".Net". My theory is that the programmers haven't left -- it's just that the bulk of programmers are now all overseas, and simply performing searches in their native languages. One limitation of Google Trends is that it is only for the English language at this time.

Any evidence to support this theory? Let's take a closer look at Ruby -- what is interesting about Ruby is that it shows the least amount of decline of all the programming languages.

Top 10 regions for Ruby searches:

1. New Zealand
2. Ireland
3. Australia
4. United Kingdom
5. United States
6. Canada
7. Japan
8. Singapore
9. Philippines
10. Morocco

A large portion of the Ruby programmers are in English-speaking countries. Therefore the Google search patterns support the notion of a healthy English-speaking programming community.

Welcome to 2007 -- where it appears that English and the United States have lost their technology dominance in the eyes of the Internet world.

So where have all the programmers gone? Overseas