Issue No.06 - November/December (2006 vol.10)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MIC.2006.121
A round-up of Internet-related stories in IEEE Computer Society and trade press.
Dr. Dobb's Journal
"AJAX & Record Locking," by David Perelman-Hall
A common problem in multiuser Web applications occurs when two users edit an application record at the same time, resulting in lost data. Because the database locks the record within the database, users can't tell if someone else is editing it. If the server could push information about a locked record to two or more users trying to change the same record, this problem could be avoided; however, no workable Web-oriented push technology currently exists.
To edit content, users assigned to editor or administrator roles must request the editable page via an Edit button in the user interface. View-only pages contain an AJAX call that first runs in window.onload and then in a window.setTimeout loop, so that when an editor requests a locked page, an alert indicates which page is locked and which user is currently editing it, and the Edit button is removed from the interface. Once the locked record is released, the window.setTimeout function restores the Edit button to the waiting editor.
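The polling flow summarized above, as an added example that is not code from the Dr. Dobb's article: an in-memory lock table stands in for the server, and a view model stands in for the page. All names here are assumptions, as are the lease timeout and the server-side `save` check, which is there because hiding the Edit button only informs the user and does not stop a write.

```javascript
// Added example: constructed in-memory model, not code from the article.
const LEASE_MS = 60000; // assumed lease so an abandoned edit cannot lock forever
function createLockTable() {
  const locks = new Map(); // recordId -> { user, expires }
  const holder = (id, now) => {
    const l = locks.get(id);
    if (l && l.expires <= now) { locks.delete(id); return null; }
    return l || null;
  };
  return {
    // Called when an editor presses Edit; fails if someone else holds the lock.
    acquire(id, user, now) {
      const l = holder(id, now);
      if (l && l.user !== user) return { ok: false, lockedBy: l.user };
      locks.set(id, { user, expires: now + LEASE_MS });
      return { ok: true };
    },
    release(id, user) {
      const l = locks.get(id);
      if (l && l.user === user) locks.delete(id);
    },
    // What the view-only page's AJAX poll asks for.
    status(id, now) {
      const l = holder(id, now);
      return l ? { locked: true, lockedBy: l.user } : { locked: false };
    },
    // Enforcement lives here: a save is rejected unless the caller holds the lock.
    save(id, user, now) {
      const l = holder(id, now);
      return Boolean(l && l.user === user);
    },
  };
}

// Client side: apply one poll result to the view; returns true if the state changed.
function applyStatus(view, status) {
  const changed = view.editButtonVisible === status.locked;
  view.editButtonVisible = !status.locked;
  view.notice = status.locked ? `Locked by ${status.lockedBy}` : "";
  return changed;
}
// The polling loop: first run on load, then re-armed with setTimeout.
function startPolling(table, id, view, intervalMs, clock = Date.now) {
  const tick = () => {
    applyStatus(view, table.status(id, clock()));
    view.timer = setTimeout(tick, intervalMs);
  };
  tick();
  return () => clearTimeout(view.timer);
}
```

In a real page the notice would be written with `textContent` rather than `innerHTML`, since the lock holder's name is user-supplied data.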
Software Development Times
1 October 2006
"Where Does Ruby Fit in the Enterprise? Bruce Tate Talks the Business of Ruby," by Alex Handy
Software Development Times interviewed Bruce Tate, coauthor of Ruby on Rails: Up and Running, about how to use Ruby on Rails in an enterprise environment. Tate says Ruby currently works best for "green-field, database-backed Web applications with moderate scalability requirements" — a sizeable share of applications used for Java.
He adds that developers are starting to experiment in other areas, such as those that require greater scalability or in applications without database backing. Tate says Ruby on Rails has moved from an "edge product" into the mainstream over the past year. In that time, he says, several major innovations have occurred for Web services, AJAX, and the Active Record implementation.
Mobile and Wireless Computing
3 August 2006
"Let's Make a WiMax Deal," by Dave Molta
A new partnership between Intel, Motorola, and entrepreneur Craig McCaw has created a huge new player in the broadband wireless networking arena. In July, Clearwire, a broadband wireless Internet provider that McCaw owns, dropped a planned US$400 million initial public offering after receiving $900 million in investment money from Intel Capital and Motorola Ventures. Clearwire will soon begin using Intel's Mobile WiMax (802.16e) technology and begin a supply partnership with Motorola for proprietary broadband wireless network access equipment.
5 September 2006
"RFID's Future Competitor," by Natali Del Conte
Hewlett-Packard (HP) recently unveiled Memory Spot, a tomato-seed-sized memory chip that carries media or data. The Memory Spot could be future competition for radio frequency identification (RFID) tags because HP's chips are smaller, less obtrusive, and feature a higher bandwidth than RFID tags. The Memory Spot transfers data at 10 Mbits per second and can store up to 4 Mbits. The chip has an integrated antenna, whereas RFID tags have an onboard antenna that makes them larger.
Proposed applications include sending digital postcards with moving pictures and sound, attaching resumes to business cards, and including product catalogues with merchandise. And unlike most RFID tags, the data on Memory Spot is rewriteable.
To transfer data, the chip requires a physical connection between it and a reader. HP has yet to develop a Memory Spot reader, but hopes that mobile phone and PDA companies will adopt the technology. Howard Taub, vice president of HP Labs, says, "A PDA is a good reader because it's got a screen and audio and video capabilities, but cell phones are the perfect readers. […] But cell phones are not designed for this yet, so the cell phone companies would have to decide if they want to be part of the ecosystem." HP estimates that Memory Spots could cost US$1 each and expects commercial applications to arrive in two to five years.
The Globus Consortium Journal
"Globus Incubator Project: GridShib," by Von Welch and Frank Siebenlist
A new project called GridShib (http://dev.globus.org/wiki/Incubator/GridShib) aims to give users of Shibboleth — a middleware product that helps universities share Web resources — access to highly scalable grid resources using only their local campus authentication.
Welch and Siebenlist began work in early 2005 on GridShib, which lets users get an X.509 certificate based only on Shibboleth authentication and use that same certificate to access the grid service, thus leveraging existing user information for authorization.
The tool contains several components: a product that lets Shibboleth authentication translate into X.509 certificates; an attribute name-mapper plug-in that sends queries about grid attributes back to Shibboleth; and several extension points that let grid services query Shibboleth, receive attributes formatted in Security Assertion Markup Language (SAML), and then parse them.
Welch and Siebenlist say their biggest challenge is that their users already have established campus identities, but the grid knows them by a different set of X.509-distinguished names. As a result, they're working to find a way to correlate names with X.509 certificates.
31 August 2006
"XSS Vulnerabilities Abound," by Andrew Conry-Murray
Cross-site scripting (XSS) vulnerabilities, in which a dynamic Web page accepts and displays malicious input from users, have jumped into the spotlight lately due to a few high-profile attacks. In a recent attack on Netscape.com, attackers created a pop-up message encouraging users to check out a malicious site. MySpace.com has been hit, too, and a security vendor claims to have discovered more than a half-dozen possible XSS vulnerabilities at two unnamed social networking sites. Conry-Murray suggests that Web developers run a Web application vulnerability scanner to eliminate the most obvious XSS vulnerabilities.
"NWC Interview: Arthur W. Coviello Jr., CEO of RSA Security," by Robert Hertzberg
In an interview with Network Computing, Arthur W. Coviello Jr., chief executive officer of RSA Security, says he hopes his company's pending US$2.1 billion acquisition by storage behemoth EMC ushers in a new era in which security is no longer "bolted on" but instead is "built in." He says he doesn't believe in the theory that terrorists want to execute an attack to "bring down the Internet," in part because the Internet has demonstrated its resiliency. Coviello also says he supports California's new law requiring businesses and governments to notify customers when their private information has been compromised, and believes a comparable federal law should be on the books.
5 September 2006
"Keeping Web Miners Safe," by Robert Lemos
Similar to miners using canaries to detect carbon monoxide or methane, companies such as Microsoft and McAfee are running virtual PCs — software systems that emulate a PC's hard drives, memory, and processors — to explore potentially dangerous areas of the Web and catalog malicious sites. Once malicious code infects a virtual PC, the management server running the virtual software records the originating site's address, erases the virtual PC, and sets up a new virtual PC to start the process again.
To malicious software, the virtual PCs look and act like normal PCs; Trojans, spyware, and viruses infect the PC, unaware that it's a controlled and sterile environment. Microsoft, for example, uses virtual PCs to map out the links to malicious sites, a portion of the Internet its researchers call the ExploitNet. McAfee's SiteAdvisor uses the resulting data to create its Web site ratings.
Unfortunately, Lemos writes, some attackers are meeting this challenge by writing code designed to detect virtual PCs and delay discovery by not infecting them with malicious code.
28 September 2006
"An End to Web Services Confusion on the Horizon," by Bruce Boardman
If you're involved with Web services, you know that a complex, sometimes confusing, set of overlapping management standards governs them. However, help is now on the way in the form of an alliance that includes Hewlett-Packard, IBM, Intel, and Microsoft.
The four companies sponsored a white paper released earlier this year that advocates a single interoperable standard, and they're working together to combine existing standards in response to customers' calls for a simpler solution.
The alliance seeks to iron out conflicts between the Organization for the Advancement of Structured Information Standards (OASIS; www.oasis-open.org) Web Services Distributed Management (WSDM) standard and the Distributed Management Task Force's (DMTF's; www.dmtf.org) WS-Management standard, as well as six lesser-known standards, including WS-Transfer, WS-Enumeration, WS-Eventing, WS-MetadataExchange, WS-ResourceFramework, and WS-Notification.
It won't be easy: both OASIS and the DMTF recently released new versions of their standards, so companies must support both standards separately until the single standard is achieved. Because the project is private, a smaller number of people need to sign off on concepts and commercial concerns, such as time and product issues, but current estimates predict it will take at least another two years before the single standard is complete, and even longer for it to make its way into the mainstream.